Build 1.3.4.0 (October 31, 2024)
- Fixed an issue in HTTP/2 filter with parsing objects having a content-length header.
Build 1.3.3.9 (October 16, 2024)
- Fixed an issue in HTTP/2 filter with reordering HTTP/2 stream ids for filtered requests.
- Fixed issues in uncompression routines.
Build 1.3.3.4 (August 9, 2024)
- The Content-Length header is not removed from headers when DPCR_UPDATE_* code is returned from dataPartAvailable, and content length is zero in the indicated object.
- Added RSIF_PERSISTENT_CERTIFICATE_CACHE flag for function pf_setRootSSLCertImportFlags. It enables storing the generated domain certificates in cache file instead of generating them each session.
Build 1.3.3.2 (June 20, 2024)
- The default SSL private key size is raised for compatibility with Mac requirements.
- Fixed the behavior of FF_SSL_TLS_COMPATIBILITY flag for a case when server certificate has issues with private key, which can be ignored for compatibility.
Build 1.3.3.0 (May 14, 2024)
- SSL filter uses the list of curves from original TLS handshake data, for compatibility with some servers.
- Added a workaround in HTTP filter for a case when a connection is not disconnected from server side after receiving HTML response without specified content length or chunked encoding.
Build 1.3.2.8 (April 25, 2024)
- OpenSSL is upgraded to version 3.1.5.
- Fixed an issue with large header fields in HTTP/2 filter.
Build 1.3.2.5 (March 13, 2024)
- Added support for zstd compression algorithm for HTTP content. Also zstd is supported in pf_unzipStream.
- Fixed an issue with filtering HTTP responses merged with WebSocket data.
Build 1.3.2.3 (February 06, 2024)
- Fixed an issue in SSL filter with invalid shared keys used by some web servers.
- Fixed an issue with SSL certificate storage.
- By default a pre-generated private key is used for creating domain certificates, unless RSIF_GENERATE_DOMAIN_PRIVATE_KEYS flag is specified in pf_setRootSSLCertImportFlags.
- The library generates EC private keys instead of RSA for certificates if RSIF_GENERATE_EC_PRIVATE_KEYS flag is specified in pf_setRootSSLCertImportFlags before pf_init.
- OpenSSL is patched for compatibility with some servers like archive.is.
- Fixed an issue with WebSocket protocol in HTTP filter.
Build 1.3.1.6 (October 28, 2023)
- Fixed an issue in HTTP/2 with counting window sizes.
Build 1.3.1.5 (October 20, 2023)
- Fixed an issue in HTTP/2 filter related to window sizes.
- Fixed conversion of IPv6 addresses to string on Linux/MacOS.
Build 1.3.1.3 (September 21, 2023)
- Fixed an issue with processing large HTTP headers in HTTP/2 filter.
- Optimized the usage of "end of stream" flag in HTTP/2 filter.
- Fixed a memory leak during indicating OT_SSL_INVALID_SERVER_CERTIFICATE objects.
- Fixed an issue in pf_unzipStream.
- The flag FF_SSL_TLS_COMPATIBILITY for SSL filter enables support of TLS protocol versions 1.0 and 1.1.
Build 1.3.0.8 (July 21, 2023)
- Legacy Unsafe Renegotiation mode is enabled by default for TLS protocol for compatibility. It is disabled with flag FF_SSL_STRICT_VERIFICATION for SSL filter.
- Linux: Added required paths for importing root certificate to system storage on CentOS, AltLinux and others.
- The domain certificates are removed and generated again each time on initialization of ProtocolFilters.
- Fixed selection of TLS protocol version for local traffic between clients and proxy.
Build 1.3.0.5 (June 16, 2023)
- Fixed a compatibility issue with some FTP clients on TLS filtering level.
- The flag FF_SSL_TLS_COMPATIBILITY for SSL filter enables Legacy Unsafe Renegotiation mode for compatibility with servers using old versions of TLS protocol.
- SSL filter bypasses the filtering for TLS_ANY_VERSION protocol, to avoid blocking the data transmission.
Build 1.2.9.8 (May 11, 2023)
- Fixed the possible locale issues in HTTP/2 filtering code.
Build 1.2.9.7 (April 26, 2023)
- OpenSSL is upgraded to version 3.1.0.
- The new flag FF_HTTP_DONT_UNCOMPRESS_CONTENT disables decompressing the content of requests and responses in HTTP and HTTP/2 filters.
Build 1.2.9.5 (March 6, 2023)
- OpenSSL is upgraded to version 1.1.1s.
- Fixed an issue with window size in HTTP/2 filter.
