File sslh.changes of Package sslh

Fri Dec 15 08:22:05 UTC 2023 - Felix Niederwanger <>

- Add obsinfo files

Fri Dec 15 08:20:55 UTC 2023 - Felix Niederwanger <>

- Add services

Fri Dec 15 08:19:37 UTC 2023 - Felix Niederwanger <>

- Remove old init file

Fri Dec 15 08:16:36 UTC 2023 - Felix Niederwanger <>

- Don't start services by default

Fri Dec 15 08:08:17 UTC 2023 - Felix Niederwanger <>

- Add libev to build requirements
- Remove unnecessary DESTDIR from the %build section

Fri Dec 15 08:02:03 UTC 2023 -

- Update to version 2.0.1:
  * Set image tag to use github in docker-compose example (#414)
  * Cleanup error checking logic in bind_peer() (#412)
  * document Windows build and docker repositories
  * add sslh-ev
  * Transparent mode in a multi-stage chain will fail after the first step because the (ip,port) is already bound.  With this change, the bind is retried with a different port to at least keep the same IP address, which for most uses is all that is needed.  I've tested this on my own system where sslh is used downstream from stunnel, with both in transparent mode.
  * fix install to build sslh-fork (fix #407)
  * remove obsolete intermediate sslh target
  * Makefile: add USE_LIBEV
  * Changelog for resolve_on_forward fix
  * resolve name at connection time for UDP too
  * update to Conf::Libconfig 1.0.3 API
  * update to Conf::Libconfig 1.0.3 API
  * add resolve_on_forward in tests
  * fix resolve_on_forward use (fix #405)
  * Initial support for the landlock LSM

Thu Aug 31 14:48:35 UTC 2023 -

- Update to version 2.0.0:
  * remove magic numbers with correct sizeof
  * fix handling of IPv6 UDP connections
  * remove dependency of sslh-conf.c to sslhconf.cfg (fix #283)
  * fix cppcheck complains
  * fix possible buffer overflow
  * Allow supplying additional CFLAGS

Tue May  3 14:27:29 UTC 2022 - Marcus Meissner <>

- switch to https source url

Mon Sep  6 07:12:44 UTC 2021 - Michael Vetter <>

- Update to 1.22c:
  * Fix invalid size (#302)
  * Test aborted connections (#285)

Wed Aug 25 06:59:54 UTC 2021 - Michael Vetter <>

- Update to 1.22b:
  * do not timeout TCP connections (fix #300) 
  * remove obsolete usage string and added lost version option
  * be more defensive when allocating and extending gap

Wed Aug 18 06:59:54 UTC 2021 - Michael Vetter <>

- Update to 1.22:
  * sslh-select now supports UDP protocols.
    Probes specified in the `protocols`
    configuration entry are tried on incoming packets,
    TCP or UDP, and forwarded based on the input
    protocol (an incoming TCP connection will be
    forwarded as TCP, and same with UDP).
    This has been tested with DNS as shown in udp.cfg:
    incoming packets that contain my domain name are
    assumed to be a DNS request and forwarded
    accordingly. Note this could cause problems if
    combined with incoming TLS with SNI.  UDP clients
    and servers need to agree on the IPv4/IPv6 they use:
    use the same protocol on all sides! Often, this
    means explicitely using 'ip4-localhost'.
    UDP sender-receiver pairs (connections, so to speak)
    are kept for 60s, which can be changed with
    `udp_timeout` in the configuration.
 * Added probes for UDP protocols QUICK and Teamspeak.
 * Added probes for syslog protocol.
 * sslh-select refactored to change linear searches
   through connections to linear searches through
 * Fixed a libconfig call to support libconfig 1.7.3.
 * Added symbol to support libconfig 1.4.9, still in
   use in CentOS7.
 * Warn about unknown settings in the configuration
 * Added per-protocol `transparent` option. sslh-fork
   drops the capability after creating the server-side
   transparent socket. Transparent now uses CAP_NET_RAW
   instead of CAP_NET_ADMIN.
 * Removed compile-time option to use POSIX regex. Now
   regex must be PCRE2 (Perl-Compatible). This was in
   fact the case since v1.21, as PCRE are used to parse
   the config file.
- Drop sslh-nopcreposix.patch:
  pcre2 is a hard dependency now

Fri Apr  9 19:08:27 UTC 2021 - Cristian Rodríguez <>

- remove unused tcpd-devel dependency 

Fri Apr  9 19:06:58 UTC 2021 - Cristian Rodríguez <>

- sslh-nopcreposix.patch: Using pcreposix is the wrong thing
  to do on any glibc based system, avoid linking it.

