What is it?
sslh accepts connections on specified ports, and
forwards them further based on tests performed on the first
data packet sent by the remote client.
sslh has been packaged for Debian, Gentoo, FreeBSD
and many other operating systems, so check out
your favourite package repository before
installing by hand. Do note that packaged
version often are outdate, so check the change
log for bug fixes and new features if you run
You can compile
sslh for Cygwin 1.7 (older version will
not work), or download the binary version provided below by
Arnaud Gendre. You will need at least
installed, and maybe the entire Cygwin package.
Announcements of new versions will be posted on the sslh mailing list. This list can also be used to discuss usage, request features and so on. Traffic is expected to be low (a dozen mail a year on average). It will be further split into a “discussion” list and an “announcement” list if required.
sslh is managed in Git and pushed to Github. Patches and new features will be pushed there, probably long before they make it into actual releases…
Tags are normally all signed off using my public key, which you should also be able to get from your neighbourhood key server.
- Added ‘syslog_facility’ configuration option to specify where to log.
- TLS now supports SNI and ALPN (Travis Burtrum), including support for Let’s Encrypt challenges (Jonathan McCrohan)
- ADB probe. (Mike Frysinger)
- Added per-protocol ‘fork’ option. (Oleg Oshmyan)
- Added chroot option. (Mike Frysinger)
- A truckload of bug fixes and documentation improvements (Various contributors)
- Added USELIBPCRE to make use of regex engine optional.
- Added support for RFC4366 SNI and RFC7301 ALPN (Travis Burtrum)
- Changed connection log to include the name of the probe that triggered.
- Changed configuration file format: ‘probe’ field is no longer required, ‘name’ field can now contain ‘tls’ or ‘regex’, with corresponding options (see example.cfg)
- Added ‘log_level’ option to each protocol, which allows to turn off generation of log at each connection.
- Added ‘keepalive’ option.
- Support RFC5952-style IPv6 addresses, e.g. [::]:443.
- Transparant proxy support for FreeBSD. (Ruben van Staveren)
- Using -F with no argument will try /etc/sslh/sslh.cfg and then /etc/sslh.cfg as configuration files. (argument to -F can no longer be separated from the option by a space, e.g. must be -Ffoo.cfg)
- Call setgroups() before setgid() (fixes potential privilege escalation). (Lars Vogdt)
- Use portable way of getting modified time for OSX support. (Aaron Madlon-Kay)
- Example configuration for fail2ban. (Every Mouw)
Cygwin binary [Includes DLLs necessary to run without a full install of Cygwin]
- Probes made more resilient, to incoming data containing NULLs. Also made them behave properly when receiving too short packets to probe on the first incoming packet. (Ondrej Kuzník)
- Libcap support: Keep only CAP_NET_ADMIN if started as root with transparent proxying and dropping priviledges (enable USELIBCAP in Makefile). This avoids having to mess with filesystem capabilities. (Sebastian Schmidt/yath)
- Fixed bugs related to getpeername that would cause sslh to quit erroneously (getpeername can return actual errors if connections are dropped before getting to getpeername).
- Set IP_FREEDBIND if available to bind to addresses that don’t yet exist.
Cygwin binary [Includes DLLs necessary to run without a full install of Cygwin]
- Added –transparent option for transparent proxying. See README for iptables magic and capability management.
- Fixed bug in sslh-select: if number of opened file descriptor became bigger than FD_SETSIZE, bad things would happen.
- Fixed bug in sslh-select: if socket dropped while defered_data was present, sslh-select would crash.
- Increased FD_SETSIZE for Cygwin, as the default 64 is too low for even moderate load. Thanks to Arnaud Gendre and Michael K. Avanessian for helping with investigation of the last three points.
- Corrected OpenVPN probe to support pre-shared secret mode (OpenVPN port-sharing code is… wrong). Thanks to Kai Ellinger for help in investigating and testing.
- Added an actual TLS/SSL probe.
- Added configurable –on-timeout protocol specification.
- Added a –anyprot protocol probe (equivalent to what –ssl was).
- Makefile respects the user’s compiler and CFLAG choices (falling back to the current values if undefined), as well as LDFLAGS. (Michael Palimaka)
- Added “After” and “KillMode” to systemd.sslh.service (Thomas Weißschuh).
- Added LSB tags to etc.init.d.sslh (Tomas Varil).
- Write PID file before dropping privileges.