- Optimized the procedure of importing root certificate to Mozilla storages.
- Fixed a security issue in HTTP filter.
Build 1.2.9.1 (December 1, 2022)
- It is possible to specify a client certificate for TLS session in the streams of OT_SSL_CLIENT_CERT_REQUEST object.
Build 1.2.9.0 (October 25, 2022)
- Fixed an issue with filtering SOCKS4 requests in FT_PROXY filter.
- Minor bugfixes.
Build 1.2.8.9 (October 20, 2022)
- Implemented a correct flow control for HTTP/2 data frames.
- Fixed an issue with content-length for HTTP/2 data streams with injected content.
- Fixed a possible issue with object streams, which use temporary files.
- Several security fixes.
Build 1.2.8.8 (August 21, 2022)
- Fixed an issue in proxy filter with handling large HTTPS proxy requests.
Build 1.2.8.5 (July 15, 2022)
- Fixed an issue with the flag FF_SSL_DISABLE_TLS_1_1 for SSL filter.
- Fixed an issue in SSL exceptions code.
Build 1.2.8.3 (June 7, 2022)
- Fixed an issue in HTTP/2 filter with splitting large headers.
- Added support of HTTP/2 early hints headers with code 103.
Build 1.2.8.1 (May 27, 2022)
- Websocket packets in read only mode were indicated to subsequent filters in chain.
Build 1.2.8.0 (May 21, 2022)
- Added HTTP/2 protocol filter FT_HTTP2. The usage is demonstrated in modified HTTP filtering samples.
- The new flag FF_SSL_INDICATE_ALPN_SELECT_PROTOCOL for SSL filter enables indication of each ALPN protocol offered by client via dataPartAvailable as OT_SSL_HANDSHAKE_OUTGOING_PROTOCOL objects. It allows selecting the set of protocols for negotiation with server when FF_SSL_ENABLE_ALPN flag is enabled.
- Fixed an issue with filtering SOCKS responses in proxy filter.
- On Linux the root certificate is imported to system storage.
Build 1.2.7.8 (March 2, 2022)
- Fixed parsing of HTTPS proxy responses in proxy filter.
- Fixed an issue with reinitialization of OpenSSL.
Build 1.2.7.6 (February 7, 2022)
- Fixed an issue with HTTP protocol upgrade responses with data.
- It is possible to specify additional attributes for root certificate subject in pf_setRootSSLCertSubject(Ex).
- Implemented support for additional deflate encodings.
- Added a flag FF_HTTP_IGNORE_RESPONSE_ERRORS for HTTP filter, disabling checking HTTP standard for responses.
- Fixed debug static build configuration of OpenSSL, which used /MT flag instead of /MDd.
- Added a workaround to support WebSocket protocol with x-webkit-deflate-frame encoding in Safari.
Build 1.2.6.9 (October 21, 2021)
- FF_SSL_STRICT_VERIFICATION disables DH keys having less than 2048 bits.
- 3DES algorithm is disabled for TLS connections.
- Bugfixes in certificate database code.
- Fixed OpenSSL configurations for static linking, which missed multithreading support.
Build 1.2.6.7 (October 10, 2021)
- FT_PROXY filter supports new flag FF_PROXY_INDICATE_HTTPS_PROXY_RESPONSE, enabling to filter HTTPS proxy responses as OT_HTTPS_PROXY_RESPONSE objects in dataAvailable and dataPartAvailable.
- SCT verification is enabled using a separate flag FF_SSL_SCT_VERIFICATION for SSL filter.
- When FF_SSL_STRICT_VERIFICATION flag is enabled, the full DH key checks are executed no more than once a day for each host.
Build 1.2.6.4 (September 16, 2021)
- Fixed the filtering of IMAP requests for compatibility with Thunderbird.
- Fixed a compatibility issue with Thunderbird in SMTP filter.
- OpenSSL is updated to version 1.1.1l.
Build 1.2.6.2 (August 8, 2021)
- IMAP filter disables data compression for filtered connections.
- HTTP filter keeps the original Transfer-Encoding for both requests and responses for compatibility.
Build 1.2.6.0 (July 9, 2021)
- The temporary files with stream content remaining in configuration folder are deleted automatically during library initialization.
- Fixed an internal issue with resizing memory buffers.
- The certificate database is rebuilt during library initialization, with removing old and replaced certificates.
- SSL filter added with FF_SSL_STRICT_VERIFICATION flag adds exceptions for TLS connections with certificates missing SCT field.
Build 1.2.5.6 (June 3, 2021)
- Added FT_IMAP filter for IMAP protocol.
- Fixed an issue with adding SSL exceptions when client closes connection gracefully after receiving server certificate.
