sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

Child pid 24502 killed by signal 11 #40

Closed swiftbird07 closed 2 years ago

swiftbird07 commented 2 years ago

Hey it's me again :) I installed SSLProxy and finally got my divert rules in pfSense in order, so traffic is actually received by SSLProxy now, yea :) But the problem is that on every connection SSLProxy just crashes:

Certificate cache: MISS
Child pid 24502 killed by signal 11

I really don't know what that means and would appreciate any help!

Here is all the debug/logging:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

-   List of failing unit tests in `make test` output

make -C src
make[1]: Entering directory '/root/SSLproxy/src'
SSLproxy v0.9.2-3-g3dea854
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE: /usr
Build options: -DHAVE_NETFILTER
Build info: V:GIT
uname -a: Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
cc -c -isystem/usr/include -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-01\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib -pthread -o sslproxy base64.o build.o cache.o cachedsess.o cachefkcrt.o cachemgr.o cachessess.o cachetgcrt.o cert.o dynbuf.o filter.o log.o logbuf.o logger.o logpkt.o main.o nat.o opts.o privsep.o proc.o protoautossl.o protohttp.o protopassthrough.o protopop3.o protosmtp.o protossl.o prototcp.o proxy.o pxyconn.o pxythr.o pxythrmgr.o ssl.o sys.o thrqueue.o url.o util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3
make[1]: Leaving directory '/root/SSLproxy/src'
make unittest
make[1]: Entering directory '/root/SSLproxy'
make -C src
make[2]: Entering directory '/root/SSLproxy/src'
SSLproxy v0.9.2-3-g3dea854
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE: /usr
Build options: -DHAVE_NETFILTER
Build info: V:GIT
uname -a: Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
cc -c -isystem/usr/include -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-01\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib -pthread -o sslproxy base64.o build.o cache.o cachedsess.o cachefkcrt.o cachemgr.o cachessess.o cachetgcrt.o cert.o dynbuf.o filter.o log.o logbuf.o logger.o logpkt.o main.o nat.o opts.o privsep.o proc.o protoautossl.o protohttp.o protopassthrough.o protopop3.o protosmtp.o protossl.o prototcp.o proxy.o pxyconn.o pxythr.o pxythrmgr.o ssl.o sys.o thrqueue.o url.o util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3
make[2]: Leaving directory '/root/SSLproxy/src'
make -C tests/check
make[2]: Entering directory '/root/SSLproxy/tests/check'
SSLproxy v0.9.2-3-g3dea854
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE: /usr
Build options: -DHAVE_NETFILTER
Build info: V:GIT
uname -a: Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
cc -L/usr/lib -pthread -pthread -o sslproxy.test base64.t.o cachedsess.t.o cachefkcrt.t.o cachemgr.t.o cachessess.t.o cachetgcrt.t.o cert.t.o defaults.t.o dynbuf.t.o filter.t.o filterstruct.t.o logbuf.t.o main.t.o opts.t.o proto.t.o pxythrmgr.t.o ssl.t.o sys.t.o url.t.o util.t.o ../../src/base64.o ../../src/build.o ../../src/cache.o ../../src/cachedsess.o ../../src/cachefkcrt.o ../../src/cachemgr.o ../../src/cachessess.o ../../src/cachetgcrt.o ../../src/cert.o ../../src/dynbuf.o ../../src/filter.o ../../src/log.o ../../src/logbuf.o ../../src/logger.o ../../src/logpkt.o ../../src/nat.o ../../src/opts.o ../../src/privsep.o ../../src/proc.o ../../src/protoautossl.o ../../src/protohttp.o ../../src/protopassthrough.o ../../src/protopop3.o ../../src/protosmtp.o ../../src/protossl.o ../../src/prototcp.o ../../src/proxy.o ../../src/pxyconn.o ../../src/pxythr.o ../../src/pxythrmgr.o ../../src/ssl.o ../../src/sys.o ../../src/thrqueue.o ../../src/url.o ../../src/util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3 -lcheck_pic -lrt -lm -lsubunit
make -C engine
make[3]: Entering directory '/root/SSLproxy/tests/check/engine'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/root/SSLproxy/tests/check/engine'
make -C pki testreqs
make[3]: Entering directory '/root/SSLproxy/tests/check/pki'
rm -f rsa.srl
make[3]: Leaving directory '/root/SSLproxy/tests/check/pki'
./sslproxy.test
Running suite(s):
 main
 opts
 filter
 filter_struct
 dynbuf
 logbuf
 cert
 cachemgr
 cachefkcrt
 cachetgcrt
 cachedsess
 cachessess
 ssl
 sys
 base64
 url
 util
 pxythrmgr
 defaults
 proto
100%: Checks: 212, Failures: 0, Errors: 0
make[2]: Leaving directory '/root/SSLproxy/tests/check'
make[1]: Leaving directory '/root/SSLproxy'
make e2etest
make[1]: Entering directory '/root/SSLproxy'
make -C src
make[2]: Entering directory '/root/SSLproxy/src'
SSLproxy v0.9.2-3-g3dea854
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE: /usr
Build options: -DHAVE_NETFILTER
Build info: V:GIT
uname -a: Linux pHellcat 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
cc -c -isystem/usr/include -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-01\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib -pthread -o sslproxy base64.o build.o cache.o cachedsess.o cachefkcrt.o cachemgr.o cachessess.o cachetgcrt.o cert.o dynbuf.o filter.o log.o logbuf.o logger.o logpkt.o main.o nat.o opts.o privsep.o proc.o protoautossl.o protohttp.o protopassthrough.o protopop3.o protosmtp.o protossl.o prototcp.o proxy.o pxyconn.o pxythr.o pxythrmgr.o ssl.o sys.o thrqueue.o url.o util.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3
make[2]: Leaving directory '/root/SSLproxy/src'
make -C tests/testproxy
make[2]: Entering directory '/root/SSLproxy/tests/testproxy'
/bin/sh: 1: /root/.cargo/bin/testproxy: not found
/bin/sh: 1: /root/.cargo/bin/testproxy: not found
GNUmakefile:6: Use Testproxy v0.0.4 with this version of SSLproxy, found . Stop.
make[2]: Leaving directory '/root/SSLproxy/tests/testproxy'
make[1]: [GNUmakefile:20: e2etest] Error 2
make[1]: Leaving directory '/root/SSLproxy'
make: *** [GNUmakefile:14: test] Error 2

