From a1a65c3fd50ae9d9a6262b4e1befc965b2a730c2 Mon Sep 17 00:00:00 2001
From: Vladimir Dubrovin <3proxy@3proxy.ru>
Date: Mon, 13 Apr 2026 20:53:38 +0300
Subject: [PATCH] ssl_client_mode = 3 added, allow 'secure' parent types ending with 's': https, tcps, socks5s, connect+s, etc. example: plugin SSLPlugin.ld.so ssl_plugin allow user1 parent 1000 http 1.1.1.1 1111 allow user2 parent 1000 https 2.2.2.2 2222 ssl_client_mode 3 ssl_client proxy With ssl_client_mode 3 TLS is only handshaked for https parent type and is not handshaked for http parent.
---
 src/auth.c | 12 ++++++++++++
 src/conf.c | 7 ++++++-
 src/plugins/SSLPlugin/ssl_plugin.c | 14 ++++++++++++++
 src/structures.h | 3 ++-
 4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/src/auth.c b/src/auth.c
index 40b51bc..83a87af 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -8,6 +8,14 @@
 #include "proxy.h"
+static FILTER_ACTION (*ext_ssl_parent)(struct clientparam * param) = NULL;
+
+static FILTER_ACTION ssl_parent(struct clientparam * param){
+ if(ext_ssl_parent) return ext_ssl_parent(param);
+ ext_ssl_parent = pluginlink.findbyname("ssl_parent");
+ if(ext_ssl_parent) return ext_ssl_parent(param);
+ return REJECT;
+}
 int clientnegotiate(struct chain * redir, struct clientparam * param, struct sockaddr * addr, unsigned char * hostname){
 unsigned char *buf;
@@ -33,6 +41,10 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 pass = param->password;
 }
 }
+ if(redir->secure){
+ res = ssl_parent(param);
+ if(res != PASS) return res;
+ }
 switch(redir->type){
 case R_TCP:
 case R_HTTP:
diff --git a/src/conf.c b/src/conf.c
index 16dfe51..bad8458 100644
--- a/src/conf.c
+++ b/src/conf.c
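Review bot: In src/auth.c, `ssl_parent()` fills the file-scope static `ext_ssl_parent` lazily on the connection path with no synchronization, so if `clientnegotiate` is reached from several threads at once (not visible in this hunk) the first calls race on that pointer; every writer stores the same value, but it is still an unsynchronized read and write of shared state. Resolving the symbol once when the configuration is loaded would avoid both the race and the repeated `findbyname` lookup on every connection while SSLPlugin is absent. The fail-closed result is the right default and deserves a comment above `return REJECT;`, such as `/* SSLPlugin not loaded: refuse a 'secure' parent rather than continue in cleartext */`.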
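Review bot: In `clientnegotiate` (src/auth.c, second hunk), `if(res != PASS) return res;` hands a FILTER_ACTION value back through a function that returns `int` status codes, so a failed TLS handshake reaches callers as the numeric value of REJECT, and CONTINUE or HANDLED would also be returned as if they were errors. If callers log or branch on that number, it will be read as whatever existing error code shares the value, which hides the real cause from anyone reading the logs. Map it explicitly instead, e.g. `if(ssl_parent(param) != PASS) return PARENT_TLS_ERROR;`, where `PARENT_TLS_ERROR` is a placeholder for a dedicated code from the project's own error range. The function body starts and ends outside this hunk, so how `res` is used further down is not visible here.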
@@ -795,8 +795,13 @@ static int h_parent(int argc, unsigned char **argv){
 return(3);
 }
 for(i = 0; redirs[i].name ; i++){
- if(!strcmp((char *)argv[2], redirs[i].name)) {
+ int len;
+ len = strlen(redirs[i].name);
+ if(!strncmp((char *)argv[2], redirs[i].name, len)
+ && (argv[2][len] == 0 || (argv[2][len] == 's' && argv[2][len+1] == 0))
+ ) {
 chains->type = redirs[i].redir;
+ if(argv[2][len] == 's') chains->secure = 1;
 break;
 }
 }
diff --git a/src/plugins/SSLPlugin/ssl_plugin.c b/src/plugins/SSLPlugin/ssl_plugin.c
index 79dac3c..634cc1f 100644
--- a/src/plugins/SSLPlugin/ssl_plugin.c
+++ b/src/plugins/SSLPlugin/ssl_plugin.c
@@ -759,6 +759,14 @@ static FILTER_ACTION ssl_filter_predata(void *fc, struct clientparam * param){
 return PASS;
 }
+static FILTER_ACTION ssl_parent(struct clientparam * param){
+ if(PCONF->cli && client_mode == 3) {
+ if(docli(param)) {
+ return REJECT;
+ }
+ }
+ return PASS;
+}
 static void ssl_filter_clear(void *state){
 struct clientparam *param;
@@ -1158,6 +1166,10 @@ static struct commands ssl_commandhandlers[] = {
 {NULL, "ssl_certcache", h_certcache, 2, 2},
 };
+static struct symbol ssl_symbols[] = {
+ {NULL, "ssl_parent", (void *)&ssl_parent},
+};
+
 #ifdef WATCOM
 #pragma aux ssl_plugin "*" parm caller [ ] value struct float struct routine [eax] modify [eax ecx edx]
@@ -1221,6 +1233,8 @@ PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
 ssl_init();
 ssl_commandhandlers[(sizeof(ssl_commandhandlers)/sizeof(struct commands))-1].next = pl->commandhandlers->next;
 pl->commandhandlers->next = ssl_commandhandlers;
+ ssl_symbols[0].next = pl->symbols.next;
+ pl->symbols.next = ssl_symbols;
 }
 tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");
diff --git a/src/structures.h b/src/structures.h
index 11d12bd..bd254ad 100644
--- a/src/structures.h
+++ b/src/structures.h
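Review bot: The new match in `h_parent` (src/conf.c) accepts a trailing `s` on every entry of `redirs`, not only on parent types where TLS to the parent is meaningful, and it takes the first entry that fits, so a table name that is itself another name plus `s` would be resolved by table order (the table is outside this hunk). `chains->secure` is only ever set to 1 here, which relies on the chain having been zeroed when it was allocated earlier in the function. Since `secure` decides whether negotiation with the parent happens inside TLS, I would assign it unconditionally, `chains->secure = (argv[2][len] == 's');`, and add a comment above the test, `/* exact name, or name + 's' = same parent type over TLS */`. `len` should be `size_t` to match the return type of `strlen`.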
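Review bot: `ssl_parent()` in src/plugins/SSLPlugin/ssl_plugin.c returns PASS whenever `PCONF->cli && client_mode == 3` is false, so a parent declared with the `s` suffix on a service that has no `ssl_client` gets no handshake from this function and negotiation continues; unless another path performs the handshake in that case (not visible in this hunk), proxy credentials and traffic reach a parent marked secure in cleartext. auth.c already fails closed when the plugin is missing, and the plugin should do the same for a missing client configuration: `if(!PCONF->cli) return REJECT;` as the first statement. A one-line comment stating why modes other than 3 may return PASS would make the remaining path auditable.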
@@ -326,6 +326,7 @@ extern struct redirdesc redirs[];
 struct chain {
 struct chain * next;
 int type;
+ int secure;
 PROXYSOCKADDRTYPE addr;
 unsigned char * exthost;
 unsigned char * extuser;
@@ -415,7 +416,7 @@ extern int numservers;
 typedef void * (* PROXYFUNC)(struct clientparam *);
 typedef enum {
- PASS,
+ PASS = 0,
 CONTINUE,
 HANDLED,
 REJECT,
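Review bot: `int secure;` is inserted in the middle of `struct chain` in src/structures.h, which moves `addr`, `exthost`, `extuser` and every later member; a plugin binary built against the previous header that touches those members would read the wrong offsets if only the core is upgraded. If separately built plugins are supported, appending the member at the end of the struct keeps the old layout valid for them. The field also needs a comment because it controls transport security: `int secure; /* 1 = parent type had the 's' suffix: TLS handshake with the parent is required before negotiation */`.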