- Added a flag FF_SSL_STRICT_VERIFICATION for SSL filter, which enables strict verification rules for DH keys when FF_SSL_VERIFY flag is turned on.
- SSL filter supports small DH keys in compatibility mode with FF_SSL_TLS_COMPATIBILITY flag enabled.
Build 1.2.5.2 (December 29, 2020)
- Added support of Brotli (br) encoding for HTTP requests and responses. The HTTP request field Accept-Encoding is not changed, and FF_HTTP_KEEP_ACCEPT_ENCODING flag is deprecated.
- Added support of WebSocket protocol, enabled when FT_HTTP filter is added with FF_HTTP_FILTER_WEBSOCKET flag. The decoded and decompressed WebSocket payload is indicated as OT_WEBSOCKET_REQUEST/OT_WEBSOCKET_RESPONSE objects via dataAvailable.
- Modified SSL filter for compatibility with Yandex browser.
- Fixed HTTP filtering issue when pf_postObject is called from a separate thread.
Build 1.2.5.0 (September 15, 2020)
- Fixed issues in HTTP classification code and with updating Content-Length header.
- By default SSL filter doesn't try to switch to TLS 1.0. The new flag for SSL filter FF_SSL_TLS_COMPATIBILITY can be added to enable automatic switching to deprecated protocol TLS 1.0, when server doesn't support newer versions.
Build 1.2.4.8 (July 15, 2020)
- The exceptions in SSL filter are added for google.com similar to other domains.
- Fixed an issue in a procedure returning file stream size.
Build 1.2.4.7 (June 29, 2020)
- Added a flag FF_HTTP_KEEP_ACCEPT_ENCODING for HTTP filter, which allows disabling the modification of the Accept-Encoding header field in HTTP requests.
Build 1.2.4.6 (June 4, 2020)
- SSL filter uses a certificate subject name for generating domain certificates instead of TLS SNI name.
- Fixed an issue with processing Content-Transfer header in HTTP filter for HEAD requests.
- Fixed an issue with ref counting for sessions on Linux and Mac.
Build 1.2.4.3 (April 24, 2020)
- Fixed an issue in HTTP filter with parsing Connection: upgrade responses with chunked encoding.
- Fixed an issue in SSL filter.
- The flags for file opening calls are modified to close handles after fork() on Linux.
- Fixed a compatibility TLS issue with servers like https://sanso-elec.e-show-buy.jp.
Build 1.2.4.1 (March 14, 2020)
- Fixed a compatibility issue with Firefox 74 in SSL filter.
Build 1.2.4.0 (March 10, 2020)
- SSL filter uses TLS 1.0 when host name is not specified in TLS SNI field, for compatibility with old SSL clients.
- Removed /MP switch from make/msvc.mak to avoid errors.
- Fixed some build issues in code.
- SSL filter saves exception databases each time on adding new exception.
- SSL filter disables for client the versions of TLS protocol higher than TLS version negotiated with server.
Build 1.2.3.5 (January 30, 2020)
- Fixed an issue with parsing chunked encoding in HTTP filter.
- Fixed an issue in code searching for control connection for FTP data connection.
- Fixed possible filtering of SSL connections with hosts having revoked certificates with FF_SSL_VERIFY flag enabled.
- Fixed access flags in pf_getProcessOwner.
- openssl\Configurations\10-main.conf is patched for compatibility with MSVC 2005 for building Windows XP version of OpenSSL.
Build 1.2.3.3 (January 16, 2020)
- Fixed a compatibility issue in SSL filter with Windows XP.
- Increased session buffer limits for better performance of high speed connections.
- The private key size for generated certificates is raised to 2048 bits for compatibility on MacOS.
- pfc_setRootSSLCertSubjectEx didn't import root certificate to Windows storage.
- Fixed make\msvc.mak.
- Fixed an issue in pf_setExceptionsTimeout.
Build 1.2.2.9 (October 31, 2019)
- Fixed the code of SSL filter for better performance.
Build 1.2.2.8 (October 24, 2019)
- OpenSSL is upgraded to version 1.1.1d.
- Added a missing stream SSL_ICS_CERTIFICATE in OT_SSL_INVALID_SERVER_CERTIFICATE object.
- Added necessary fixes to compile the project with Unicode support option.
Build 1.2.2.6 (October 2, 2019)
- Added new streams for OT_SSL_INVALID_SERVER_CERTIFICATE objects.
- Fixed an issue in POP3 filter with parsing RETR responses.
Build 1.2.2.4 (August 28, 2019)
- Added a function pf_deleteExceptions.
