apf.git/src, branch master Active Port Forwarder Prepare for v0.8.5 release 2015-02-17T05:43:54+00:00 Joshua Judson Rosen 2015-02-17T05:43:54+00:00 c0101ba5d78758d30503682935b5b7602269aa93 Update version-strings and summarise the changes since v0.8.4 in ChangeLog. 
Update version-strings and summarise the changes since v0.8.4 in ChangeLog.
Update autotools-generated files 2015-02-17T05:42:02+00:00 Joshua Judson Rosen 2015-02-17T05:42:02+00:00 b1f97ed484182ecb842a08c422e7b69dd5959ab4 via autoreconf. 
via autoreconf.
Remove HTTP proxy support. 2015-02-17T05:37:08+00:00 Joshua Judson Rosen 2015-02-17T05:37:08+00:00 714aebccbd7a4ab6ec0964d4580efd49171ba140 There are plenty of popular, readily-available external tools that, frankly, provide better options for going through proxies-- both of the HTTP variety and others (corkscrew, httptunnel, socat...); and dropping our internal implementation results in a significant reduction in code complexity--including the complete elimination of multithreading and all of the worries that go along with it. 
There are plenty of popular, readily-available external tools
that, frankly, provide better options for going through proxies--
both of the HTTP variety and others (corkscrew, httptunnel, socat...);
and dropping our internal implementation results in a significant
reduction in code complexity--including the complete elimination
of multithreading and all of the worries that go along with it.
Nix mysleep(). 2015-02-17T04:33:02+00:00 Joshua Judson Rosen 2015-02-17T04:33:02+00:00 b3be641eeddce360692d3a3e872d769f86f1b293 Just use sleep() where only whole-second resolution is used to delay between reconnect-attempts; and nanosleep where sub-second resolution is used. sleep() should actually be OK, because we don't intermix those calls with alarm() or any other signals or itimer functions. nanosleep() should be OK because POSIX.1-2001 requires that it not have the crazy signal interactions that its predecessors are known for. 
Just use sleep() where only whole-second resolution is used
to delay between reconnect-attempts; and nanosleep where
sub-second resolution is used.

sleep() should actually be OK, because we don't intermix those calls
with alarm() or any other signals or itimer functions.

nanosleep() should be OK because POSIX.1-2001 requires
that it not have the crazy signal interactions
that its predecessors are known for.
afserver: support per-realm CA-certificate settings 2014-11-19T04:16:55+00:00 Joshua Judson Rosen 2014-11-19T04:16:55+00:00 fe9bda8d2aad33e0f71d5699bcf90fb78b3fb5bb This makes it possible to have different CA certificates for different realms, or certificate auth for only some realms and password auth for others. 
This makes it possible to have different CA certificates for different realms,
or certificate auth for only some realms and password auth for others.
Add missing const qualifier on SSL_METHOD* vars. 2014-11-19T02:10:13+00:00 Joshua Judson Rosen 2014-11-19T02:10:13+00:00 41bf28a5efad5aa5cd47a180c03ea5434fb98ddc 






afserver: log which protocol version was accepted by SSL_accept.
2014-10-20T05:18:48+00:00

Joshua Judson Rosen

2014-10-20T05:18:48+00:00

c9d9807956a09e5219366abdad39901786a53718












afclient: make "SERVER SSL" log show which protocol version is in use, if any
2014-10-20T05:06:15+00:00

Joshua Judson Rosen

2014-10-20T05:06:15+00:00

b0d4313bc85dc8fc1449e52cd63a0a09db89a3ff

(rather than just "yes")





(rather than just "yes")







afclient: use whatever version of TLS (or better) we can.
2014-10-20T04:31:21+00:00

Joshua Judson Rosen

2014-10-20T04:31:21+00:00

91a72baa658628354bd7adba45fb6071356898bd

Refuse to use pre-TLS SSL, since now SSLv3 has been broken by POODLE attack.





Refuse to use pre-TLS SSL, since now SSLv3 has been broken by POODLE attack.







afserver: avoid requiring a specific SSL protocol version
2014-10-20T04:31:09+00:00

Joshua Judson Rosen

2014-10-20T04:31:09+00:00

fc04c7ac1f50aa5c147af5c0f8cd4a68b9e37990

Trust the clients to negotiate the latest/best protocol version they can.

This should generally improve security over time (as OpenSSL improves
and implements improved protocols) without having the APF codebase
or server/client deployments need to chase latest OpenSSL API additions,
causing portability problems, or breaking client deployments that
are hard to upgrade.





Trust the clients to negotiate the latest/best protocol version they can.

This should generally improve security over time (as OpenSSL improves
and implements improved protocols) without having the APF codebase
or server/client deployments need to chase latest OpenSSL API additions,
causing portability problems, or breaking client deployments that
are hard to upgrade.