sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

Child proc 18590 killed by signal 11 Error from bufferevent: 111:Connection refused 0:0:-:0:-:0 #30

Closed Leonschmitt closed 3 years ago

Leonschmitt commented 3 years ago

Hello, I am very new to this repo. I am a student and I want to use it for a university project, so I started trying things out.

First I wanted to know how to get the dynamic port, or where to find the dynamically generated port, to send the packets back to the proxy. So I used the lp program (test/testproxy). But whenever I tried to use the program with a logdir, I got the error "Child proc 22407 killed by signal 11". When I start the program without the "-S logdir" option, the program works. I don't know if this is a bug or if I am doing something wrong. Maybe the issue is more like a question.

I generated a .cer file and imported ca.crt into my client Firefox browser.

Run the lp program with: sudo lp -J -S logdir 127.0.0.1 1212

Btw, I'm in the directory and the logdir exists. I also tried it with the -L option, same result.

After that I ran SSLproxy with this input and tried to GET www.ebay.com: sudo sslproxy -D -k test.key -c test.crt -l connect.log -J -S logdir -Y pcaplogdir https 192.168.0.168 8443 up:1212

The output of the lp program immediately shows: Child proc 22407 killed by signal 11

As I mentioned above, if I run lp without the logdir option it works.

This is the output of SSLproxy: **sudo sslproxy -D -k test.key -c test.crt -l connect.log -J -S logdir -Y pcaplogdir https 192.168.0.168 8443 up:1212**

| Warning: -F requires a privileged operation for each connection!
| Warning: -Y requires a privileged operation for each connection!
| Privileged operations require communication between parent and child process
| and will negatively impact latency and performance on each connection.
SSLproxy v0.8.3-3-g1bb5bd2 (built 2021-07-15)
Copyright (c) 2017-2021, Soner Tari <sonertari@gmail.com>
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1d  10 Sep 2019 (1010104f)
rtlinked against OpenSSL 1.1.1d  10 Sep 2019 (1010104f)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13 
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.8-stable
rtlinked against libevent 2.1.8-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.8.1
compiled against sqlite 3.27.2
rtlinked against sqlite 3.27.2
4 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global SSL/TLS protocol: negotiate>=tls10<=tls13
proxyspecs:
- listen=[192.168.0.168]:8443 ssl|http netfilter
parent dst addr= [127.0.0.1]:1212
child src addr= [127.0.0.1]:0
opts=|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|||8192
SSL/TLS protocol: negotiate>=tls10<=tls13
Loaded CA: '/C=DE/ST=Germany/L=Regensburg/O=Uni/OU=Janet/CN=Cool/emailAddress=cool@cool.de'
Loaded ProxySpec CA: '/C=DE/ST=Germany/L=Regensburg/O=Uni/OU=Janet/CN=Cool/emailAddress=cool@cool.de'
SSL/TLS leaf certificates taken from:
- Global generated on the fly
Privsep fastpath disabled
Created self-pipe [r=4,w=5]
Created chld-pipe [r=6,w=7]
Created socketpair 0 [p=8,c=9]
Created socketpair 1 [p=10,c=11]
Created socketpair 2 [p=12,c=13]
Created socketpair 3 [p=14,c=15]
Created socketpair 4 [p=16,c=17]
Created socketpair 5 [p=18,c=19]
Privsep parent pid 30856
Privsep child pid 30869
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 5 on srvsock 8
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 10
Received privsep req type 00 sz 1 on srvsock 18
Inserted events:
  0x10e59e8 [fd  5] Read Persist Internal
  0x10e5b04 [fd  7] Read Persist Internal
  0x10e5f74 [fd  8] Read Persist
  0x10db868 [sig 1] Signal Persist
  0x10dba48 [sig 2] Signal Persist
  0x10c9708 [sig 3] Signal Persist
  0x10ddfa0 [sig 10] Signal Persist
  0x10dbac0 [sig 13] Signal Persist
  0x10e0040 [sig 15] Signal Persist
  0x10e7180 [fd  -1] Persist Timeout=1626435824.931029
Active events:
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.
STATS: thr=0, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
STATS: thr=1, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
STATS: thr=6, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
STATS: thr=4, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
STATS: thr=7, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
STATS: thr=2, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
STATS: thr=3, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
STATS: thr=5, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=0
SNI peek: [www.ebay.de] [complete], fd=45
Connecting to [84.53.189.188]:443
===> Original server certificate:
Subject DN: /C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
Common Names: www.ebay.com/www.ebay.com/aka-sandbox.ebay.com/cache.ebay.com/cache.vivanuncios.com.mx/careers.ebayinc.com/cdn.roma.ebay.com/cr.qa.ebaystatic.com/dsa.ebay.co.uk/dsa.ebay.com/dsa.ebay.de/ebay.com.au/ebay.us/ebaypartnernetwork.ebay.com/ecg-api.vivanuncios.com.mx/ecg-apis.vivanuncios.com.mx/feed.ebay.com.au/galleryplus.ebayimg.com/gh.ebaystatic.com/ir.ebaystatic.com/ir.sandbox.ebaystatic.com/m.ebay.at/m.ebay.ca/m.ebay.ie/m.ebay.ph/p.ebaystatic.com/pages.ebay.ca/pages.ebay.com.au/pages.ebay.in/partnernetwork.ebay.co.uk/partnernetwork.ebay.com/partnernetwork.ebay.com.au/partnernetwork.ebay.de/partnernetwork.ebay.es/partnernetwork.ebay.fr/partnernetwork.ebay.it/pics.ebaystatic.com/poc.ebay.com/protool.vivanuncios.com.mx/q.ebaystatic.com/reco.ebay.com/rest.ebay.com/rs.sandbox.ebaystatic.com/rs.xstage.ebaystatic.com/rtm.ebaystatic.com/securepics.ebaystatic.com/securertm.ebaystatic.com/sslgalleryplus.ebayimg.com/static.ebayinc.com/tech.ebayinc.com/vivanuncios.com.mx/vmp.ebay.com/www.befr.ebay.be/www.benl.ebay.be/www.cafr.ebay.ca/www.ebay.at/www.ebay.be/www.ebay.ca/www.ebay.ch/www.ebay.co.uk/www.ebay.com.au/www.ebay.com.hk/www.ebay.com.my/www.ebay.com.sg/www.ebay.de/www.ebay.es/www.ebay.fr/www.ebay.ie/www.ebay.in/www.ebay.it/www.ebay.nl/www.ebay.ph/www.ebay.pl/www.ebay.us/www.ebayinc.com/www.vivanuncios.com.mx
Fingerprint: DD:AC:89:D2:F5:70:7C:BF:A4:6C:4C:3B:42:0E:F1:7E:F4:56:FB:C5
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /C=US/ST=California/L=San Jose/O=eBay, Inc./CN=www.ebay.com
Common Names: www.ebay.com/www.ebay.com/aka-sandbox.ebay.com/cache.ebay.com/cache.vivanuncios.com.mx/careers.ebayinc.com/cdn.roma.ebay.com/cr.qa.ebaystatic.com/dsa.ebay.co.uk/dsa.ebay.com/dsa.ebay.de/ebay.com.au/ebay.us/ebaypartnernetwork.ebay.com/ecg-api.vivanuncios.com.mx/ecg-apis.vivanuncios.com.mx/feed.ebay.com.au/galleryplus.ebayimg.com/gh.ebaystatic.com/ir.ebaystatic.com/ir.sandbox.ebaystatic.com/m.ebay.at/m.ebay.ca/m.ebay.ie/m.ebay.ph/p.ebaystatic.com/pages.ebay.ca/pages.ebay.com.au/pages.ebay.in/partnernetwork.ebay.co.uk/partnernetwork.ebay.com/partnernetwork.ebay.com.au/partnernetwork.ebay.de/partnernetwork.ebay.es/partnernetwork.ebay.fr/partnernetwork.ebay.it/pics.ebaystatic.com/poc.ebay.com/protool.vivanuncios.com.mx/q.ebaystatic.com/reco.ebay.com/rest.ebay.com/rs.sandbox.ebaystatic.com/rs.xstage.ebaystatic.com/rtm.ebaystatic.com/securepics.ebaystatic.com/securertm.ebaystatic.com/sslgalleryplus.ebayimg.com/static.ebayinc.com/tech.ebayinc.com/vivanuncios.com.mx/vmp.ebay.com/www.befr.ebay.be/www.benl.ebay.be/www.cafr.ebay.ca/www.ebay.at/www.ebay.be/www.ebay.ca/www.ebay.ch/www.ebay.co.uk/www.ebay.com.au/www.ebay.com.hk/www.ebay.com.my/www.ebay.com.sg/www.ebay.de/www.ebay.es/www.ebay.fr/www.ebay.ie/www.ebay.in/www.ebay.it/www.ebay.nl/www.ebay.ph/www.ebay.pl/www.ebay.us/www.ebayinc.com/www.vivanuncios.com.mx
Fingerprint: 77:59:E9:85:D8:EE:22:49:0B:AE:D1:93:72:1E:05:20:53:41:09:89
HTTPS connected to [84.53.189.188]:443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
CLIENT_RANDOM A59BF6ACD8C1D7AA67246320C0AFC5AE93F64915DF353F7BD33E3BE8F6A19B57 616513BAAB6974CCF41A1CAB36B975939ACF9159BC0BFC124C16552434C3FDCF3768D87E8B65849C8B3A776939D79223
Received privsep req type 01 sz 92 on srvsock 14
Received privsep req type 01 sz 97 on srvsock 16
Certificate cache: KEEP (SNI match or target mode)
HTTPS connected to [84.53.189.188]:443 TLSv1.3 TLS_CHACHA20_POLY1305_SHA256
CLIENT_RANDOM 39BE8F1F724A9D97BDBF67F87CC0125662AE87DB13D118F4947EEE080FFD9A9D 30B9FEC22A4614687311720882693E5783CFCAB469D5E62FE41ACA64AE4361439C7C89B4D0DDF1B3007228F1C8DDF0B3
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [accept socket]
HTTPS disconnected to [84.53.189.188]:443, fd=45
HTTPS disconnected from [192.168.0.238]:40098, fd=45
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [connect socket]
SNI peek: [www.ebay.de] [complete], fd=45
Connecting to [84.53.189.188]:443
Attempt reuse dst SSL session
Client-side BEV_EVENT_ERROR
Error from bufferevent: 111:Connection refused 0:0:-:0:-:0:-
HTTPS disconnected to [-]:-, fd=45
HTTPS disconnected from [192.168.0.238]:40100, fd=45
SSL_free() in state 00000001 = 0001 = SSLOK  (SSL negotiation finished successfully) [connect socket]
STATS: thr=1, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=1
STATS: thr=4, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=1
STATS: thr=3, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=1
STATS: thr=2, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=1
STATS: thr=5, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=1
STATS: thr=7, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=1
STATS: thr=6, mld=0, mfd=0, mat=0, mct=0, iib=0, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=0, si=1
STATS: thr=0, mld=1, mfd=48, mat=0, mct=0, iib=1714, iob=0, eib=0, eob=0, swm=0, uwm=0, to=0, err=1, si=1

All this leads me to another question. Where exactly is the dynamically created port located within a packet? I know the documentation says it is inserted in the first packet, but looking at the logs and pcaplog, I can't find the information about the port in the first TCP packet. I only see the port information in the HTTP packets, but I don't know how to find them within the TCP packets. Can you please specify where to find the ports within the TCP packets sent to the LP, so that I can program an LP that sends the packets back to the proxy for my purpose?

I hope you can help me in this matter.

Best regards

sonertari commented 3 years ago

It's a bug; content logging with TCP is broken.

I have investigated TCP connections with content logging enabled. Content logging needs to be initialized before writing any content, obviously. This initialization is done in the connect event handler. But in TCP connections the read callback for src fires before the connect event callback for dst does. In brief, we are trying to write content before init.

Since TCP is not encrypted, I don't use content logging for it, hence never noticed this issue. This bug should exist in sslproxy too. But, content logging for encrypted connections should work fine in sslproxy.

I will fix it asap. But until then I suggest that you use tcpdump or a similar program to listen on port 1212 in your setup.

The SSLproxy line is the second line in HTTP connections, right after, say, the GET line for ebay.com in your tests.

Thanks for reporting.

Leonschmitt commented 3 years ago

Thank you very much for your quick reply. I have one more question in this context. Did I understand it correctly that I need to recover the HTTP packets from the TCP packets which are sent to my self-written LP (via sockets) to get the SSLproxy line with the dynamically generated port, in order to send the packets back to the proxy in the next step?

sonertari commented 3 years ago

Can you try the develop branch now? Content logging in lp must be fixed now, except that it is initialized before dst info is ready, so the filenames with -S and -F options will be missing dst addresses. I should probably make lp behave similarly to sslproxy.

Btw, content logging in sslproxy is fine, because sslproxy does not enable readcb until after connect eventcb.

sonertari commented 3 years ago

Yes, your LP will receive decrypted HTTP (TCP) packets, which will have an SSLproxy line in the first packet, which in turn will contain the dynamically assigned IP address as the first address in it, so you can return the first and subsequent packets to sslproxy listening on that address.
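A minimal listening program that does what the two replies above describe: read the diverted stream, take the first address out of the SSLproxy line (the second header line, right after the request line), connect back to that address and relay the request and response. This is an added example, not SSLproxy's own lp from test/testproxy. It assumes the SSLproxy line format documented in the project README (`SSLproxy: [ip]:port,[ip]:port,[ip]:port,s|p`, return listener first, then client, then server), that the LP binds 127.0.0.1:1212 as in the report's `up:1212`, and that the LP removes the SSLproxy line before returning the data; the sample request bytes in the comments are constructed from the addresses in this report. On the question of where the port sits inside the TCP packets: nothing has to be dug out of individual segments, because the kernel reassembles the stream, so a plain socket read returns the decrypted HTTP bytes and the line is found by reading until the end of the header block.

```python
import re
import socket
import threading

# Header line sslproxy inserts (format taken from the project README):
#   SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[74.125.69.139]:443,s
# First address: sslproxy's per-connection return listener; second: the
# original client; third: the original server; flag s = was TLS, p = plain.
SSLPROXY_LINE = re.compile(
    rb"^SSLproxy: \[([^\]]+)\]:(\d+),\[([^\]]+)\]:(\d+),\[([^\]]+)\]:(\d+),([sp])\r?\n",
    re.MULTILINE,
)

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 64 * 1024  # refuse to buffer unbounded "headers"


def parse_sslproxy_line(data):
    """Return (return_addr, client_addr, server_addr, was_tls) from the
    SSLproxy line in the buffered request, or None if it is not present.
    Addresses are (host, port) tuples usable with socket.create_connection()."""
    m = SSLPROXY_LINE.search(data)
    if m is None:
        return None
    ra, rp, ca, cp, sa, sp, flag = m.groups()
    return ((ra.decode(), int(rp)), (ca.decode(), int(cp)),
            (sa.decode(), int(sp)), flag == b"s")


def strip_sslproxy_line(data):
    """Drop the SSLproxy line so what goes back is the client's own request.
    (Assumption made by this example: the LP removes the line itself.)"""
    return SSLPROXY_LINE.sub(b"", data, count=1)


def read_until_headers(sock):
    """Read from the socket until the end of the HTTP header block. The
    socket already delivers the decrypted request as a reassembled byte
    stream, so no TCP segment reassembly is needed in the LP."""
    buf = b""
    while HEADER_END not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if len(buf) > MAX_HEADER_BYTES:
            raise ValueError("header block too large, refusing to buffer more")
    return buf


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(conn):
    """One diverted connection: find the return address, send the request
    back to sslproxy there, then relay both directions until EOF."""
    with conn:
        head = read_until_headers(conn)
        parsed = parse_sslproxy_line(head)
        if parsed is None:
            return  # not an sslproxy-tagged stream; drop it
        return_addr, client, server, was_tls = parsed
        print("client %s -> server %s (tls=%s), returning via %s"
              % (client, server, was_tls, return_addr))
        with socket.create_connection(return_addr) as back:
            back.sendall(strip_sslproxy_line(head))
            t = threading.Thread(target=_pump, args=(back, conn), daemon=True)
            t.start()
            _pump(conn, back)  # client request body, if any
            t.join()           # server response


def serve(bind=("127.0.0.1", 1212)):
    """Listen where sslproxy was told to divert (up:1212 in the report)."""
    with socket.socket() as ls:
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind(bind)
        ls.listen(64)
        while True:
            c, _ = ls.accept()
            threading.Thread(target=handle, args=(c,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it in place of lp while sslproxy is started with `up:1212`; the print in `handle` shows, per connection, the original client and server and the dynamic return address that was parsed. Inspection or modification of the request belongs between `read_until_headers` and `back.sendall`, which is the point where the whole header block is in hand.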

Leonschmitt commented 3 years ago

I have just tested the development branch. The content logging of lp is now fixed in the development branch. Thanks for answering my questions; that will help me a lot. Now I just need to write a program that reassembles the TCP packets into HTTP packets to get the dynamically generated port.

sonertari commented 3 years ago

Great, so I am closing this issue, thanks again for reporting.