- Added a flag for SSL filter FF_SSL_DISABLE_TLS_1_1, which allows disabling the TLS 1.1 protocol.
Build 1.2.2.3 (August 7, 2019)
- Fixed an issue with C API code.
- Added new function pf_getRootSSLCertFileName, returning the full path to root certificate.
Build 1.2.2.1 (July 10, 2019)
- The flag enable-weak-ssl-ciphers is added for OpenSSL to support the servers with deprecated ciphers.
- Fixed an issue in file streams code for Windows.
Build 1.2.1.9 (July 06, 2019)
- Fixed an issue in certificate importing code for Linux and Mac OS.
Build 1.2.1.8 (June 27, 2019)
- OpenSSL configuration is updated to build with statically linked MSVC runtime.
- Fixed several issues with timers and internal variables.
Build 1.2.1.5 (June 19, 2019)
- ProtocolFilters is made cross-platform, suitable for Windows, Linux and Mac OS.
- OpenSSL upgraded to version 1.1.1b (supports TLS 1.3 and additional protocol features).
- Added make file make\msvc.mak for building the component using nmake.exe.
Build 1.2.0.8 (September 22, 2018)
- Optimized the filtering on TCP send path to avoid client timeouts.
- SSL filter with FF_SSL_VERIFY flag suspends TLS connections during validation of server certificate.
- zlib is upgraded to version 1.2.11.
Build 1.2.0.5 (August 1, 2018)
- SSL filter allows requesting a client certificate after the main handshake.
- The minimum DH key size is limited to 1024 with FF_SSL_VERIFY flag.
- Fixed an issue in HTTP filter with parsing requests after receiving unexpected responses.
- OCSP check in SSL filter is implemented using CryptoAPI for compatibility with fresh installations of Windows 10.
- Fixed a problem with handling client certificates in SSL filter.
Build 1.2.0.1
- Added a workaround for importing root certificate to Firefox with master password enabled.
- Added a new flag for FT_SSL filter FF_SSL_KEEP_SERIAL_NUMBERS, which allows copying serial numbers from original server certificates.
- Minor performance enhancement for synchronization objects, PFObject streams.
- Added a function pf_setRootSSLCertSubjectEx, which allows specifying a custom root certificate for generating domain certificates.
- Several well known folders are bypassed during searching for Mozilla certificate databases in user profiles.
Build 1.1.9.6
- OpenSSL is upgraded to version 1.0.2n and built with no-asm flag to avoid issues with SHA (https://github.com/openssl/openssl/issues/4470).
- Fixed compatibility issues in SSL filter with Microsoft services using old TLS protocol (like OWA, Exchange RPC over HTTP).
- Fixed the parsing of HTTP responses having Content-Length and response code other than 200.
- NSS tools for importing root certificate to Mozilla products is upgraded to version 3.35 for compatibility with Firefox and other products using new certificate database in cert9.db.
Build 1.1.9.4
- Root SSL certificate is imported to storages located in remote APPDATA and LOCALAPPDATA folders taken from all user profile registry keys.
- x64 version of OpenSSL is rebuilt with no-asm flag for better compatibility.
- Fixed false classification of STARTTLS commands as a TLS handshake in SSL filter.
- Fixed an issue in HTTP filter with parsing responses having Content-Length field and empty body.
- Fixed a parsing error in FTP filter with FileZilla client which uses pipelining for PASV and PORT commands.
- FTP filter classifies properly the connections of FTP clients which use OPTS command.
- Added pf_waitForImportCompletion function, which allows waiting until root certificate import is completed after a call to pf_setRootSSLCertSubject.
- Added a correct check for the situation when configuration folder specified in pf_init cannot be created.
- Added a manifest with requirement of elevated administrative rights and import to Windows certificate storage to ProtocolFilters\tools\import_root_cert
- Fixed overwriting Accept-Encoding header in HTTP filter for a case when browser requires "identity" encoding.
- Fixed a compatibility issue with Firefox 55/56 in SSL filter.
- The exceptions in SSL filter due to weak DH prime are added immediately without using a delay with counter.
Build 1.1.8.5
- Fixed a build issue with MSVC 2017.
Build 1.1.8.4
- Added a validity check for system root certificates in SSL filter.
- Implemented additional checks for known TLS vulnerabilities when FF_SSL_VERIFY flag is enabled in SSL filter.
- Added a fix in SSL filter to avoid false positives with adding TLS exceptions.
- SSL filter uses graceful TLS shutdown to avoid issues in some clients.
- Fixed a bug in HTTP filter with parsing chunked encoding.
- SSL filter only adds exceptions instead of closing TLS connections with weak DH keys between 1024 and 1280 bits.