^- Don't know if this is an indication of a failed build or if some test files are missing...

My config "default.cnf":

ProxySpec {
    Proto https
    Addr 0.0.0.0       # inline
    Port 8443       # comments

    # Divert or split
    Divert no

    # Connection options
    CACert Cloud+SwiftBird+SSLProxy+CA.crt
    CAKey Cloud+SwiftBird+SSLProxy+CA.key
    UserAuth no

FilterRule {
    Action Split
    SrcIp *
    DstIp *
    Log *
    CACert Cloud+SwiftBird+SSLProxy+CA.crt
    CAKey Cloud+SwiftBird+SSLProxy+CA.key
    UserAuth no
}
}

sonertari commented 2 years ago

Can you please enable the DEBUG_PROXY switch in Mk/main.mk, rebuild sslproxy, start it with the -D4 option, and post the very verbose debug logs of the crash?

swiftbird07 commented 2 years ago

Here it is:

SSLproxy v0.9.2-3-g3dea854-dirty (built 2022-04-02)
Copyright (c) 2017-2021, Soner Tari <sonertari@gmail.com>
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DDEBUG_PROXY -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1j  16 Feb 2021 (101010af)
rtlinked against OpenSSL 1.1.1j  16 Feb 2021 (101010af)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13 
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.10.0 (with TPACKET_V3)
compiled against sqlite 3.34.1
rtlinked against sqlite 3.34.1
2 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:
- listen=[0.0.0.0]:8443 ssl|http netfilter
return addr= [127.0.0.1]:0
opts= conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
split||
filter rule 0: dstip=, dstport=, srcip=, user=, desc=, exact=||||, all=conns||sites|, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=2, line=14
  conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
filter=>
userdesc_filter_exact->
userdesc_filter_substring->
user_filter_exact->
user_filter_substring->
desc_filter_exact->
desc_filter_substring->
user_filter_all->
ip_filter_exact->
ip_filter_substring->
filter_all->
    ip all:
      0:  (all_sites, substring, action=|split|||, log=connect|master|cert|content|pcap|mirror, precedence=2, line=14
        conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192)

