- When SSL filter is added without the FF_SSL_SUPPORT_CLIENT_CERTIFICATES flag and the server requests a client certificate, the host is added to exceptions after 2 unsuccessful attempts.
- HTTP filter modifies Accept-Encoding field in request headers to avoid receiving the responses with unsupported encodings.
- The procedure of adding automatic SSL exceptions is modified to avoid false positives with antiviruses.
- Debug builds write the log file asynchronously for better performance.
- SSL filter adds a host to the list of exceptions when the SSL connection is closed immediately after it is established, but only for a hardcoded set of hosts.
- OpenSSL and WinSock initialization/deinitialization is moved to pf_init/pf_free path.
- SSL filter adds a host to the list of exceptions when the SSL connection is closed immediately after it is established.
- Fixed an issue with filtering FTP over SOCKS proxy connections.
- HTTP filter uses the same transfer encoding for the filtered response as the original response used.
- OpenSSL is upgraded to version 1.0.2h.
- Fixed a hang on loading a broken SSL certificate file (cert.db).
- Added support for TLS session resumption in SSL filter, for compatibility with secure FTP servers.
- Minor performance optimization.
- SSL filter signs MITM certificates with the algorithm used for signing original certificates.
- Fixed hangs of SSL connections on renegotiation when server requires a client certificate.
- Removed the code for disabling filtering from PFEventsDefault.
- Fixed an issue with delayed remote disconnects for TCP sessions.
- Fixed an overflow that occurred in HTTP filter when updating a Content-Length larger than MAX_INT after dataPartAvailable returned DPCR_UPDATE_AND_BYPASS or DPCR_UPDATE_AND_FILTER_READ_ONLY.
- Fixed an issue in SSL filter with negotiating the set of algorithms for remote TLS connections.
- Root certificate is imported to Windows storage even if the certificate already exists.
- Added a workaround in SSL filter for the case, with flag FF_SSL_COMPATIBILITY, when the server closes the connection by returning a TLS response.
- Added a fix to HTTP filter to avoid issues when a server returns more content than specified in Content-Length.
- Minor optimization.
- Fixed an issue with importing SSL root certificate to Opera.
- SSL filter uses OCSP stapling TLS extension for better performance when FF_SSL_VERIFY flag is enabled.
- Added a timeout in SSL filter for certificate revocation checks.
- Added a flag FF_SSL_DECODE_ONLY for SSL filter, which bypasses re-encrypting the traffic between proxy and server. It is useful, for example, when a local or remote server should handle both HTTP and HTTPS traffic as generic HTTP. The flag can be enabled dynamically by returning DPCR_FILTER_READ_ONLY from dataPartAvailable for an OT_SSL_HANDSHAKE_OUTGOING object that contains a known domain name.
- Added a patch for the Logjam SSL vulnerability.
- Fixed the code for importing the root certificate into old versions of Opera.
- OpenSSL is upgraded to version 1.0.2c.
- Added a flag FF_SSL_ENABLE_ALPN for SSL filter, which enables the TLS extension for negotiating the next protocol (e.g. HTTP/2, SPDY, HTTP/1.1). This feature is disabled by default to block HTTP/2 and SPDY.
- SSL exceptions are stored as records in container files x.db, xtls.db and xv.db for better performance.
- Fixed an issue in SSL filter with obtaining a client certificate from Windows storage for processes having low security privileges.
- When the FF_SSL_INDICATE_CLIENT_CERT_REQUESTS flag is enabled and the server requests a client certificate, SSL filter indicates via dataPartAvailable an object of type OT_SSL_CLIENT_CERT_REQUEST, containing the server domain name (or the IP address if the name is not specified in SNI) in a single stream. If dataPartAvailable returns DPCR_BYPASS, SSL filter adds the host to the internal list of exceptions and doesn't try to filter SSL for this host in future.
- When FF_SSL_VERIFY flag is enabled, SSL filter validates server certificates in a separate thread to avoid deadlocks. The synchronous validation checks only cached certificates and uses basic check rules.
- SSL validation checks only cached certificates when OCSP server is not available.
- pf_setRootSSLCertImportFlags supports new flag RSIF_GENERATE_ROOT_PRIVATE_KEY. When it is enabled, SSL filter generates a unique private key for root certificate.
- By default SSL filter tries to use TLS 1.2 for SSL/TLS connections.
- A suffix is appended to the root certificate name, so that old certificates signed with SHA1 are re-generated and signed with SHA256.
- SSL filter stores all certificates in a single file cert.db. The certificates and keys are encrypted. The existing certificates are imported to the new storage automatically. The certificates are cached in memory for better performance.
- When FF_SSL_VERIFY flag is specified for SSL filter, the validation of SSL certificates occurs periodically, once per 24 hours. Also the filter validates full certificate chain to detect revoked, self-signed certificates and invalid certificate properties.
- Fixed an issue in SSL filter with switching to TLS 1.2 protocol.
- Fixed cases where HTTP filter didn't work properly with old versions of Kaspersky antivirus.
- Fixed incorrect switching to TLS 1.2 protocol for SSL filter in compatibility mode.
- Added a flag FF_HTTP_BLOCK_SPDY for FT_HTTP filter, which blocks the SPDY protocol. When SPDY is blocked, browsers switch to generic HTTP, which can be filtered.
- OpenSSL is upgraded to version 1.0.2.
- Fixed the logic of adding exceptions in SSL filter.
- Fixed possible deadlocks during initialization and unloading the library.
- Fixed false positives in the code adding exceptions in SSL filter.
- Added a flag FF_SSL_INDICATE_SERVER_CERTIFICATES for FT_SSL filter. When it is specified, SSL filter indicates objects of type OT_SSL_SERVER_CERTIFICATE via dataPartAvailable after receiving the server certificate. The objects contain the certificate, its subject and its issuer in 3 streams. It is possible to check the certificate and return DPCR_FILTER, DPCR_BYPASS or DPCR_BLOCK to let SSL filter know what to do with the SSL connection.
- Added a flag FF_SSL_INDICATE_EXCEPTIONS for FT_SSL filter. When it is specified, SSL filter indicates objects of type OT_SSL_EXCEPTION via dataPartAvailable each time the server or client closes a connection during the SSL handshake. The indicated OT_SSL_EXCEPTION objects have one stream, containing the remote host name from the TLS SNI field, or the remote endpoint string host:port if the SNI field is empty. dataPartAvailable can return DPCR_BLOCK to avoid adding the host to the list of exceptions.
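The OT_SSL_CLIENT_CERT_REQUEST entry (FF_SSL_INDICATE_CLIENT_CERT_REQUESTS) and the two entries above (OT_SSL_SERVER_CERTIFICATE and OT_SSL_EXCEPTION) all hand a decision to dataPartAvailable. The following C++ is an added example of that decision logic, not code from ProtocolFilters or its SDK: the SDK's PFObject/PFStream types are replaced by an assumed SslObject stand-in, the textual DN format of the subject/issuer streams and the policy tables (pinned issuers, mutual-TLS hosts, always-inspect hosts) are constructed for the example, and the assumption that any result other than DPCR_BLOCK lets an exception be added is marked in the code.

```cpp
// Added example for the OT_SSL_SERVER_CERTIFICATE, OT_SSL_CLIENT_CERT_REQUEST
// and OT_SSL_EXCEPTION indications. Not code from ProtocolFilters: the SDK's
// PFObject/PFStream types are replaced by the assumed SslObject stand-in, and
// the DN text format and policy tables are constructed for the example.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

enum SslObjectType { OT_SSL_SERVER_CERTIFICATE, OT_SSL_CLIENT_CERT_REQUEST, OT_SSL_EXCEPTION };
enum CheckResult { DPCR_FILTER, DPCR_BYPASS, DPCR_BLOCK };

// Assumed stand-in for the SDK object: a type plus its streams as byte strings.
// Server certificate objects carry [certificate, subject, issuer]; client
// certificate requests and exceptions carry a single [host] stream.
struct SslObject {
    SslObjectType type;
    std::vector<std::string> streams;
};

// Constructed policy (assumption): hosts whose issuer is pinned, hosts known to
// require mutual TLS, and hosts that must never become silent exceptions.
struct IssuerPin { const char* host; const char* issuerMustContain; };
static const IssuerPin kIssuerPins[] = {{"www.example.test", "O=Example Root CA"}};
static const char* const kMutualTlsHosts[] = {"vpn.example.test"};
static const char* const kAlwaysInspect[] = {"intranet.example.test", "mail.example.test"};

template <size_t N>
static bool listed(const std::string& host, const char* const (&list)[N]) {
    for (size_t i = 0; i < N; ++i)
        if (host == list[i]) return true;
    return false;
}

// Extracts the CN attribute from a textual DN in either OpenSSL one-line
// ("/C=US/O=Org/CN=host") or RFC 2253 ("CN=host, O=Org") form (assumed formats).
static std::string commonName(const std::string& dn) {
    size_t p = dn.find("CN=");
    if (p == std::string::npos) return "";
    size_t start = p + 3;
    size_t end = dn.find_first_of("/,", start);
    return dn.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Drops ":port" from the "host:port" form the exception object uses when SNI
// is empty; bracketed IPv6 literals keep their brackets.
static std::string hostOnly(const std::string& endpoint) {
    size_t from = endpoint.find(']');
    if (from == std::string::npos) from = 0;
    size_t p = endpoint.find(':', from);
    return p == std::string::npos ? endpoint : endpoint.substr(0, p);
}

// The decision an integrator's dataPartAvailable would return for each object.
CheckResult onSslObject(const SslObject& obj) {
    switch (obj.type) {
    case OT_SSL_SERVER_CERTIFICATE: {
        if (obj.streams.size() != 3) return DPCR_BLOCK;   // malformed indication: fail closed
        const std::string& subject = obj.streams[1];
        const std::string& issuer = obj.streams[2];
        if (subject == issuer) return DPCR_BLOCK;         // self-signed leaf: refuse to re-sign it
        std::string host = commonName(subject);
        for (const IssuerPin& pin : kIssuerPins)
            if (host == pin.host && issuer.find(pin.issuerMustContain) == std::string::npos)
                return DPCR_BLOCK;                        // pinned host with an unexpected issuer
        return DPCR_FILTER;                               // normal case: inspect the session
    }
    case OT_SSL_CLIENT_CERT_REQUEST: {
        if (obj.streams.size() != 1) return DPCR_BLOCK;
        // DPCR_BYPASS makes the filter remember the host as an exception, so
        // only hosts known to need mutual TLS are bypassed; elsewhere the
        // filter keeps going, which works when the request is optional.
        return listed(obj.streams[0], kMutualTlsHosts) ? DPCR_BYPASS : DPCR_FILTER;
    }
    case OT_SSL_EXCEPTION: {
        if (obj.streams.size() != 1) return DPCR_BLOCK;
        // DPCR_BLOCK stops the host from being added to the exception list;
        // any other result is assumed to let the filter add it.
        return listed(hostOnly(obj.streams[0]), kAlwaysInspect) ? DPCR_BLOCK : DPCR_FILTER;
    }
    }
    return DPCR_BLOCK;
}

// Builders for constructed sample indications.
SslObject serverCert(const std::string& der, const std::string& subject, const std::string& issuer) {
    SslObject o; o.type = OT_SSL_SERVER_CERTIFICATE; o.streams = {der, subject, issuer}; return o;
}
SslObject hostObject(SslObjectType t, const std::string& host) {
    SslObject o; o.type = t; o.streams = {host}; return o;
}

int main() {
    static const char* const names[] = {"DPCR_FILTER", "DPCR_BYPASS", "DPCR_BLOCK"};
    SslObject samples[] = {   // constructed inputs, not real certificates
        serverCert("constructed-der", "/C=US/O=Example/CN=www.example.test", "/C=US/O=Example Root CA/CN=Example Root"),
        serverCert("constructed-der", "/C=US/O=Example/CN=www.example.test", "/O=Rogue/CN=Rogue CA"),
        hostObject(OT_SSL_CLIENT_CERT_REQUEST, "vpn.example.test"),
        hostObject(OT_SSL_EXCEPTION, "intranet.example.test:443"),
    };
    for (const SslObject& s : samples)
        std::printf("%s -> %s\n", s.streams.back().c_str(), names[onSslObject(s)]);
    return 0;
}
```

The point of the three branches is that each result code has a lasting side effect in the filter: DPCR_BYPASS on a client certificate request and anything but DPCR_BLOCK on an exception object both exempt the host from SSL filtering in future, so the policy tables decide which hosts may be exempted at all, and the certificate branch fails closed on malformed or unexpectedly issued certificates rather than re-signing them.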
- SSL filter tries to use TLS 1.2 protocol if the server doesn't support TLS 1.0.
- SSL filter tries to use for the server connection the set of ciphers taken from the client handshake request. This can provide better compatibility when the client chooses a specific cipher list according to its requirements.
- The signing algorithm for SSL certificates is changed to SHA256. To re-generate the existing certificates, change the name of the root certificate passed to pf_setRootSSLCertSubject, or delete the files from the SSL subfolder of the ProtocolFilters configuration directory.
- Fixed an issue with parsing chunked encoding in HTTP filter.
- SSL filter adds an exception when a connection is disconnected because the server requires a client certificate.
- Fixed an issue in SMTP filter.
- Fixed an issue with 101 HTTP responses.
- SSL filter generates self-signed certificates with 2048-bit keys to avoid blocking SSL connections in the latest versions of browsers.
- Fixed random errors in OpenSSL when there are multiple worker threads.
- Fixed errors in library cleanup code.
- Added fixes to HTTP filter for correctly parsing non-standard HTTP requests and responses.
- Added a fix to HTTP filter for correctly parsing chunked HTTP requests without a Content-Length header.
- Changed the locking model for better performance. The library uses session-level locks instead of a global lock, allowing connections to be filtered simultaneously in several threads.
- Fixed an issue in HTTP filter related to finding the end of HTML responses.
- The root certificate is generated with an earlier validity start date to avoid issues on machines with an invalid time.
- Added a workaround in HTTP filter for a standard violation where an HTTP server returns several odd bytes after a response with a specified Content-Length.
- Added a fix in HTTP filter for proper classification of the protocol.
- SSL filter works more correctly when filtering the TLS protocol.
- Added a fix in HTTP filter for proper handling of 204 responses with an incorrectly formatted status.
- Added a fix in SSL filter that avoids issues with servers which don't support the older SSL 2 protocol.
- It is possible to change HTTP requests and responses in dataPartAvailable and return DPCR_UPDATE_AND_BYPASS or DPCR_UPDATE_AND_FILTER_READ_ONLY, to skip the rest of the object data or, respectively, to have the full object indicated later via dataAvailable in read-only mode.
- Fixed SSL filtering code to avoid blocking SSL connections when a server requests a client certificate, but can continue handshake when the client certificate is not available.
- OpenSSL is updated to version 1.0.1g.
- Fixed the logic in HTTP filter related to parsing multiple subsequent requests and responses.
- HTTP filter reclassifies the protocol after receiving a response on HTTPS CONNECT request.
- HTTP filter handles responses with code 100 more correctly.
- Fixed a protocol classification issue in SSL filter.
- HTTP filter no longer blocks the downloading of HTML pages with a wrong Content-Length field value in headers.
- Added new API function pf_setRootSSLCertImportFlags. It is possible to call this function before pf_setRootSSLCertSubject to avoid importing root certificate to certain types of storages.
- Fixed an issue in HTTP filter, related to handling responses with code 204.
- Added TLS exceptions to SSL filter. When a client tries to establish TLS connection with SSL server that doesn't support TLS, SSL filter adds host:port to exceptions as *.ssl file in SSL subfolder of ProtocolFilters configuration directory. Next time a connection with this server is established using SSL instead of TLS.
- Fixed an issue in SSL filter related to the set of OpenSSL encryption protocols used.
- Fixed an issue with validating SSL certificates with inline intermediate CAs when FF_SSL_VERIFY is enabled for SSL filter.
- Added flags FF_SSL_VERIFY and FF_SSL_SUPPORT_CLIENT_CERTIFICATES for SSL filter.
- Fixed an issue with filtering HTTP requests containing national characters in URL.
- SSL filter adds an automatic exception immediately when the server requests a client certificate, i.e. it doesn't wait for the same situation to repeat for the process, IP and port.
- SSL filter adds an automatic exception when server requests a client certificate.
- SSL filter doesn't add exceptions for connections redirected to local proxy.
- The SSL certificate files have the root certificate name as a prefix, to avoid issues after changing the name of the root certificate.
- Implemented a more correct disconnect for TCP sessions when a filter process emulates server disconnection.
- SSL filter generates a self-signed certificate if the original certificate is self-signed.
- SSL filter doesn't attempt a graceful shutdown when disconnecting an SSL session.
- Fixed an issue with filtering pipelined requests in HTTP filter.
- Implemented protection against non-standard protocol usage in HTTP filter. It fixes hangs while filtering connections of some Flash applications.
- Fixed an issue in FT_PROXY filter.
- Fixed an issue with filtering outgoing ICQ messages.
- Fixed breaking SSL connections with some servers, which require TLS.
- Fixed issues with filtering SSL connections to old servers.
- Added FTP proxy support in FT_FTP filter.
- Fixed issues in HTTPS proxy filtering code in FT_PROXY filter.
- XMPP filter automatically decompresses gzipped XML streams for read-only objects.
- Added function pf_unzipStream, which decompresses data streams compressed with gzip.
- OpenSSL is upgraded to latest version 1.0.1c.
- Updated XMPP filter to support flash:stream requests.
- Fixed an issue in HTTP filter with filtering responses missing required headers.
- Fixed an issue with filtering 304 requests in HTTP filter.
- Fixed the incompatibilities with new builds of Opera.
- The call to nss\certutil.exe no longer spawns conhost.exe.
- Fixed an issue in HTTP parser related to filtering responses with status code other than 200.
- SSL exceptions are not added on breaking SSL handshake due to connection abort.
- The hosts which require client SSL certificates are added to the list of exceptions automatically by SSL filter.
- SSL filter didn't work properly with server certificates missing the CN field.
- SSL filter specifies the remote IP address in OT_SSL_HANDSHAKE_* objects when the server name from the TLS SNI extension is unavailable.
- HTTP filter leaves objects compressed with unsupported algorithms as-is.
- SSL filter adds the host to the exception list when the client aborts the connection after receiving a certificate.
- Added XMPP filter.
- Fixed an issue in HTTP parser related to filtering chunked encoding.
- ProtocolFilters automatically cuts Kaspersky KAVCONN_ID packets out of the traffic.
- HTTP filter handles responses missing the header divider more correctly.
- SSL filter implements a workaround for the cases when an SSL server returns a certificate with a different host name in its properties.
- SSL certificates are re-generated if original certificate changes.
- When a client uses TLS SNI extension, SSL filter generates certificate with the specified domain name.
- SSL filter uses notBefore and notAfter fields from original certificate for generating new certificate.
- Added flag FF_SSL_COMPATIBILITY for SSL filter. It is necessary to use this flag when filtering HTTPS connections of Outlook, to avoid issues with RPC over HTTPS.
- SSL filter uses TLS SNI field obtained from client applications during SSL handshake with servers.
- SSL filter is fixed for compatibility with Google Chrome.
- Added flags FF_HTTP_KEEP_PIPELINING and FF_HTTP_INDICATE_SKIPPED_OBJECTS for HTTP filter.
- FT_PROXY filter works for both incoming and outgoing connections.
- Fixed several bugs in HTTP and POP3 filters.
- The buffer limits are updated for SMTP, POP3, Proxy and NNTP filters.
- Fixed SSL filtering code to support PF_NO_SSL_FILTER configuration.
- Added a new flag for SSL filter: FF_SSL_TLS_AUTO. It is useful for decoding TLS in unknown protocols, which establish an encrypted session dynamically using a special protocol command.
- pf_setRootSSLCertSubject imports root certificate to Pidgin.
- pf_deleteFilter marks the filter as deleted, and actually deletes the filter object when it is possible to do it safely. Now it is possible to call pf_deleteFilter from dataAvailable/dataPartAvailable.
- Added new API function pf_canDisableFiltering. It returns true when it is safe to disable filtering for the connection with specified id (there are no filters in chain and internal buffers are empty).
- pf_isFilterActive returns true only if the appropriate protocol is classified. pf_getFilterCount counts only active filters.
- pf_setRootSSLCertSubject automatically adds root SSL certificate with given name to certificate storages (Windows internal storage, Mozilla products, Opera).
- Fixed bugs in HTTP and HTTP/SOCKS proxy filters.
- PFHeader ignores invalid header fields.
- Added a method detach() for PFObject. It works like clone(), but moves all streams to the new object instead of copying the data, so it is faster.
- Added FF_SSL_INDICATE_HANDSHAKE_REQUESTS for SSL filter. It enables indicating OT_SSL_HANDSHAKE_OUTGOING/OT_SSL_HANDSHAKE_INCOMING objects during SSL handshake.
- HTTP filter splits pipelined requests.
- Several fixes in HTTP filter and Delphi API.
[-] Additional checking is implemented in HTTP filter to detect violations of HTTP standard.
[*] Updated UDP filtering code.
[-] HTTP filter handles HEAD requests properly.
[-] Fixed an incompatibility with old versions of QIP in FT_ICQ filter.
[+] Added a new API function pf_isFilterActive.
[-] Patched OpenSSL libraries to avoid long delays on Windows 7 in some cases.
[-] Minor bugfixes.
build 220.127.116.11
[+] Added SOCKS v4/4a/5 support to FT_PROXY filter.
[+] Added new filters: FT_ICQ, FT_FTP, FT_NNTP.
[+] Added a tool import_root_cert for automatic importing root SSL certificate to Mozilla Firefox/Thunderbird and Opera.
[-] Fixed several issues in FT_POP3, FT_SMTP, FT_SSL.
[*] The documentation and samples are updated according to changes above.
build 18.104.22.168
[-] Fixed a problem in HTTP filter related to parsing HTTP responses without Content-Length and Content-Type fields.
[-] Minor optimization.
build 22.214.171.124
[+] The new function pf_getFilterCount returns the number of active filters for a connection.
[+] The new functions nf_tcpDisableFiltering and pf_getFilterCount are used in PFEventsDefault to disable filtering the connections with unknown protocols.
[-] HTTP filter skipped the content of aborted connections, filtered in read-only mode.
[*] HTTP filter is able to filter the incoming connections.
[-] Other minor bugfixes.
build 126.96.36.199
[-] Fixed a problem in HTTP classifier.
build 1.0
September 22, 2009 - Initial release.