search

droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License
1.73k stars 327 forks source link

Error from src bufferevent: 0:- 337092801:193:no shared cipher:20:SSL routines:378:tls_post_process_client_hello #309

Closed lyc8503 closed 2 years ago

lyc8503 commented 2 years ago

I tried to use sslsplit to intercept tls traffic, after setup, the CA is installed and the traffic from my web browsers gets decrypted successfully. However the connection from the specific application failed to finish the TLS handshake.

After sending its TLS Client Hello the connection got terminated with an TLS Alert, and the debug log is attached below, it says no shared cipher. The cipher suite the specific application uses is TLS_RSA_WITH_RC4_128_SHA(0x0005) and TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00ff).

and I have no idea what to do now.

-   Output of `uname -a`

lyc@lyc-virtual-machine:~/sslsplit$ uname -a Linux lyc-virtual-machine 5.13.0-44-generic #49~20.04.1-Ubuntu SMP Wed May 18 18:44:28 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

-   Exact command line arguments used to run `sslsplit`

sudo ./sslsplit -D -l connect.log -j ~/test -S ~/test/logdir -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

-   Relevant part of debug mode (-D) output, if applicable

SNI peek: [n/a] [complete] Attempt reuse dst SSL session Connecting to [218.94.142.100]:443 ===> Original server certificate: Subject DN: /C=CN/ST=jiangsu/L=nanjing/O=Nanjing University/CN=.nju.edu.cn Common Names: .nju.edu.cn/.nju.edu.cn/nju.edu.cn Fingerprint: DB:6F:6D:23:AC:02:54:1B:06:0B:1D:2A:13:AB:95:B5:20:B7:3F:7A Certificate cache: HIT ===> Forged server certificate: Subject DN: /C=CN/ST=jiangsu/L=nanjing/O=Nanjing University/CN=.nju.edu.cn Common Names: .nju.edu.cn/.nju.edu.cn/nju.edu.cn Fingerprint: 94:98:3B:AA:D2:0A:2C:62:C5:7B:73:1A:31:AC:8A:86:E6:F0:05:AA SSL connected to [218.94.142.100]:443 TLSv1.1 ECDHE-RSA-AES256-SHA CLIENT_RANDOM 7F2228EE9A6C25FB2505A5AEE6E5685F50DF05B3B6217AD525496C5243683EFB C71677CD4B60F4583C312B590B884923BD74802854EFED6425F1C5B40EE4859B7F0CBF5C768D40B99FD9E7DBCF678F14 SSL session cache: MISS Error from src bufferevent: 0:- 337092801:193:no shared cipher:20:SSL routines:378:tls_post_process_client_hello Received privsep req type 01 sz 80 on srvsock 14 Additional SSL error: 1:1:(null):0:(null):0:(null) SSL_free() in state 00000001 = 0001 = SSLOK (SSL negotiation finished successfully) [connect socket] SSL disconnected to [218.94.142.100]:443 SSL disconnected from [192.168.1.4]:55886 SSL_free() in state 00000014 = 0014 = SSLERR (error) [accept socket]

-   NAT redirection rules you are using, if applicable

iptables -t nat -F iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

sonertari commented 2 years ago

OpenSSL documentation reads:

"Low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. All these cipher suites have been removed as of OpenSSL 1.1.0.

So, since RC4 is a LOW cipher:

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020
$ openssl ciphers -v 'LOW'
Error in cipher list
139784267822400:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2564:
lyc8503 commented 2 years ago

I have referred to the OpenSSL documentation but I didn't realize the RC4 is a LOW Cipher mentioned in it. I also tried to change SECLEVEL in openssl.cnf but ended no luck, it seems the RC4 is completely removed instead of just being disabled.

I will try recompile it using the args you mentioned in #299 . Thanks for your help a lot!

lyc8503 commented 2 years ago

Problem solved when I downgraded the OpenSSL to 1.0.2, Thanks!