Date: Fri, 19 Sep 1997 00:24:38 +1000 (EST)
Message-Id: <199709181424.AAA04622@zen.quick.com.au>
From: "Simon J. Gerraty"
To: ssl-users@mincom.oz.au
Cc: firewalls@greatcircle.com, sjg@quick.com.au
Subject: SSLrsh-2.0,stelnet-2.0 released

A quick note to announce the release of SSLrsh-2.0.tar.gz

The stelnet (2.0) and bmake (2.1.1) archives have also been updated.

The significant changes are:

o supports SSLeay-0.8.1

  There is a patch in ssl/lib/sslfd/crl-081.patch which you need to
  apply to SSLeay-0.8.1 if you want CRL checking to work. Without the
  patch it will never find CRLs but should otherwise work ok.

o ssl_rcmd() (and hence all SSLrshd clients) knows how to use an HTTP
  proxy, including proxy authentication (see ssl/bin/proxy.sh to see
  how to handle authentication).

  Note that you will need to configure your proxy to allow connections
  to sshell/tcp (port 614); this is trivial for squid and can be done
  for the Netscape proxy - but not as easily.

  Also note that host certs will fail, as SSLrshd will see the
  connection as coming from the proxy, not the client. A wild card
  cert (below) may avoid this problem.

o handles wild card certs (eg. /CN=*.quick.com.au)

o ssl.users format updated to allow listing hosts from which a cert
  will be accepted (really only useful for wildcard certs, which I
  don't recommend trusting).

o better handling of connections from localhost (will qualify hostname
  via DNS)

o multiple auth files.

  I can't recall whether the previous release supported multiple auth
  files or not. The current SSLrshd will look for (in order)

  /etc/ssl.{deny,root,local,users,global}

  This allows me to produce a ssl.global file listing all the certs
  that I have issued to users, and SSLrdist that to all hosts. The
  files that are searched before it allow the local admin to override
  the global file. If the "name" deny is found against a cert, access
  is denied; also, any match in ssl.deny denies access.

o cleaner build

  The fact that these archives are each a sub-set of a much larger
  build tree caused some boot strapping problems in the previous
  release. I've unpacked the and built from scratch on a virgin
  Solaris system (plus gcc and SSLeay-0.8.1) with no problems.

o pre-formatted man pages included - look for *.cat[138]

Please (please) read everything in the help directory, the man pages
and probably the SSLeay FAQ (links to it in help/*) before you start
building.

Enjoy!
--sjg
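
The auth-file search order described in the announcement, modelled as an added example that is not part of the original message and is not SSLrshd code. It assumes a simplified "name subject-DN" line format (the real ssl.users format is documented in the package's help files), that the first file containing the cert decides, and that an unlisted cert gets no access; the sample entries are constructed.

```python
# Added illustration of the lookup order /etc/ssl.{deny,root,local,users,global}.
# Assumptions: one "name subject-DN" entry per line, first match decides,
# an unlisted cert is refused. None of this is taken from the SSLrshd source.
SEARCH_ORDER = ["deny", "root", "local", "users", "global"]


def parse(text):
    """Return [(name, subject_dn)] from the assumed 'name DN' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            name, dn = line.split(None, 1)  # the DN itself may contain spaces
            entries.append((name, dn.strip()))
    return entries


def authorize(subject_dn, files):
    """files maps a suffix ('deny', 'local', ...) to that file's text.

    Returns (allowed, mapped_name, deciding_suffix).
    """
    for suffix in SEARCH_ORDER:
        for name, dn in parse(files.get(suffix, "")):
            if dn != subject_dn:
                continue
            # Any match in ssl.deny denies; so does the name "deny" in any file.
            if suffix == "deny" or name == "deny":
                return (False, None, suffix)
            return (True, name, suffix)
    return (False, None, None)  # assumed default: not listed, no access


# Constructed sample: a distributed ssl.global plus local overrides.
SAMPLE = {
    "global": "alice /C=AU/O=Example/CN=Alice\n"
              "bob /C=AU/O=Example/CN=Bob\n"
              "carol /C=AU/O=Example/CN=Carol\n"
              "dave /C=AU/O=Example/CN=Dave\n",
    "local": "deny /C=AU/O=Example/CN=Bob\n"
             "ops /C=AU/O=Example/CN=Alice\n",
    "deny": "revoked /C=AU/O=Example/CN=Carol\n",
}

if __name__ == "__main__":
    for cn in ("Alice", "Bob", "Carol", "Dave", "Mallory"):
        print(cn, authorize("/C=AU/O=Example/CN=" + cn, SAMPLE))
```

Because ssl.deny and ssl.local are consulted before ssl.global, a host can refuse or remap a cert without editing the file that is pushed to every machine.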