- Fixed an issue with filtering SMTP protocol of QQ mail service that uses a non-standard extension MAILCOMPRESS.
Build 1.1.7.8
- SSL filter: Removed the deprecated RC4 from the default TLS cipher list.
- SSL filter: DH keys smaller than 1280 bits are classified as weak, so the host is added to exceptions.
- Proxy filter: increased the limit for requests.
Build 1.1.7.7
- When SSL filter is added without FF_SSL_SUPPORT_CLIENT_CERTIFICATES flag, requesting a client certificate by server adds host to exceptions after 2 unsuccessful attempts.
Build 1.1.7.6
- HTTP filter modifies Accept-Encoding field in request headers to avoid receiving the responses with unsupported encodings.
- The procedure of adding automatic SSL exceptions is modified to avoid false positives with antiviruses.
Build 1.1.7.4
- Debug builds write a log file asynchronously for better performance.
- SSL filter adds host to the list of exceptions if SSL connection is closed immediately after establishing only for hardcoded hosts.
- OpenSSL and WinSock initialization/deinitialization is moved to pf_init/pf_free path.
Build 1.1.7.2
- SSL filter adds host to the list of exceptions if SSL connection is closed immediately after establishing.
Build 1.1.7.1
- Fixed an issue with filtering FTP over SOCKS proxy connections.
- HTTP filter uses for filtered response the same transfer encoding as in original response.
- OpenSSL is upgraded to version 1.0.2h.
Build 1.1.6.8
- Fixed a hang on loading broken file with SSL certificates (cert.db).
- Added support for TLS session resumption in SSL filter, for compatibility with secure FTP servers.
- Minor performance optimization.
- SSL filter signs MITM certificates with the algorithm used for signing original certificates.
Build 1.1.6.4
- Fixed hangs of SSL connections on renegotiation when server requires a client certificate.
Build 1.1.6.3
- Removed the code for disabling filtering from PFEventsDefault.
- Fixed an issue with delayed remote disconnects for TCP sessions.
- Fixed an overflow issue that occurred in HTTP filter when updating a Content-Length larger than MAX_INT after returning DPCR_UPDATE_AND_BYPASS or DPCR_UPDATE_AND_FILTER_READ_ONLY from dataPartAvailable.
- Fixed an issue in SSL filter with negotiating a set of algorithms for remote TLS connections.
- Root certificate is imported to Windows storage even if the certificate already exists.
Build 1.1.5.8
- Added a workaround in SSL filter for a case with flag FF_SSL_COMPATIBILITY when server closes connection by returning TLS response.
Build 1.1.5.7
- Added a fix to HTTP filter to avoid issues when a server returns content longer than specified in Content-Length.
- Minor optimization.
Build 1.1.5.6
- Fixed an issue with importing SSL root certificate to Opera.
- SSL filter uses OCSP stapling TLS extension for better performance when FF_SSL_VERIFY flag is enabled.
- Added a timeout in SSL filter for certificate revocation checks.
Build 1.1.5.4
- Added a flag FF_SSL_DECODE_ONLY for SSL filter, which allows bypassing the encoding of traffic between proxy and server. It is useful, for example, when a local or remote server should handle both HTTP and HTTPS traffic as generic HTTP. It is possible to enable the flag dynamically by returning DPCR_FILTER_READ_ONLY from dataPartAvailable for an OT_SSL_HANDSHAKE_OUTGOING object containing some known domain name.
- Added a patch for Logjam SSL vulnerability.
- Fixed the code for importing root certificate to old versions of Opera.
- OpenSSL is upgraded to version 1.0.2c.
Build 1.1.5.1
- Added a flag FF_SSL_ENABLE_ALPN for SSL filter, which enables the use of the TLS extension for negotiating the next protocol (e.g. HTTP/2, SPDY, HTTP/1.1). This feature is disabled by default to block HTTP/2 and SPDY.
- SSL exceptions are stored as records in container files x.db, xtls.db and xv.db for better performance.
- Fixed an issue in SSL filter with obtaining a client certificate from Windows storage for processes having low security privileges.
- When FF_SSL_INDICATE_CLIENT_CERT_REQUESTS flag is enabled, and server requests a client certificate, SSL filter indicates via dataPartAvailable an object of type OT_SSL_CLIENT_CERT_REQUEST, containing server domain name (or IP address if the name is not specified in SNI) in a single stream. If dataPartAvailable returns DPCR_BYPASS, SSL filter adds host to internal list of exceptions and doesn't try to filter SSL for this host in future.
