sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License
386 stars 101 forks

sslproxy prematurely closing connections #15

Closed Mac-O-War closed 4 years ago

Mac-O-War commented 4 years ago

I have an environment that works with sslsplit. However I have been unable to get sslproxy to work in this same environment with TLS, HTTP, or TCP.

With sslproxy configured for HTTP and Wireshark running on the proxied network I see a request made followed by an immediate TCP RST from sslproxy. With Wireshark running on the Internet side I see that sslproxy completes the three-way handshake and then immediately sends a TCP FIN without transmitting any data.

With sslproxy configured for HTTPS I see similar behavior. The client hello is sent, the server hello is received, and then sslproxy sends an "Encrypted Alert" that appears to end the connection. I have not decrypted this alert because in this error case no key data gets written to masterkeys.log.

No indications of errors are output to the log. However, by enabling DDEBUG_PROXY I found the below error on line 687 of prototcp.c

prototcp_bev_eventcb_connected_srvdst: FAILED bufferevent_socket_connect for dst, fd=27

The function 'bufferevent_socket_connect' is returning -1

With a debugger I was able to see that at the time that error is printed, errno is set to 97 (Address family not supported by protocol)

I am uncertain of the cause. I can only theorize that maybe ctx->spec->conn_dst_addr on line 685 is the incorrect type? (struct sockaddr *)&ctx->spec->conn_dst_addr

sonertari commented 4 years ago

As you probably know, sslproxy uses a different mode of operation from sslsplit's. This enables sslproxy to divert/receive packets to/from a listening program. So, first things first, are you running a listening program, such as the sample listening program (lp) under the extra folder in the sources?
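The divert step described above, as an added example that is not the project's own lp program: a minimal Python listening program. It assumes the "SSLproxy:" header-line format from the project README (three [ip]:port pairs plus an s/p flag prepended to the first diverted packet), which this thread does not show; the listener must strip that line and connect back to the first address so the proxy can relay to the real server.

```python
"""Minimal SSLproxy-style listening program (added example, not the project's lp).

Assumed header format (from the SSLproxy README, not from this issue):
  b'SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[74.125.206.108]:443,s\r\n'
fields: proxy return address, original client, original server, s=TLS / p=plain.
"""
import re
import socket
import threading

HEADER_RE = re.compile(
    rb"^SSLproxy: \[([^\]]+)\]:(\d+),\[([^\]]+)\]:(\d+),\[([^\]]+)\]:(\d+),([sp])\r?\n")

def parse_sslproxy_line(data: bytes):
    """Split the SSLproxy line off the first packet.
    Returns (return_addr, client_addr, server_addr, is_tls, remaining_payload),
    or None when no header is present (a connection that sslproxy did not divert)."""
    m = HEADER_RE.match(data)
    if not m:
        return None
    g = m.groups()
    return ((g[0].decode(), int(g[1])), (g[2].decode(), int(g[3])),
            (g[4].decode(), int(g[5])), g[6] == b"s", data[m.end():])

def _pump(src, dst):
    # Relay bytes one way until EOF, then propagate the half-close.
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle_diverted(conn):
    first = conn.recv(65536)
    parsed = parse_sslproxy_line(first)
    if parsed is None:           # not diverted by sslproxy: refuse it
        conn.close()
        return
    return_addr, client_addr, server_addr, is_tls, payload = parsed
    # Inspection hook: plaintext is visible here even for TLS flows (is_tls).
    upstream = socket.create_connection(return_addr)   # back to sslproxy
    if payload:
        upstream.sendall(payload)
    threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
    _pump(upstream, conn)

def serve(host="127.0.0.1", port=8080):
    with socket.create_server((host, port)) as srv:  # divert target for sslproxy
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_diverted, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```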

Mac-O-War commented 4 years ago

You called it. Thank you! I did not notice the lp program. Now that I am intercepting to the lp program I am able to fully connect and communicate with web servers over http and https. I had incorrectly assumed that using an intercepting process was optional. Maybe an error message or warning message could inform the user that configuring an intercepting IP/port is mandatory.