droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

debug mode works well, daemon mode gives ssl warning immediately #280

Open laoshaw opened 3 years ago

laoshaw commented 3 years ago

basic info:

sslsplit -V
SSLsplit 0.5.5 (built 2020-11-17)
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:FILE HDIFF:0 N:83c4edf
Features: -DHAVE_NETFILTER -DWITHOUT_MIRROR
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1h  22 Sep 2020 (1010108f)
rtlinked against OpenSSL 1.1.1h  22 Sep 2020 (1010108f)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.11-stable
rtlinked against libevent 2.1.11-stable
1 CPU cores detected

uname
 Linux kernel 5.4.75 mips GNU/Linux

openssl version: 1.1.11h

libevent version: 2.1.11

Debug mode works as expected on the router; daemon mode always gave ssl-certificate warnings.

sonertari commented 3 years ago

AFAIK, there shouldn't be any such difference between debug and daemon modes. Can you enable the DEBUG_PROXY switch in GNUmakefile, recompile, try again, and see if it provides further info?