- When FF_SSL_VERIFY flag is enabled, SSL filter validates server certificates in a separate thread to avoid deadlocks. The synchronous validation checks only cached certificates and uses basic check rules.
- SSL validation checks only cached certificates when OCSP server is not available.
- pf_setRootSSLCertImportFlags supports new flag RSIF_GENERATE_ROOT_PRIVATE_KEY. When it is enabled, SSL filter generates a unique private key for root certificate.
- By default SSL filter tries to use TLS 1.2 for SSL/TLS connections.
Build 1.1.4.6
- A postfix is appended to root certificate, so that old certificates signed with SHA1 are re-generated as new ones signed with SHA256.
Build 1.1.4.5
- SSL filter stores all certificates in a single file cert.db. The certificates and keys are encrypted. The existing certificates are imported to the new storage automatically. The certificates are cached in memory for better performance.
- When FF_SSL_VERIFY flag is specified for SSL filter, the validation of SSL certificates occurs periodically, once per 24 hours. Also the filter validates full certificate chain to detect revoked, self-signed certificates and invalid certificate properties.
- Fixed an issue in SSL filter with switching to TLS 1.2 protocol.
- In some cases HTTP filter didn't work properly with old versions of Kaspersky antivirus.
- Fixed incorrect switching to TLS 1.2 protocol for SSL filter in compatibility mode.
- Added a flag FF_HTTP_BLOCK_SPDY for FT_HTTP filter, which allows blocking the SPDY protocol. When SPDY is blocked, the browsers switch to generic HTTP, which can be filtered.
Build 1.1.4.1
- OpenSSL is upgraded to version 1.0.2.
- Fixed the logic of adding exceptions in SSL filter.
- Fixed possible deadlocks during initialization and unloading the library.
- Fixed false positives in the code adding exceptions in SSL filter.
- Added a flag FF_SSL_INDICATE_SERVER_CERTIFICATES for FT_SSL filter. When it is specified, SSL filter indicates the objects with type OT_SSL_SERVER_CERTIFICATE via dataPartAvailable after receiving server certificate. The objects contain the certificate, its subject and issuer in 3 streams. It is possible to check the certificates and return DPCR_FILTER, DPCR_BYPASS or DPCR_BLOCK to let SSL filter know what to do with SSL connection.
- Added a flag FF_SSL_INDICATE_EXCEPTIONS for FT_SSL filter. When it is specified, SSL filter indicates the objects with type OT_SSL_EXCEPTION via dataPartAvailable each time when server or client closes a connection during SSL handshake. The indicated objects with type OT_SSL_EXCEPTION have one stream, containing a remote host name from TLS SNI field, or remote endpoint string host:port in case if SNI field is empty. dataPartAvailable can return DPCR_BLOCK to avoid adding the host to list of exceptions.
- SSL filter tries to use TLS 1.2 protocol if the server doesn't support TLS 1.0.
- For the server connection, SSL filter tries to use the set of ciphers taken from the client handshake request. It can provide better compatibility if the client chooses a specific cipher list according to its requirements.
- The signing algorithm for SSL certificates is changed to SHA256. To re-generate the existing certificates it is possible to change the name of root certificate, passed to pf_setRootSSLCertSubject. Or delete the files from SSL subfolder of ProtocolFilters configuration directory.
Build 1.1.3.4
- Fixed an issue with parsing chunked encoding in HTTP filter.
- SSL filter adds exception in case when a connection is disconnected because server requires client certificate.
- Fixed an issue in SMTP filter.
- Fixed an issue with 101 HTTP responses.
- SSL filter generates self-signed certificates having 2048 bits to avoid blocking SSL connections in latest versions of browsers.
Build 1.1.2.9
- Fixed random errors in OpenSSL when there are multiple worker threads.
- Fixed errors in library cleanup code.
Build 1.1.2.8
- Added fixes to HTTP filter for correct parsing non-standard HTTP requests and responses.
- Added a fix to HTTP filter for correct parsing the chunked HTTP requests without Content-Length header.
- Changed the locking model for better performance. The library uses session-level locks instead of global lock to allow filtering the connections simultaneously in several threads.
- Fixed an issue in HTTP filter related to finding the end of HTML responses.
Build 1.1.2.4
- The root certificate is generated with earlier start validity date to avoid issues on machines with invalid time.
- Added a workaround in HTTP filter for a situation of violating standard, when HTTP server returns several odd bytes after a response with specified Content-Length.
- Added a fix in HTTP filter for proper classification of the protocol.
- SSL filter works more properly during filtering TLS protocol.
- Added a fix in HTTP filter for proper handling of 204 responses with incorrectly formatted status.
