droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License
1.75k stars, 328 forks

Error 24 on listener: Too many open files #23

Closed. stb1 closed this issue 10 years ago.

stb1 commented 10 years ago

Hello,

I've tried several options:

sudo sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

and also the minimized version:

sudo sslsplit -D -k ca.key -c ca.crt -P https 0.0.0.0 8443

After setting up my iptables and trying to connect to an SSL site, I read these messages:

kali@ip-X-X-X-X:~$ sudo sslsplit -D -k ca.key -c ca.crt -P https 0.0.0.0 8443
Generated RSA key for leaf certs.
SSLsplit 0.4.6 (built 2013-06-06)
Copyright (c) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.19-stable
rtlinked against libevent 2.0.19-stable
1 CPU cores detected
proxyspecs:

My iptables:

kali@ip-X-X-X-X:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

net.ipv4.ip_forward = 1

Version: Amazon EC2 Kali (1.0.6), and a virtual installation on a local VirtualBox from the 1.0.6 CD image

Thanks in advance

droe commented 10 years ago

Looks like you produced an endless loop in your netfilter config. You need to fix your netfilter config so that it does not redirect connections from sslsplit to the original destinations. Ways to do that include limiting the redirection rules to the incoming traffic interface, limiting them to a certain range of source IPs as in the manual page, or explicitly excluding connections originating on localhost. Which strategy works for you depends on your specific use case.

Not a bug, closing issue.

mailinglists35 commented 1 year ago

I don't even have iptables rules set up yet, and I still get this error.

mailinglists35 commented 1 year ago

I was doing a TCP connect test from localhost to sslsplit. Maybe that was normal behaviour?

sonertari commented 1 year ago

You need to redirect packets to sslsplit (sslsplit is not like a network proxy). The relevant paragraph in the sslsplit(1) man page is: https://github.com/droe/sslsplit/blob/e17de8454a65d2b9ba432856971405dfcf1e7522/sslsplit.1.in#L108 So if you haven't configured iptables yet, that seems like normal behavior.
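Both exchanges in this thread come down to the same mechanism: sslsplit is a transparent proxy, so whatever reaches its listener is treated as a redirected connection, and sslsplit connects onward to the original destination it reads back from the NAT layer. If that lookup hands it an address that lands on the listener again, either because a redirect rule also matches sslsplit's own outbound connections or because the connection was made straight to the listener with no NAT entry behind it, every hop opens further sockets until the process runs into its file-descriptor limit, which is the "Too many open files" (errno 24) in the title. The script below is an added example, not code from the sslsplit project or from the commenters: it emits the three rule layouts droe lists (bound to the incoming interface, bound to a client source range, and, for intercepting the host's own traffic, an OUTPUT chain that first exempts loopback and the proxy's own user) and lints an existing `iptables -t nat -S` dump for REDIRECT rules that carry no such restriction. The interface `eth1`, the subnet `192.168.56.0/24`, the user name `sslsplit`, the script name `rules.sh` and the lint criteria are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the sslsplit project): netfilter REDIRECT rules
# for sslsplit that cannot feed sslsplit's own upstream connections back into
# its listener, plus a linter for a rule dump in `iptables -t nat -S` form.
# Assumed values: client-facing interface eth1, client subnet 192.168.56.0/24,
# sslsplit running as user "sslsplit", listening on 8080 (http) / 8443 (https).
set -u

LAN_IF=${LAN_IF:-eth1}
CLIENT_NET=${CLIENT_NET:-192.168.56.0/24}
PROXY_USER=${PROXY_USER:-sslsplit}

# Print the command (default) or execute it (APPLY=1, needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit REDIRECT rules for one loop-avoidance strategy:
#   iface  : only traffic arriving on the client-facing interface
#   source : only traffic from the client subnet (as in sslsplit(1))
#   owner  : also intercept this host's own traffic, but exempt loopback and
#            everything sent by the sslsplit user before the REDIRECT applies
# sslsplit's upstream connections are locally generated and traverse the nat
# OUTPUT chain, so an OUTPUT redirect without such an exemption loops.
redirect_rules() {
    local strategy=$1
    case "$strategy" in
        iface)
            run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports 8080
            run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 443 -j REDIRECT --to-ports 8443
            ;;
        source)
            run iptables -t nat -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 80 -j REDIRECT --to-ports 8080
            run iptables -t nat -A PREROUTING -s "$CLIENT_NET" -p tcp --dport 443 -j REDIRECT --to-ports 8443
            ;;
        owner)
            run iptables -t nat -A OUTPUT -o lo -j RETURN
            run iptables -t nat -A OUTPUT -m owner --uid-owner "$PROXY_USER" -j RETURN
            run iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
            run iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8443
            ;;
        *) echo "unknown strategy: $strategy" >&2; return 2 ;;
    esac
}

# Lint `iptables -t nat -S` output on stdin. Reports a PREROUTING REDIRECT
# that is bound to neither an interface (-i) nor a source (-s), and an OUTPUT
# REDIRECT that is not preceded by an owner exemption (-m owner ... -j RETURN).
# Returns 0 when nothing was reported, 1 otherwise.
lint_rules() {
    local rc=0 guarded=0 line
    while IFS= read -r line; do
        case "$line" in
            "-A OUTPUT "*"-m owner"*"--uid-owner"*"-j RETURN"*) guarded=1 ;;
            "-A PREROUTING "*"-j REDIRECT"*)
                case "$line" in
                    *" -i "*|*" -s "*) ;;
                    *) echo "unrestricted PREROUTING redirect: $line"; rc=1 ;;
                esac ;;
            "-A OUTPUT "*"-j REDIRECT"*)
                if [ "$guarded" != 1 ]; then
                    echo "OUTPUT redirect without owner exemption: $line"; rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Usage: ./rules.sh iface|source|owner      (prints; APPLY=1 installs as root)
#        iptables -t nat -S | ./rules.sh lint
if [ -n "${1:-}" ]; then
    case "$1" in
        lint) lint_rules ;;
        *)    redirect_rules "$1" ;;
    esac
fi
```

Run with a strategy name to see the rules it would install, set `APPLY=1` and run as root to install them, and pipe `iptables -t nat -S` into `./rules.sh lint` to check what is already loaded. Fed the PREROUTING-only rule set from this issue (two REDIRECT rules matching any source on any interface), the linter reports both as unrestricted, which is the narrowing droe asks for; a host that additionally redirects its own traffic in OUTPUT needs the owner exemption, since the sslsplit user's own connections are the ones that would otherwise come back around.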