droe / sslsplit

Transparent SSL/TLS interception
https://www.roe.ch/SSLsplit
BSD 2-Clause "Simplified" License

Error while writing full data content log to a file #65

Closed vmarteev closed 9 years ago

vmarteev commented 9 years ago

Firstly, thanks for a great tool. I'm experiencing a problem when I choose to write content log to a file.

I run sslsplit with following command: ./sslsplit -D -l ./connections.log -L ./connections_data.log -k my.key -c my.crt ssl 127.0.0.1 8443

It results in the following error message and nothing works:

Error from ioctl(DIOCNATLOOK): Operation not permitted Connection not found in NAT state table, aborting connection

However, when I run sslsplit with:

./sslsplit -D -l ./connections.log -S ./logdir -k my.key -c my.crt ssl 127.0.0.1 8443

It works fine! What am I doing wrong?

Thanks.

droe commented 9 years ago

That's a very system dependent problem; it means that ioctl(DIOCNATLOOK) on /dev/pf fails for some reason. Can you provide the output of uname -a and sslsplit -V?

vmarteev commented 9 years ago

Here you are:

uname -a

Darwin MacBook-Pro-5.local 14.0.0 Darwin Kernel Version 14.0.0: Fri Sep 19 00:26:44 PDT 2014; root:xnu-2782.1.97~2/RELEASE_X86_64 x86_64

sslsplit -V

SSLsplit 0.4.9 (built 2014-11-27)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
Build info: OSX:10.10.1 XNU:2782.1.97 V:GIT
Features: -DHAVE_PF
NAT engines: pf*
compiled against OpenSSL 1.0.1j 15 Oct 2014 (100010af)
rtlinked against OpenSSL 1.0.1j 15 Oct 2014 (100010af)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
8 CPU cores detected

droe commented 9 years ago

It's a bug. The difference between the two invocations is that SSLsplit automatically drops privileges to user nobody if you use -L, but not if you use -S, since with the latter, SSLsplit needs to create and open new log files for which it might not have permission as user nobody. However, the good old Unix trick of opening a file before dropping privileges and then writing to it as user nobody works for -L. The same is being done for /dev/pf, but it would appear that XNU (the OS X kernel) does not allow writes from user nobody to the file descriptor of /dev/pf opened by root. The same code works fine on FreeBSD. I will investigate why this is the case.

There is a workaround: add -u root to the command line. This will prevent SSLsplit from dropping privs to user nobody and the NAT lookups will work.

droe commented 9 years ago

For the record, Mac OS X / Darwin XNU kernel has the following check for super user privileges in pfioctl() in pf_ioctl.c:

if (kauth_cred_issuser(kauth_cred_get()) == 0)
    return (EPERM);

This basically checks whether the process has EUID == 0 at the time of calling ioctl(), as opposed to at the time of opening /dev/pf. From a Unix philosophy perspective, I would consider this a bug in XNU. However, SSLsplit will have to work around it, e.g. by disabling the automatic dropping to nobody if pf is used on Mac OS X, and warning if it is explicitly used through -u.
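The open-before-drop pattern and the Darwin/pf decision described in the two comments above, as an added example in C (not SSLsplit's own code): `decide_drop_policy`, `drop_privs` and `open_drop_write` are hypothetical names, and the helper only calls setgid/setuid when actually running as root.

```c
#include <fcntl.h>
#include <pwd.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* What the privilege-drop logic should decide, following the proposed fix:
 * pf on Darwin re-checks EUID on every ioctl(), so automatic dropping to
 * nobody must be skipped there; an explicit -u user other than root still
 * breaks NAT lookups and deserves a warning. (Hypothetical helper.) */
enum drop_policy { DROP_TO_NOBODY, KEEP_ROOT, DROP_WITH_WARNING };

enum drop_policy decide_drop_policy(int is_darwin, int uses_pf,
                                    const char *explicit_user)
{
    if (explicit_user && strcmp(explicit_user, "root") == 0)
        return KEEP_ROOT;              /* the "-u root" workaround */
    if (!(is_darwin && uses_pf))
        return DROP_TO_NOBODY;         /* FreeBSD etc.: open-before-drop suffices */
    return explicit_user ? DROP_WITH_WARNING : KEEP_ROOT;
}

/* Drop to an unprivileged user; a no-op when not root. Returns 0 on success.
 * A production drop would also reset supplementary groups via setgroups(). */
static int drop_privs(const char *user)
{
    if (geteuid() != 0)
        return 0;
    struct passwd *pw = getpwnam(user);
    if (!pw)
        return -1;
    return (setgid(pw->pw_gid) == -1 || setuid(pw->pw_uid) == -1) ? -1 : 0;
}

/* The "open before dropping privileges" pattern used for -L: the open(2)
 * done as root authorises later write(2) calls, which the kernel does not
 * re-check against the caller's EUID (unlike XNU's pfioctl()).
 * Returns the number of bytes written, or -1 on error. */
ssize_t open_drop_write(const char *path, const char *user, const char *msg)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0640);
    if (fd == -1)
        return -1;
    if (drop_privs(user) == -1) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n;
}
```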

rajhlinux commented 1 year ago

I also get

"Connection not found in NAT state table, aborting connection"

This is what I use on terminal: sslsplit -k ca.key -c ca.crt -D -l connect.log -S logdir -L sslsplit.log https 127.0.0.1 10443 http 127.0.0.1 10080

On FreeBSD 13.1

# sslsplit -V

SSLsplit 0.5.5 (built 2023-02-20)
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:FILE HDIFF:0 N:83c4edf
Features: -DHAVE_IPFILTER -DHAVE_IPFW -DHAVE_PF
NAT engines: pf* ipfw ipfilter
ipfilter: version 5010200
Local process info support: yes (FreeBSD sysctl)
compiled against OpenSSL 1.1.1o-freebsd  3 May 2022 (101010ff)
rtlinked against OpenSSL 1.1.1o-freebsd  3 May 2022 (101010ff)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.2
rtlinked against libnet 1.2
compiled against libpcap n/a
rtlinked against libpcap 1.9.1
8 CPU cores detected

uname -a

FreeBSD user.user.user 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64

Thanks.

sonertari commented 1 year ago

That usually happens if you cannot redirect traffic to sslsplit properly. Please read the man page paragraph starting with "SSLsplit does not automagically redirect any network traffic.", if you haven't yet.