Fri Jul 31 08:40:11 UTC 2020 - Michael Vetter <>

- Update to 1.21c:
  * Removed support for 'ssl' and fix a related segfault bug.

Mon Jul 20 07:50:38 UTC 2020 - Michael Vetter <>

- Update to 1.21b:
  * Moved configuration and command-line management to
    use conf2struct. Changes are:
    - command line option <-F|--config> no longer defaults to
	  /etc/sslh.cfg, so you have to specify it explicitly.
	- command line option <-v|--verbose> takes a mandatory
	  integer parameter
  * Changed exit code for illegal command line parameter
	from 1 to 6 (for testing purposes)

Mon Jul 13 07:23:35 UTC 2020 - Michael Vetter <>

- Update to 1.21:
  * Added TCP_FASTOPEN support for client sockets (if
    tfo_ok is specified in their configuration) and for
    listenint socket, if all client protocols support it.
  * Added 'minlength' option to skip a probe if less
    than that many bytes have been received (mostly for
  * Moved configuration and command-line management to
    use conf2struct. Hopefully this should be transparent
    to users.
  * Update Let's Encrypt entry in example.cfg for tls-alpn-01
    challenges; tls-sni-* challenges are now deprecated.
  * Log to syslog even if in foreground (for people who
    use fail2ban)
  * Use syslog_facility: "none" to disable syslog

Wed Jan 15 09:32:42 UTC 2020 - Ismail Dönmez <>

- Cleanup spec file, remove old openSUSE support
- Fix useradd syntax

Fri Nov 23 13:57:08 UTC 2018 -

- Update to 1.20:
  * Added support for socks5 protocol (Eugene Protozanov)
  * New probing method
  * Test suite refactored
- ChangeLog from 1.19:
  * Added ‘syslog_facility’ configuration option to specify where to log.
  * TLS now supports SNI and ALPN (Travis Burtrum), including support for Let’s Encrypt challenges (Jonathan McCrohan)
  * ADB probe. (Mike Frysinger)
  * Added per-protocol ‘fork’ option. (Oleg Oshmyan)
  * Added chroot option. (Mike Frysinger)
  * A truckload of bug fixes and documentation improvements (Various contributors)
- Remove filepath-in-systemd-service.patch: upstreamed
- Add BuildRequires: pcre-devel

Mon Nov  6 17:38:30 UTC 2017 -

- fix systemd vs SysVinit
  * don't install both when system should be used
  * add var has_systemd

Tue Jul 19 08:43:02 UTC 2016 -

- Update to 1.18
  * Added USELIBPCRE to make use of regex engine optional.
  * Added support for RFC4366 SNI and RFC7301 ALPN
    (Travis Burtrum)
  * Changed connection log to include the name of the probe that
  * Changed configuration file format: 'probe' field is
    no longer required, 'name' field can now contain
    'tls' or 'regex', with corresponding options (see
  * Added 'log_level' option to each protocol, which
    allows to turn off generation of log at each
  * Added 'keepalive' option.
  Version 1.17
  * Support RFC5952-style IPv6 addresses, e.g. [::]:443.
  * Transparant proxy support for FreeBSD  (Ruben van Staveren)
  * Using -F with no argument will try
    /etc/sslh/sslh.cfg and then /etc/sslh.cfg as configuration files.
    (argument to -F can no longer be separated from the option by a space,
    e.g. must be -Ffoo.cfg)
  * Call setgroups() before setgid() (fixes potential
    privilege escalation) (Lars Vogdt)
  * Use portable way of getting modified time for OSX support (Aaron
  * Example configuration for fail2ban (Every Mouw)
- Dropped missing-call-to-setgroups-before-setuid.patch, included