- Added a fix in SSL filter to avoid issues with servers which don't support older SSL 2 protocols.
Build 1.1.1.8
- It is possible to change HTTP requests and responses in dataPartAvailable and return DPCR_UPDATE_AND_BYPASS or DPCR_UPDATE_AND_FILTER_READ_ONLY to skip the rest of object data or indicate later the full object via dataAvailable in read-only mode.
- Fixed SSL filtering code to avoid blocking SSL connections when a server requests a client certificate, but can continue handshake when the client certificate is not available.
- OpenSSL is updated to version 1.0.1g.
- Fixed the logic in HTTP filter related to parsing multiple subsequent requests and responses.
- HTTP filter reclassifies the protocol after receiving a response on HTTPS CONNECT request.
- HTTP filter handles the responses with code 100 more properly.
- Fixed a protocol classification issue in SSL filter.
- HTTP filter is able to avoid blocking the downloading of HTML pages having wrong Content-Length field value in headers.
Build 1.1.1.4
- Added new API function pf_setRootSSLCertImportFlags. It is possible to call this function before pf_setRootSSLCertSubject to avoid importing root certificate to certain types of storages.
Build 1.1.1.3
- Fixed an issue in HTTP filter, related to handling responses with code 204.
- Added TLS exceptions to SSL filter. When a client tries to establish TLS connection with SSL server that doesn't support TLS, SSL filter adds host:port to exceptions as *.ssl file in SSL subfolder of ProtocolFilters configuration directory. Next time a connection with this server is established using SSL instead of TLS.
Build 1.1.1.2
- Fixed an issue in SSL filter, related to used set of OpenSSL encryption protocols.
Build 1.1.1.1
- Fixed an issue with validating SSL certificates with inline intermediate CAs when FF_SSL_VERIFY is enabled for SSL filter.
Build 1.1.1.0
- Added flags FF_SSL_VERIFY and FF_SSL_SUPPORT_CLIENT_CERTIFICATES for SSL filter.
Build 1.1.0.9
- Fixed an issue with filtering HTTP requests containing national characters in URL.
- SSL filter adds an automatic exception when server requests a client certificate immediately, i.e. doesn't wait for repeating the same situation for process, IP and port.
Build 1.1.0.7
- SSL filter adds an automatic exception when server requests a client certificate.
- SSL filter doesn't add exceptions for connections redirected to local proxy.
- The files of SSL certificates have root certificate name as a prefix, to avoid issues after changing the name of root certificate.
Build 1.1.0.3
- Implemented more correct disconnect for TCP sessions when a filter process emulates server disconnection.
- SSL filter generates a self-signed certificate if the original certificate is self-signed.
- SSL filter doesn't try graceful shutdown during disconnecting SSL session.
Build 1.1.0.0
- Fixed an issue with filtering pipelined requests in HTTP filter.
- Implemented a protection from non-standard usage of protocol in HTTP filter. It fixes hangs during filtering connections of some flash applications.
Build 1.0.9.8
- Fixed an issue in FT_PROXY filter.
- Fixed an issue with filtering outgoing ICQ messages.
- Fixed breaking SSL connections with some servers, which require TLS.
Build 1.0.9.5
- Fixed issues with filtering SSL connections to old servers.
- Added FTP proxy support in FT_FTP filter.
- Fixed issues in HTTPS proxy filtering code in FT_PROXY filter.
Build 1.0.9.3
- XMPP filter automatically decompresses gzipped XML streams for read-only objects.
- Added function pf_unzipStream, allowing to decompress data streams compressed with gzip.
- OpenSSL is upgraded to latest version 1.0.1c.
- Updated XMPP filter to support flash:stream requests.
- Fixed an issue in HTTP filter with filtering responses missing required headers.
- Fixed an issue with filtering 304 requests in HTTP filter.
- Fixed the incompatibilities with new builds of Opera.
- The call to nss\certutil.exe doesn't create conhost.exe.
- Fixed an issue in HTTP parser related to filtering responses with status code other than 200.
Build 1.0.8.5
- SSL exceptions are not added on breaking SSL handshake due to connection abort.
Build 1.0.8.4
- The hosts which require client SSL certificates are added to the list of exceptions automatically by SSL filter.
- SSL filter didn't work properly with the server certificates missing CN field.
- SSL filter specifies remote IP address in OT_SSL_HANDSHAKE_* objects when the server name from TLS SNI extension is unavailable.
- HTTP filter saves as-is the objects compressed with unsupported algorithms.
- SSL filter adds host to exception list when the client aborts connection after receiving a certificate.
- Added XMPP filter.