- Added –background, which overrides ‘foreground’ configuration file setting.
- Added example systemd service file from Archlinux in scripts/ https://projects.archlinux.org/svntogit/community.git/tree/trunk/sslh.service?h=packages/sslh (Sébastien Luttringer)
- Added support for configuration file.
- New protocol probes can be defined using regular expressions that match the first packet sent by the client.
- sslh now connects timed out connections to the first configured protocol instead of ‘ssh’ (just make sure ssh is the first defined protocol).
- sslh now tries protocols in the order in which they are defined (just make sure sslh is the last defined protocol).
- WARNING: defaults have been removed for –user and –pidfile options, update your start-up scripts!
- No longer stop sslh when reverse DNS requests fail for logging.
- Added HTTP probe.
- No longer create new session if running in foreground.
- No longer default to changing user to ‘nobody’. If –user isn’t specified, just run as current user.
- No longer create PID file by default, it should be explicitely set with –pidfile.
- No longer log to syslog if in foreground. Logs are instead output to stderr.
- The four changes above make it straightforward to integrate sslh with systemd, and should help with launchd.
- Fixed calls referring to sockaddr length so they work with FreeBSD.
- Try target addresses in turn until one works if there are several (e.g. “localhost:22” resolves to an IPv6 address and an IPv4 address and sshd does not listen on IPv6).
- Heavily cleaned up test suite. Added stress test t_load script. Added coverage (requires lcov).
- Support for XMPP (Arnaud Gendre).
- Updated README.MacOSX (Aaron Madlon-Kay).
- WARNING: 1.9 does not currently work on FreeBSD and derivatives (such as MacOSX). The problem is identified and will be corrected shortly.
- WARNING: Options changed, you’ll need to update your start-up scripts! Log format changed, you’ll need to update log processing scripts!
- Now supports IPv6 throughout (both on listening and forwarding)
- Logs now contain IPv6 addresses, local forwarding address, and resolves names (unless –numeric is specified).
- Introduced long options.
- Options -l, -s and -o replaced by their long counterparts.
- Defaults for SSL and SSH options suppressed (it’s legitimate to want to use sslh to mux OpenVPN and tinc while not caring about SSH nor SSL).
- Bind to multiple addresses with multiple -p options.
- Support for tinc VPN (experimental).
- Numeric logging option.
- Changed log format to make it possible to link connections to subsequent logs from other services.
- Added single-threaded, select(2)-based version.
- Added -o “OpenVPN” and OpenVPN probing and support.
- Added support for “Bold” SSH clients (clients that speak first) Thanks to Guillaume Ricaud for spotting a regression bug.
- Updated CentOS init.d script (Andre Krajnik).
- Fixed zombie issue with OpenBSD (The SA_NOCLDWAIT flag is not propagated to the child process, so we set up signals after the fork.) (François FRITZ)
- Added -f “foreground” option.
- Added test suite. (only tests connexions. No test for libwrap, setsid, setuid and so on) and corresponding ‘make test’ target.
- Added README.MacOSX (thanks Aaron Madlon-Kay)
- Documented use with proxytunnel and corkscrew in README.
- Added CentOS init.d script (Andre Krajnik).
- Fixed default ssl address inconsistancy, now defaults to “localhost:443” and fixed documentation accordingly (pointed by Markus Schalke).
- Children no longer bind to the listen socket, so parent server can be stopped without killing an active child (pointed by Matthias Buecher).
- Inetd support (Dima Barsky).
- Added -V, version option.
- Install target directory configurable in Makefile.
- Changed syslog prefix in auth.log to “sslh[%pid]”
- Man page
- new ‘make install’ and ‘make install-debian’ targets
- PID file now specified using -P command line option
- Actually fixed zombie generation (the v1.5 patch got lost, doh!)
- Added libwrap support for ssh service (Christian Weinberger)
- Fixed zombie generation.
- Added support scripts, Makefile.
- Added parsing for local interface to listen on (e.g.: -p 192.168.0.3:443)
- Changed default SSL connexion to port 442 (443 doesn’t make sense as a default as we’re already listening on 443)
- Syslog incoming connexions
- Fixed compilation warning for AMD64.
This feature was already implemented as a Perl script which has since disappeared from CPAN. I re-implemented it because I was uncomfortable having a network service written in Perl, and because that simple script lacked too many features to be mature (e.g. privilege dropping was the first added feature, and many followed).