droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

[FR] Support adding extra SANs to generated certificates in pxyconn #261

Open aph3rson opened 4 years ago

aph3rson commented 4 years ago

Per the ssl_x509_forge function, it looks like there's support for adding extra SANs to the generated certificates:

https://github.com/droe/sslsplit/blob/657b70b4ac2a3559fda8c700e5b003094ef6ca3d/ssl.c#L966-L967

However, in pxyconn.c, this is always set to NULL if generating a new certificate for the first time (at least from what I can tell, my C's not great):

https://github.com/droe/sslsplit/blob/18399d7265b9d8c8d69eb221ca8b1d3555c475d6/pxyconn.c#L958-L963

In some instances (e.g. weird network routing topology/client options), a request might come in for a hostname which is not the hostname of the upstream server. In those instances, it might be nice to add a SAN to the generated certificates, e.g. with a command line option.

aph3rson commented 4 years ago

To make this a bit easier, it might be nicer to have options to put the forged name in the SAN field, or directly in the Subject field.
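As an added illustration (not code from sslsplit or from the reporter), the following models the name-matching rule a client applies to a forged leaf certificate, and why a request for a hostname absent from the upstream server's names fails until that name is added as an extra SAN. The `forge_names` helper, the `LeafNames` structure and all hostnames are constructed for this example; the matching follows RFC 6125, where the Subject CN is consulted only when the certificate carries no dNSName SAN.

```python
"""Hostname-to-certificate name matching as an RFC 6125-style client does it.

Shows the gap from the issue: a forged leaf that only copies the upstream
server's names is rejected when the client asked (via SNI) for a different
hostname, while appending that name as an extra SAN makes it match.
All names below are constructed sample values, not real hosts.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LeafNames:
    """The name-bearing parts of a leaf certificate that hostname checks use."""
    subject_cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    A single '*' is allowed only as the whole left-most label and covers exactly
    one label: '*.example.com' matches 'a.example.com' but neither
    'a.b.example.com' nor 'example.com'. Case-insensitive; trailing dots ignored.
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or p.count("*") != 1:
        return False  # reject partial ('f*o.example.com') or non-leading wildcards
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # a wildcard must not cover a public suffix such as '*.com'
    return p_labels[1:] == h_labels[1:]


def cert_covers_hostname(names: LeafNames, hostname: str) -> bool:
    """True if a client validating `hostname` would accept these certificate names.

    Per RFC 6125 section 6.4.4 the Subject CN is used only when the certificate
    has no dNSName SAN at all; current browsers ignore the CN entirely.
    """
    if names.san_dns:
        return any(_label_match(n, hostname) for n in names.san_dns)
    return names.subject_cn is not None and _label_match(names.subject_cn, hostname)


def forge_names(upstream: LeafNames, extra_sans: Optional[List[str]] = None) -> LeafNames:
    """Hypothetical model of the forging step: copy the upstream names and append
    the extra SANs that the issue asks to be supplied from the command line."""
    return LeafNames(subject_cn=upstream.subject_cn,
                     san_dns=list(upstream.san_dns) + list(extra_sans or []))
```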