Package: sslh
Version: 1.13b-3.2
Severity: important

Hi,

this bug report might be of higher severity since it leads to an endless loop which causes thousands of syslog messages per second to be written which will eventually fill up /var, leading to data loss when syslogd cannot continue writing data to syslog.

In the default configuration, sslh is configured to listen on 0.0.0.0 and to forward ssl connections to localhost:443. In the case where no https daemon is actually listening, this configuration will cause sslh to forward incoming ssl connections to itself in an endless loop. This can be reproduced by using openssl s_client -connect localhost:443.

The workaround for me was to explicitly configure eth0's IP address in /etc/default/sslh. In the package, a probable fix would be not to listen on 127.0.0.1.

I have noticed that this is documented in the README. Since this has a tremendously high potential to shoot yourself in the foot, it should be prominently mentioned in the defaults file itself, and there should not be --listen 0.0.0.0 in the default configuration. --listen <add-your-ip-here> would be illegal in the default configuration, and would prevent the daemon from starting, and it would serve as a precaution against trigger-happy local admins.

--listen 0.0.0.0 is a loaded gun in the hands of a (probable) fool; Debian should not deliver a weapon like that.

Greetings
Marc

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10.7-zgsrv20080 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sslh depends on:
ii  adduser       3.113+nmu3
ii  debconf       1.5.49
ii  libc6         2.13-38
ii  libconfig9    1.4.8-5
ii  lsb-base      4.1+Debian8+deb7u1
ii  update-inetd  4.43

Versions of packages sslh recommends:
pn  apache2 | httpd              <none>
ii  openssh-server [ssh-server]  1:6.0p1-4

Versions of packages sslh suggests:
pn  openbsd-inetd | inet-superserver  <none>

-- Configuration Files:
/etc/default/sslh changed [not included]

-- debconf information:
* sslh/inetd_or_standalone: standalone
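
A static check for the misconfiguration described in the report above, as an added example that is not part of the original bug report or of the sslh package: it parses an sslh option string such as the one set in /etc/default/sslh and reports forwarding targets that land on sslh's own listening socket. The sample option strings and all function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample resembling the configuration the report describes
# (wildcard listener, SSL forwarded to localhost:443); not copied from the package.
SAMPLE_OPTS = ("--user sslh --listen 0.0.0.0:443 --ssh 127.0.0.1:22 "
               "--ssl localhost:443 --pidfile /var/run/sslh/sslh.pid")
# Constructed form of the reporter's workaround; 192.0.2.10 is a documentation address.
FIXED_OPTS = SAMPLE_OPTS.replace("0.0.0.0:443", "192.0.2.10:443")


def split_endpoint(value):
    """Split 'host:port' or '[v6]:port' into (host, port); None if not an endpoint."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.strip("[]").lower(), int(port)


def classify(host):
    """Return 'wildcard', 'loopback' or 'other' for a literal address or 'localhost'."""
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "other"  # other hostnames are not resolved by this static check
    if ip.is_unspecified:
        return "wildcard"
    return "loopback" if ip.is_loopback else "other"


def self_forwarding_targets(daemon_opts):
    """List (option, target) pairs whose target is a socket sslh itself listens on."""
    tokens = shlex.split(daemon_opts)
    listens, targets = [], []
    for opt, value in zip(tokens, tokens[1:]):
        endpoint = split_endpoint(value) if opt.startswith("-") else None
        if endpoint is not None:
            (listens if opt == "--listen" else targets).append((opt, endpoint))
    findings = []
    for opt, (t_host, t_port) in targets:
        for _, (l_host, l_port) in listens:
            # A wildcard or loopback listener also accepts connections made to a
            # loopback target (IPv4 and IPv6 are not distinguished here).
            same_socket = l_host == t_host or (
                classify(t_host) == "loopback"
                and classify(l_host) in ("wildcard", "loopback"))
            if l_port == t_port and same_socket:
                findings.append((opt, f"{t_host}:{t_port}"))
                break
    return findings
```

A non-empty result means a connection matched to that protocol is handed back to sslh whenever no other daemon holds the target port, which is the loop the report describes.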

