droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

HTTPS failing because ClientHello cannot be parsed #288

Open mincymathew opened 3 years ago

mincymathew commented 3 years ago

[root@c240-wzp2322007 ~]# curl -v -x 172.29.148.11:10025 --key /root/ca.key --cert /root/ca.crt --tlsv1.2 https://172.22.254.126

sslsplit -D -l connections.log -j /tmp/sslsplit/ -S /tmp/sslsplit/ -P -k /home/mimathew/MyClient1.key -c /home/mimathew/MyClient1.pem autossl 172.29.148.11 10025 https 172.29.148.11 8443 173.36.240.184 443 http 172.29.148.11 8080 173.36.240.184 80

TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40139
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40137
TCP disconnected to [172.29.148.11]:10025
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40133
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40131
TCP disconnected from [172.29.148.11]:40135
TCP disconnected to [172.29.148.11]:10025
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40129
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40125
TCP disconnected from [172.29.148.11]:40127
Checking for a client hello
parsing buffer of sz 120
candidate at offset 0 : 43 : 4f : 4e : 4e : 45 : 43 : 54 : 20 : 31 : 37 : 32 : 2e : 32 : 32 : 2e : 32 : 35 : 34 : 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 20 : 48 : 54 : 54 : 50 : 2f : 31 : 2e : 31 : 0d : 0a : 48 : 6f : 73 : 74 : 3a : 20 : 31 : 37 : 32 : 2e : 32 : 32 : 2e : 32 : 35 : 34 : 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 0d : 0a : 55 : 73 : 65 : 72 : 2d : 41 : 67 : 65 : 6e : 74 : 3a : 20 : 63 : 75 : 72 : 6c : 2f : 37 : 2e : 32 : 39 : 2e : 30 : 0d : 0a : 50 : 72 : 6f : 78 : 79 : 2d : 43 : 6f : 6e : 6e : 65 : 63 : 74 : 69 : 6f : 6e : 3a : 20 : 4b : 65 : 65 : 70 : 2d : 41 : 6c : 69 : 76 : 65 : 0d : 0a : 0d : 0a
===> No match: rv 1, *clienthello NULL
Peek found no ClientHello
Received privsep req type 00 sz 1 on srvsock 15
Received privsep req type 00 sz 1 on srvsock 13
Child pid 175217 exited with status 0

SSLsplit fails to find a ClientHello. This goes on in a loop and SSLsplit finally exits.
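The peek that the log reports as "No match" can be replayed on the bytes it printed. The following is an added example written for this page, not sslsplit's own code: it reassembles the 120-byte candidate buffer from the hex dump above, applies the kind of check an autossl peek has to make (a TLS record header of type 0x16 followed by a type-1 handshake header) and, when that fails, looks for an HTTP request line instead. The ClientHello builder is constructed test input, and requiring the ClientHello to fit in a single record is a simplification of the real parser.

```python
"""Replay the ClientHello peek on the bytes from the sslsplit debug output.

Added example, not sslsplit code. PEEKED_HEX is the "candidate at offset 0"
dump from the log, with the interleaved "TCP disconnected" lines removed.
"""
import re
import struct

PEEKED_HEX = (
    "43 4f 4e 4e 45 43 54 20 "                                   # "CONNECT "
    "31 37 32 2e 32 32 2e 32 35 34 2e 31 32 36 3a 34 34 33 20 "  # "172.22.254.126:443 "
    "48 54 54 50 2f 31 2e 31 0d 0a "                             # "HTTP/1.1\r\n"
    "48 6f 73 74 3a 20 "                                         # "Host: "
    "31 37 32 2e 32 32 2e 32 35 34 2e 31 32 36 3a 34 34 33 0d 0a "
    "55 73 65 72 2d 41 67 65 6e 74 3a 20 "                       # "User-Agent: "
    "63 75 72 6c 2f 37 2e 32 39 2e 30 0d 0a "                    # "curl/7.29.0\r\n"
    "50 72 6f 78 79 2d 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 "     # "Proxy-Connection: "
    "4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d 0a"                  # "Keep-Alive\r\n\r\n"
)
PEEKED = bytes.fromhex(PEEKED_HEX)

TLS_HANDSHAKE = 0x16     # record content type
HS_CLIENT_HELLO = 0x01   # handshake message type


def find_client_hello(buf: bytes):
    """Return (offset, record_len) of a TLS ClientHello record in buf, or None.

    Checks what a peek has to check before starting TLS: content type 0x16,
    a 0x03xx record version, a plausible record length, and a handshake
    header of type 0x01 whose length fills the record (single-record case).
    """
    for off in range(max(0, len(buf) - 8)):
        ctype, major, minor, rlen = struct.unpack_from("!BBBH", buf, off)
        if ctype != TLS_HANDSHAKE or major != 0x03 or minor > 0x03:
            continue
        if rlen == 0 or rlen > 16384 + 2048:
            continue
        hs_type = buf[off + 5]
        hs_len = int.from_bytes(buf[off + 6:off + 9], "big")
        if hs_type != HS_CLIENT_HELLO or hs_len + 4 != rlen:
            continue
        return off, rlen
    return None


def classify(buf: bytes) -> str:
    """Name what the peeked bytes actually are."""
    if find_client_hello(buf) is not None:
        return "tls-client-hello"
    m = re.match(rb"([A-Z]+) (\S+) HTTP/1\.[01]\r\n", buf)
    if m:
        return "http-" + m.group(1).decode().lower()
    return "unknown"


def connect_target(buf: bytes):
    """For an HTTP CONNECT request, return the (host, port) the client wanted."""
    m = re.match(rb"CONNECT (\S+):(\d+) HTTP/1\.[01]\r\n", buf)
    return (m.group(1).decode(), int(m.group(2))) if m else None


def build_client_hello(sni: str) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello with one SNI entry."""
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext    # server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, random (zeros: test data)
        + b"\x00"                               # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression_methods: null
        + exts
    )
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(len(PEEKED), "bytes:", classify(PEEKED), connect_target(PEEKED))
    print(PEEKED.decode("ascii"))
    print("constructed ClientHello:", classify(build_client_hello("example.test")))
```

Run as is, the script reports the 120 peeked bytes as an HTTP CONNECT for 172.22.254.126:443 and prints them as the request curl sent: curl's -x option makes it speak HTTP to the proxy first, and the TLS ClientHello would only follow after a 200 response, which sslsplit (a transparent proxy, not an HTTP proxy) never sends.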

mincymathew commented 3 years ago

When I give a fwdaddr, the packet-looping issue goes away. How can this work for SSL requests coming in for multiple unknown destination servers? Perhaps I am configuring something wrong.

sonertari commented 3 years ago

I see that you have a proxyspec like autossl 172.29.148.11 10025 in your sslsplit command line, but then you also use the same IP:port pair 172.29.148.11:10025 as the proxy in your curl command line. That's not how you are supposed to redirect traffic to sslsplit. You should redirect traffic using a packet filtering rule, such as the following on OpenBSD/pf:

pass in log quick on $int_if proto tcp from $int_net to !$int_if port submission divert-to lo port 8466

Note that the above rule does not redirect the traffic destined to $int_if. But in your setup you do redirect it, and in fact, that's why you get an infinite redirection, I think. I have never used autossl with http/s, and the above pf rule is for smtp, but they should be similar. You can find sample packet filter rules on the sslsplit man page.
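To make the looping concrete, here is an added model (written for this page; not code from sslsplit, pf or netfilter) of the two ways traffic can reach the autossl listener: diverted by a packet filter rule, as intended, or pointed at the listener directly with curl -x, as in the issue. The model assumes what a transparent proxy does on both Linux and OpenBSD: the proxy asks the kernel for the connection's original destination and connects there, and for a connection that was never rewritten that lookup just returns the address the client connected to. Addresses and ports are the ones from the issue, the client address 172.29.148.20 is made up, and the rule is the pf rule above with port 443 in place of submission.

```python
"""Model of transparent redirection into sslsplit, showing where the repeated
"TCP disconnected to [172.29.148.11]:10025" comes from. Added illustration,
not code from sslsplit, pf or netfilter; see the assumptions in the text.
"""
from dataclasses import dataclass, field

GATEWAY = "172.29.148.11"   # $int_if address, where sslsplit listens
PROXY_PORT = 10025          # autossl proxyspec port from the issue
INT_NET = "172.29.148."     # $int_net; a prefix match is enough here
MAX_HOPS = 4                # give up after this many self-connections


@dataclass(frozen=True)
class DivertRule:
    """pass in on $int_if proto tcp from $int_net to !$int_if port <port> divert-to lo port <to_port>"""
    port: int
    to_port: int
    exclude_gateway: bool = True   # the "to !$int_if" part of the rule

    def matches(self, src: str, dst: str, dport: int) -> bool:
        if not src.startswith(INT_NET) or dport != self.port:
            return False
        return not (self.exclude_gateway and dst == GATEWAY)


@dataclass
class Gateway:
    rules: list
    # conntrack-style table: (src, sport) -> destination before any rewrite
    original_dst: dict = field(default_factory=dict)

    def deliver(self, src, sport, dst, dport, inbound):
        """Return the (host, port) a SYN lands on. Only packets arriving on
        $int_if pass the 'pass in' rules; the proxy's own upstream
        connections are locally generated and are not rewritten."""
        self.original_dst[(src, sport)] = (dst, dport)
        if inbound:
            for r in self.rules:
                if r.matches(src, dst, dport):
                    return GATEWAY, r.to_port
        return dst, dport

    def original(self, src, sport):
        """What sslsplit gets back when it asks the NAT engine (assumption:
        the unrewritten destination for a connection that was never NATed)."""
        return self.original_dst[(src, sport)]


def trace(gw: Gateway, client: str, dst: str, dport: int) -> list:
    """Follow one client connection hop by hop until it lands somewhere other
    than the proxy listener, or MAX_HOPS self-connections later."""
    hops = []
    src, sport, inbound = client, 40129, True     # ephemeral port taken from the log
    while len(hops) < MAX_HOPS:
        landed = gw.deliver(src, sport, dst, dport, inbound)
        hops.append(landed)
        if landed != (GATEWAY, PROXY_PORT):
            break
        # sslsplit accepted the connection: recover the original destination
        # and open its own upstream connection from the gateway host
        dst, dport = gw.original(src, sport)
        src, sport, inbound = GATEWAY, sport + 1, False
    return hops


def looped(hops: list) -> bool:
    """True when every hop landed back on the proxy listener."""
    return len(hops) == MAX_HOPS and all(h == (GATEWAY, PROXY_PORT) for h in hops)


def issue_setup() -> list:
    """curl -x 172.29.148.11:10025: the client connects to the proxy port itself."""
    gw = Gateway([DivertRule(443, PROXY_PORT)])
    return trace(gw, "172.29.148.20", GATEWAY, PROXY_PORT)


def redirected_setup() -> list:
    """Client connects to the real server; the rule diverts it into sslsplit."""
    gw = Gateway([DivertRule(443, PROXY_PORT)])
    return trace(gw, "172.29.148.20", "172.22.254.126", 443)


def gateway_service(exclude_gateway: bool) -> list:
    """Client connects to port 443 on the gateway itself, with and without 'to !$int_if'."""
    gw = Gateway([DivertRule(443, PROXY_PORT, exclude_gateway)])
    return trace(gw, "172.29.148.20", GATEWAY, 443)


if __name__ == "__main__":
    hops = issue_setup()
    print("curl -x at the listener:", hops, "(loops)" if looped(hops) else "")
    print("diverted by rule:       ", redirected_setup())
    print("to gateway, excluded:   ", gateway_service(True))
    print("to gateway, not excluded:", gateway_service(False))
```

In the issue setup every hop lands on 172.29.148.11:10025 again: nothing rewrote the connection, so the original-destination lookup hands sslsplit its own listener and it connects to itself until the child gives up, which is the sequence of "disconnected to [172.29.148.11]:10025" and "disconnected from [172.29.148.11]:401xx" lines in the log. With the divert rule the first hop lands on the listener and the second on 172.22.254.126:443, and that lookup is also what answers the question about unknown destination servers: the original destination is recovered per connection from the kernel, so no fwdaddr is needed. The "to !$int_if" exclusion keeps connections to the gateway's own services out of the proxy altogether.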