- Fixed an issue in HTTP parser related to filtering chunked encoding.
- ProtocolFilters cuts off Kaspersky KAVCONN_ID packets from traffic automatically.
- HTTP filter more correctly handles the cases with responses missing header divider.
Build 1.0.7.5
- In SSL filter implemented a workaround for the cases when SSL server returns a certificate with different host name in properties.
- SSL certificates are re-generated if original certificate changes.
- When a client uses TLS SNI extension, SSL filter generates certificate with the specified domain name.
- SSL filter uses notBefore and notAfter fields from original certificate for generating new certificate.
- Added flag FF_SSL_COMPATIBILITY for SSL filter. It is necessary to use this flag during filtering HTTPS connections of Outlook, to avoid issues with RPC over HTTPS.
- SSL filter uses TLS SNI field obtained from client applications during SSL handshake with servers.
- SSL filter is fixed for compatibility with Google Chrome.
- Added flags FF_HTTP_KEEP_PIPELINING and FF_HTTP_INDICATE_SKIPPED_OBJECTS for HTTP filter.
- FT_PROXY filter works for both incoming and outgoing connections.
- Fixed several bugs in HTTP and POP3 filters.
- The buffer limits are updated for SMTP, POP3, Proxy and NNTP filters.
- Fixed SSL filtering code to support PF_NO_SSL_FILTER configuration.
- Added new flag for SSL filter: FF_SSL_TLS_AUTO. It is useful for decoding TLS for unknown protocols, which establish encoded session dynamically using a special protocol command.
- pf_setRootSSLCertSubject imports root certificate to Pidgin.
- pf_deleteFilter marks the filter as deleted, and actually deletes the filter object when it is possible to do it safely. Now it is possible to call pf_deleteFilter from dataAvailable/dataPartAvailable.
- Added new API function pf_canDisableFiltering. It returns true when it is safe to disable filtering for the connection with specified id (there are no filters in chain and internal buffers are empty).
- pf_isFilterActive returns true only if the appropriate protocol is classified. pf_getFilterCount counts only active filters.
Build 1.0.6.7
- pf_setRootSSLCertSubject automatically adds root SSL certificate with given name to certificate storages (Windows internal storage, Mozilla products, Opera).
Build 1.0.6.5
- Fixed bugs in HTTP and HTTP/SOCKS proxy filters.
- PFHeader ignores invalid header fields.
Build 1.0.6.3
- Added a method detach() for PFObject. It works like clone(), but moves all streams to new object instead of copying the data, thus it works faster.
Build 1.0.6.2
- Added FF_SSL_INDICATE_HANDSHAKE_REQUESTS for SSL filter. It enables indicating OT_SSL_HANDSHAKE_OUTGOING/OT_SSL_HANDSHAKE_INCOMING objects during SSL handshake.
Build 1.0.6.1
- HTTP filter splits pipelined requests.
Build 1.0.5.8
- Several fixes in HTTP filter and Delphi API.
Build 1.0.5.7
[-] Additional checking is implemented in HTTP filter to detect violations of HTTP standard.
Build 1.0.5.5
[*] Updated UDP filtering code.
Build 1.0.5.4
[-] HTTP filter handles HEAD requests properly.
Build 1.0.5.3
[-] Fixed an incompatibility with old versions of QIP in FT_ICQ filter.
[+] Added a new API function pf_isFilterActive.
[-] Patched OpenSSL libraries to avoid long delays on Windows 7 in some cases.
[-] Minor bugfixes.
Build 1.0.5.1
[+] Added SOCKS v4/4a/5 support to FT_PROXY filter.
[+] Added new filters: FT_ICQ, FT_FTP, FT_NNTP.
[+] Added a tool import_root_cert for automatic importing root SSL certificate to Mozilla Firefox/Thunderbird and Opera.
[-] Fixed several issues in FT_POP3, FT_SMTP, FT_SSL.
[*] The documentation and samples are updated according to changes above.
Build 1.0.0.6
[-] Fixed a problem in HTTP filter related to parsing HTTP responses without Content-Length and Content-Type fields.
[-] Minor optimization.
Build 1.0.0.4
[+] The new function pf_getFilterCount returns the number of active filters for a connection.
[+] The new functions nf_tcpDisableFiltering and pf_getFilterCount are used in PFEventsDefault to disable filtering the connections with unknown protocols.
[-] HTTP filter skipped the content of aborted connections, filtered in read-only mode.
[*] HTTP filter is able to filter the incoming connections.
[-] Other minor bugfixes.
Build 1.0.0.1
[-] Fixed a problem in HTTP classifier.
Build 1.0
September 22, 2009 - Initial release.