Squid - implement SSL MITM mode options #269

Merged
merged 4 commits into from
Jan 27, 2017

@doktornotor doktornotor commented Jan 27, 2017

This implements a couple of options for configuring SSL MITM interception, as discussed @ https://forum.pfsense.org/index.php?topic=123461.0

  • Splice Whitelist, Bump Otherwise
    This is the current code, still used by default.
  • Splice All
    Will splice everything. No need to install CA certificate on clients, and lets SquidGuard do its job. No content filtering (AV) possible, obviously.
  • Custom
    Use advanced custom options. Tinker with it as you wish. Unsupported, if you break it, fix it yourself.

Tweak a couple of descriptions/comments and fix some tags while here.
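
What the first two modes look like as standard Squid `ssl_bump` rules, added here as an illustration; this is not the configuration the package generates and not code from this pull request. The ACL name `splice_whitelist` and the domain `.example.com` are constructed placeholders.

```conf
# Constructed illustration; ACL name and domain are placeholders.
# Step 1: read the TLS ClientHello (SNI) without decrypting anything.
acl step1 at_step SslBump1
ssl_bump peek step1

# --- "Splice Whitelist, Bump Otherwise" ---
# Whitelisted server names are tunnelled untouched; every other
# connection is decrypted, which requires the proxy CA on clients.
acl splice_whitelist ssl::server_name .example.com
ssl_bump splice splice_whitelist
ssl_bump bump all

# --- "Splice All" (use instead of the three lines above) ---
# Nothing is decrypted: no CA on clients, the server name from the
# SNI is still available for URL filtering, but HTTPS bodies cannot
# be content-scanned (AV).
# ssl_bump splice all
```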

doktornotor added 3 commits January 27, 2017 13:51
This implements a couple of options for configuring SSL MITM interception, as discussed @ https://forum.pfsense.org/index.php?topic=123461.0

- Splice Whitelist, Bump Otherwise
This is the current code, still used by default.
- Splice All
Will splice everything. No need to install CA certificate on clients, and lets SquidGuard do its job.
- Custom
Use advanced custom options. Tinker with it as you wish. Unsupported, if you break it, fix it yourself.

Tweak a couple of descriptions and fix some tags while here.
This implements a couple of options for configuring SSL MITM interception, as discussed @ https://forum.pfsense.org/index.php?topic=123461.0

- Splice Whitelist, Bump Otherwise
This is the current code, still used by default.
- Splice All
Will splice everything. No need to install CA certificate on clients, and lets SquidGuard do its job.
- Custom
Use advanced custom options. Tinker with it as you wish. Unsupported, if you break it, fix it yourself.

Tweak a couple of comments while here.
<custom_php_after_form_command>
squid_print_javascript_general2();
</custom_php_after_form_command>
-->
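Review bot: the `<custom_php_after_form_command>` element that ends at `-->` is commented-out markup, so `squid_print_javascript_general2();` is never called from this form and the block ships as dead configuration. Either leave it out of this change and add it together with the change that makes it work, or put a one-line note inside the comment saying what it is waiting on so a later reader knows whether it is safe to delete.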
Member

What is the idea about adding this commented out code here?

Contributor Author

Well the idea is getting some JS magic there as in Antivirus/Authentication tab, but it's

  • not ready yet
  • mostly unrelated to this change
  • not compatible with RELENG_2_3_2 in case someone decides to cherrypick this to that branch

@rbgarga rbgarga requested review from rbgarga and jim-p January 27, 2017 13:23
Contributor

@jim-p jim-p left a comment

Works nicely, thanks!

@doktornotor
Contributor Author

@jim-p Thanks for testing. Now, if only someone fixed/rewrote the SquidGuard thing. :/ I gave up every time after 5 minutes.

@netgate-git-updates netgate-git-updates merged commit 0f96ee0 into pfsense:devel Jan 27, 2017
@doktornotor doktornotor deleted the patch-3 branch January 27, 2017 14:07
@jim-p
Contributor

jim-p commented Jan 27, 2017

I agree, re: SquidGuard. Every time I have to touch that code it makes my brain hurt, and that's just from the whitespace and formatting.

netgate-git-updates pushed a commit that referenced this pull request Nov 8, 2022
Patch release with miscellaneous bug/doc/build fixes.
Excerpt from release tag:

    [#269] fix memory leak in V3fArrayFromBuffer
    [#268] Add <cstdint> for int64_t
    [#263] Initialize x in testRoots.cpp:solve() to suppress compiler warning
    [#262] Fix gcc compiler warning in testFun.cpp
    [#261] Test return value of extractSHRT to avoid uninitialized reference
    [#260] Fix example code so it compiles as is
    [#259] Cuda safety in several headers
    [#256] Fix markdown and typos in README.md
    [#255] Do not warn if half.h has already being included
    [#248] Update sphinx version

ChangeLog:	https://github.com/AcademySoftwareFoundation/Imath/releases/tag/v3.1.6
MFH:		2022Q4
netgate-git-updates pushed a commit that referenced this pull request Jun 24, 2023
ChangeLog: https://www.nlnetlabs.nl/news/2023/Jun/07/nsd-4.7.0-released/

4.7.0
================
FEATURES:
- Merge #263: Add bash autocompletion script for nsd-control.
- Fix #267: Allow unencrypted local operation of nsd-control.
- Merge #269 from Fale: Add systemd service unit.
- Fix #271: DNSTAP over TCP, with dnstap-ip: "127.0.0.1@3333".
- dnstap over TLS, default enabled. Configured with the
  options dnstap-tls, dnstap-tls-server-name, dnstap-tls-cert-bundle,
  dnstap-tls-client-key-file and dnstap-tls-client-cert-file.

BUG FIXES:
- Fix #239: -Wincompatible-pointer-types warning in remote.c.
- Fix configure for -Wstrict-prototypes.
- Fix #262: Zone(s) not synchronizing properly via TLS.
- Fix for #262: More error logging for SSL read failures for zone
  transfers.
- Merge #265: Fix C99 compatibility issue.
- Fix #266: Fix build with --without-ssl.
- Fix for #267: neater variable definitions.
- Fix #270: reserved identifier violation.
- Fix to clean more memory on exit of dnstap collector.
- Fix dnstap to not check socket path when using IP address.
- Fix to compile without ssl with dnstap-tls code.
- Dnstap tls code fixes.
- Fix include brackets for ssl.h include statements, instead of quotes.
- Fix static analyzer warning about nsd_event_method initialization.
- Fix #273: Large TXT record breaks AXFR.
- Fix ixfr create from adding too many record types.
- Fix cirrus script for submit to coverity scan to libtoolize
  the configure script components config.guess and config.sub.
- Fix readme status badge links.
- make depend.
- Fix for build to run flex and bison before compiling code that needs
  the headers.
- Fix to remove unused whitespace from acx_nlnetlabs.m4 and config.h.
- For #279: Note that autoreconf -fi creates the configure script
  and also the needed auxiliary files, for autoconf 2.69 and 2.71.
- Fix unused variable warning in unit test, from clang compile.
- Fix #240: Prefix messages originating from verifier.
- Fix #275: Drop unnecessary root server checks.

PR:		272096
Reported by:	[email protected] (maintainer)