droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

loading src server certificate failed #244

Status: Closed (fmaacmab closed this issue 5 years ago)

fmaacmab commented 5 years ago

Hi,

Straightforward, brand-new setup: a Windows 10 client using a Kali MITM box as its gateway. Traffic flows fine to and from the client to the Internet via Kali.

I get "loading src server certificate failed" on port 443 (the check is "if (SSL_CTX_use_certificate(sslctx, crt) != 1)"). Same behavior whether I use the Chrome browser or the Edge browser on the client, and also the same behavior when the request comes from a locally installed app that attempts authentication to a remote server via port 443.

I used https://blog.heckel.xyz/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/ for the basic configuration. The sslsplit certificate is installed in Trusted Root Certification Authorities on the Windows client.

Please let me know.

Thanks!

Attachments: ca_crt.txt, iptables_rules.txt, openssl_version.txt, sslsplit_command.txt, sslsplit_debug_output.txt, sslsplit_V.txt, uname_a.txt, ca.key.txt

sonertari commented 5 years ago

This may be related to OpenSSL 1.1.1 (see the comments on issue #242). But I couldn't test it, because I guess you have replaced the actual URL with company.net in the debug output, am I right? (My DNS server gives me a different IP for company.net, which goes to sedoparking.com anyway.) If so, can you send me the actual URL so I can test with LibreSSL at least?

fmaacmab commented 5 years ago

Hi, thank you very much for your reply!

While I cannot disclose the actual name/IP needed by the locally installed app (NDA related), I get the same behavior when using Google (https://www.google.com:443) in any locally installed browser on the Windows client; in my case I tested Chrome and Edge.

Thank you again for taking the time to reply!

sonertari commented 5 years ago

If google.com causes the same error, then I am almost certain that it is due to OpenSSL 1.1.1. Can you downgrade OpenSSL to, say, 1.1.0 to see if that fixes it? I hope you are able to downgrade OpenSSL, if this is urgent for you.

fmaacmab commented 5 years ago

Thank you, I will try a downgrade ASAP. Meanwhile, your LibreSSL comment made me curious; if you have some time and it's not too much trouble, can you perhaps give it a try and test it with LibreSSL?

Thanks!

fmaacmab commented 5 years ago

Hi, even after the downgrade I still get the same error. But at this point I don't think sslsplit is the problem.

Thanks for all your help!

droe commented 5 years ago

Duplicate of #248