Thu Dec 18 09:31:58 UTC 2014 -

- Added filepath-in-systemd-service.patch to point to correct
  patch in systemd service file

Tue Mar 25 19:05:13 UTC 2014 -

- update to 1.16:
  + Probes made more resilient, to incoming data
    containing NULLs. Also made them behave properly
    when receiving too short packets to probe on the
    first incoming packet.
    (Ondrej Kuzník)
  + Libcap support: Keep only CAP_NET_ADMIN if started
    as root with transparent proxying and dropping
    priviledges (enable USELIBCAP in Makefile). This
    avoids having to mess with filesystem capabilities.
    (Sebastian Schmidt/yath)
  + Fixed bugs related to getpeername that would cause
    sslh to quit erroneously (getpeername can return
    actual errors if connections are dropped before
    getting to getpeername).
  + Set IP_FREEDBIND if available to bind to addresses
    that don't yet exist.
- compile with libcap support
- added missing-call-to-setgroups-before-setuid.patch
- removed patches fixed upstream:
  + sslh-asprintf.patch
  + sslh-chroot.patch

Sun Dec 22 14:50:15 UTC 2013 -

- added /etc/conf.d/sslh
  now the service actually starts when using systemd 

Wed Dec 11 19:20:54 UTC 2013 -

- update to 1.15:
  + Added --transparent option for transparent proxying. See README for iptables magic and capability management.
  + Fixed bug in sslh-select: if number of opened file descriptor became bigger than FD_SETSIZE, bad things would happen.
  + Fixed bug in sslh-select: if socket dropped while defered_data was present, sslh-select would crash.
  + Increased FD_SETSIZE for Cygwin, as the default 64 is too low for even moderate load.
    Thanks to Arnaud Gendre and Michael K. Avanessian for helping with investigation of the last three points.

Sun Jan  6 17:36:22 UTC 2013 -

- update to 1.14:
  + Corrected OpenVPN probe to support pre-shared secret
    mode (OpenVPN port-sharing code is... wrong). Thanks
    to Kai Ellinger for help in investigating and
  + Added an actual TLS/SSL probe.
  + Added configurable --on-timeout protocol
  + Added a --anyprot protocol probe (equivalent to what
    --ssl was).
  + Makefile respects the user's compiler and CFLAG
    choices (falling back to the current values if
    undefined), as well as LDFLAGS.
    (Michael Palimaka)
  + Added "After" and "KillMode" to systemd.sslh.service
    (Thomas Weißschuh).
- use upstream sslh.systemd.service instead of own one

Thu Aug 23 19:41:44 UTC 2012 -

- update to 1.13b:
  + WARNING: Options changed, you'll need to update your start-up 
    scripts! Log format changed, you'll need to update log 
    processing scripts
  + Added support for configuration file.
  + New protocol probes can be defined using regular expressions that 
    match the first packet sent by the client.
  + Added HTTP probe.
  + Now supports IPv6 throughout (both on listening and forwarding)
  + Logs now contain IPv6 addresses, local forwarding address, and 
    resolved names (unless --numeric is specified).
  + Introduced long options.
  + Bind to multiple addresses with multiple -p options.
  + Added -o "OpenVPN" and OpenVPN probing and support.
  + Added -f "foreground" option.
- adapted init script to new options
- added option for openVPN target address in sysconfig file
For openSUSE > 12.1:
- added config file /etc/default/sslh - but this needs to be enabled/
  added in SSLH_OPTS="" in /etc/sysconfig/sslh for now as the 
  sysconfig file already contains all variables
- added systemd file

Wed Aug 18 21:05:06 UTC 2010 -

- add special user sslh for sslh daemon
- fix typo in init script

Wed Aug 18 20:38:39 UTC 2010 -

- use /etc/sysconfig/sslh for configuration
- enhanced the init script

Mon Jun 28 07:16:35 UTC 2010 -

- specfile cleanup
- package docu and manpage
- create rcsslh symlink
- build with distribution optflags
- added sslh-1.7a-asprintf.patch 

Thu Feb 25 2010 Christian Debertshaeuser <>

- initial build

openSUSE Build Service is sponsored by