Closed vmarteev closed 9 years ago
That's a very system-dependent problem; it means that `ioctl(DIOCNATLOOK)` on `/dev/pf` fails for some reason. Can you provide the output of `uname -a` and `sslsplit -V`?
Here you are:

```
uname -a
Darwin MacBook-Pro-5.local 14.0.0 Darwin Kernel Version 14.0.0: Fri Sep 19 00:26:44 PDT 2014; root:xnu-2782.1.97~2/RELEASE_X86_64 x86_64
```

```
sslsplit -V
SSLsplit 0.4.9 (built 2014-11-27)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
Build info: OSX:10.10.1 XNU:2782.1.97 V:GIT
Features: -DHAVE_PF
NAT engines: pf*
compiled against OpenSSL 1.0.1j 15 Oct 2014 (100010af)
rtlinked against OpenSSL 1.0.1j 15 Oct 2014 (100010af)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
8 CPU cores detected
```
It's a bug. The difference between the two invocations is that SSLsplit automatically drops privileges to user `nobody` if you use `-L`, but not if you use `-S`, since with the latter, SSLsplit needs to create and open new log files, for which it might not have permission as user `nobody`. However, the good old Unix trick of opening a file before dropping privileges and then writing to it as user `nobody` works for `-L`. The same is being done for `/dev/pf`, but it would appear that XNU (the OS X kernel) does not allow writes from user `nobody` to the file descriptor of `/dev/pf` opened by root. The same code works fine on FreeBSD. I will investigate why this is the case.

There is a workaround: add `-u root` to the command line. This will prevent SSLsplit from dropping privs to user `nobody` and the NAT lookups will work.
For the record, the Mac OS X / Darwin XNU kernel has the following check for super user privileges in `pfioctl()` in `pf_ioctl.c`:

```c
/* credential of the calling thread is checked on every ioctl() */
if (kauth_cred_issuser(kauth_cred_get()) == 0)
        return (EPERM);
```

This basically checks whether the process has `EUID == 0` at the time of calling `ioctl()`, as opposed to at the time of opening `/dev/pf`. From a Unix philosophy perspective, I would consider this a bug in XNU. However, SSLsplit will have to work around it, e.g. by disabling the automatic dropping to `nobody` if pf is used on Mac OS X, and warning if it is explicitly used through `-u`.
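To make the sequence concrete, here is an added C illustration (not SSLsplit's own code) of the open-then-drop pattern and the workaround policy described in the two comments above: the device is opened while still root, privileges are dropped to the `-u` user, and the lookup is then attempted through the saved descriptor. The policy function models the proposed fix (keep root when pf is used on Mac OS X, warn if `-u` forces another user). The names `open_pf_device`, `drop_privileges`, `pf_nat_lookup` and `choose_run_user` are mine, the lookup fills in no real 4-tuple, and the pf headers are only pulled in on FreeBSD/OpenBSD, where they are part of the base system.

```c
/* Added illustration of "open /dev/pf before dropping privileges", then
 * DIOCNATLOOK through the saved fd. Not SSLsplit code. Assumes a user
 * "nobody" exists; the pf ioctl is compiled only where <net/pfvar.h> is
 * shipped (FreeBSD/OpenBSD assumed here), elsewhere it reports ENOSYS. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__)
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>
#include <net/pfvar.h>
#define HAVE_PF 1
#endif

/* Step 1: open the privileged device while still root. The descriptor
 * outlives the privilege drop. Returns fd or -1 with errno set. */
int open_pf_device(void)
{
    return open("/dev/pf", O_RDONLY);
}

/* Step 2: irreversible drop to an unprivileged user (what -u selects).
 * Returns 0 when dropped, 1 when not root (nothing to drop), -1 on error. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0)
        return 1;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    /* Order matters: supplementary groups, then gid, then uid. */
    if (setgroups(1, &pw->pw_gid) == -1 || setgid(pw->pw_gid) == -1 ||
        setuid(pw->pw_uid) == -1)
        return -1;
    return 0;
}

/* Step 3: query pf's NAT state table through the saved descriptor.
 * Returns 0 on success, otherwise the errno from ioctl(). On XNU the call
 * fails with EPERM once EUID != 0 because pfioctl() re-checks credentials
 * per call; the address fields are left zero here (constructed example),
 * so a successful call on FreeBSD reports ENOENT (no matching state). */
int pf_nat_lookup(int pffd)
{
#ifdef HAVE_PF
    struct pfioc_natlook nl;
    memset(&nl, 0, sizeof(nl));
    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;   /* saddr/daddr/ports would come from accept()ed socket */
    if (ioctl(pffd, DIOCNATLOOK, &nl) == -1)
        return errno;
    return 0;
#else
    (void)pffd;
    return ENOSYS;           /* no pf headers on this platform */
#endif
}

/* Model of the proposed workaround policy: on Mac OS X with the pf engine,
 * do not auto-drop to nobody; if -u forces a non-root user anyway, warn.
 * Returns the user to switch to, or NULL to stay root. */
const char *choose_run_user(int is_darwin, int using_pf,
                            const char *explicit_user, int *warn)
{
    *warn = 0;
    if (explicit_user != NULL) {
        int is_root = strcmp(explicit_user, "root") == 0;
        if (is_darwin && using_pf && !is_root)
            *warn = 1;       /* NAT lookups will fail with EPERM */
        return is_root ? NULL : explicit_user;
    }
    if (is_darwin && using_pf)
        return NULL;         /* stay root so DIOCNATLOOK keeps working */
    return "nobody";         /* default automatic drop */
}

int main(void)
{
#ifdef __APPLE__
    int is_darwin = 1;
#else
    int is_darwin = 0;
#endif
    int warn;
    const char *user = choose_run_user(is_darwin, 1, NULL, &warn);
    int pffd = open_pf_device();
    if (pffd == -1)
        perror("open /dev/pf");
    if (user != NULL && drop_privileges(user) == -1)
        perror("drop_privileges");
    if (pffd != -1) {
        int rc = pf_nat_lookup(pffd);
        printf("DIOCNATLOOK as euid %u: %s\n", (unsigned)geteuid(),
               rc ? strerror(rc) : "ok");
    }
    return 0;
}
```

Run as root on a pf system, the printed line shows which credential the kernel consulted: if the lookup after the drop comes back with "Operation not permitted", the kernel is checking at `ioctl()` time (the XNU behaviour in this issue), whereas a "No such file or directory" for the empty lookup means the descriptor opened as root was honoured.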
I also get `"Connection not found in NAT state table, aborting connection"`. This is what I use on the terminal:

```
sslsplit -k ca.key -c ca.crt -D -l connect.log -S logdir -L sslsplit.log https 127.0.0.1 10443 http 127.0.0.1 10080
```
On FreeBSD 13.1:

```
# sslsplit -V
SSLsplit 0.5.5 (built 2023-02-20)
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:FILE HDIFF:0 N:83c4edf
Features: -DHAVE_IPFILTER -DHAVE_IPFW -DHAVE_PF
NAT engines: pf* ipfw ipfilter
ipfilter: version 5010200
Local process info support: yes (FreeBSD sysctl)
compiled against OpenSSL 1.1.1o-freebsd 3 May 2022 (101010ff)
rtlinked against OpenSSL 1.1.1o-freebsd 3 May 2022 (101010ff)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.2
rtlinked against libnet 1.2
compiled against libpcap n/a
rtlinked against libpcap 1.9.1
8 CPU cores detected
```

```
uname -a
FreeBSD user.user.user 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64
```

Thanks.
That usually happens if you cannot redirect traffic to sslsplit properly. Please read the man page paragraph starting with "SSLsplit does not automagically redirect any network traffic.", if you haven't yet.
Firstly, thanks for a great tool. I'm experiencing a problem when I choose to write the content log to a file.

I run sslsplit with the following command:

```
./sslsplit -D -l ./connections.log -L ./connections_data.log -k my.key -c my.crt ssl 127.0.0.1 8443
```

It results in the following error message and nothing works:

```
Error from ioctl(DIOCNATLOOK): Operation not permitted
Connection not found in NAT state table, aborting connection
```

However, when I run sslsplit with:

```
./sslsplit -D -l ./connections.log -S ./logdir -k my.key -c my.crt ssl 127.0.0.1 8443
```

It works fine! What am I doing wrong?

Thanks.