No Global CA loaded.
Loaded ProxySpec CA: '/CN=internal-ca/C=DE'
Loaded FilterRule CA: '/CN=internal-ca/C=DE'
SSL/TLS leaf certificates taken from:
- Global connection drop
Privsep fastpath disabled
Created self-pipe [r=4,w=5]
Created chld-pipe [r=6,w=7]
Created socketpair 0 [p=8,c=9]
Created socketpair 1 [p=10,c=11]
Created socketpair 2 [p=12,c=13]
Created socketpair 3 [p=14,c=15]
Created socketpair 4 [p=16,c=17]
Created socketpair 5 [p=18,c=19]
Privsep parent pid 26626
Privsep child pid 26627
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
[FINEST] proxy_listener_setup: ENTER
Received privsep req type 03 sz 9 on srvsock 8
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 10
Received privsep req type 00 sz 1 on srvsock 14
Received privsep req type 00 sz 1 on srvsock 16
Received privsep req type 00 sz 1 on srvsock 18
Inserted events:
  0x555e2bfed338 [fd  5] Read Persist Internal
  0x555e2bfed510 [fd  7] Read Persist Internal
  0x555e2bfe89a8 [fd  8] Read Persist
  0x555e2bfeab90 [sig 1] Signal Persist
  0x555e2bfbed20 [sig 2] Signal Persist
  0x555e2bfea050 [sig 3] Signal Persist
  0x555e2bfe3f00 [sig 10] Signal Persist
  0x555e2bfe6d50 [sig 13] Signal Persist
  0x555e2bfe5dc0 [sig 15] Signal Persist
  0x555e2bfeb9f0 [fd  -1] Persist Timeout=1648892081.268698
Active events:
Initialized 4 connection handling threads
Started 4 connection handling threads
Starting main event loop.
[FINEST] pxy_thr_timer_cb: thr=0, load=0, to=0
[FINEST] pxy_thr_timer_cb: thr=1, load=0, to=0
[FINEST] pxy_thr_timer_cb: thr=3, load=0, to=0
[FINEST] pxy_thr_timer_cb: thr=2, load=0, to=0
[FINEST] proxy_listener_acceptcb: ENTER, fd=27
[FINEST] proxy_conn_ctx_new: ENTER, fd=27
[FINEST] [0.0 fd=27 cfd=0] proxy_conn_ctx_new: Created new conn
[FINEST] [0.0 fd=27 cfd=0] pxy_thrmgr_assign_thr: ENTER
[FINEST] [0.0 fd=27 cfd=0] protossl_init_conn: ENTER
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_init: ENTER
[FINEST] [0.0 fd=27 cfd=0] pxy_thr_attach: Adding conn
[FINER] [0.0 fd=27 cfd=0] check_fd_usage: descriptor_table_size=1024, dtablecount=29, reserve=10
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_init: srcaddr= [10.21.0.3]:58145
[FINEST] [0.0 fd=27 cfd=0] protossl_fd_readcb: ENTER
SNI peek: [login.live.com] [complete], fd=27
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_connect: ENTER
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter: Searching ip exact: 10.21.0.3
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter: Searching ip substring: 10.21.0.3
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter: Searching all
[FINE] [0.0 fd=27 cfd=0] pxy_conn_filter_match_ip: Found site (line=14):  for 10.21.0.3:58145, 20.190.159.73:443
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter_match_ip: Match all dst (line=14): , 20.190.159.73
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter_port: No filter match with port: 10.21.0.3:58145, 20.190.159.73:443
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter split action for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable connect log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable master log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable cert log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable content log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable pcap log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable mirror log for 20.190.159.73, precedence 2 (line=14)
Connecting to [20.190.159.73]:443
[FINEST] [0.0 fd=27 cfd=0] protossl_conn_connect: ENTER
[FINEST] [0.0 fd=27 cfd=0] protossl_bufferevent_setup: ENTER, fd=-1
[FINEST] [0.0 fd=27 cfd=0] protossl_bufferevent_setup: bufferevent_openssl_set_allow_dirty_shutdown, fd=-1
[FINEST] [0.0 fd=27 cfd=0] protossl_bev_eventcb_connected_srvdst: ENTER
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter: Searching ip exact: 10.21.0.3
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter: Searching ip substring: 10.21.0.3
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter: Searching all
[FINE] [0.0 fd=27 cfd=0] pxy_conn_filter_match_ip: Found site (line=14):  for 10.21.0.3:58145, 20.190.159.73:443
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter_match_ip: Match all dst (line=14): , 20.190.159.73
[FINEST] [0.0 fd=27 cfd=0] pxy_conn_filter_port: No filter match with port: 10.21.0.3:58145, 20.190.159.73:443
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter split action for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable connect log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable master log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable cert log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable content log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable pcap log for 20.190.159.73, precedence 2 (line=14)
[FINE] [0.0 fd=27 cfd=0] pxy_conn_set_filter_action: Filter enable mirror log for 20.190.159.73, precedence 2 (line=14)
===> Original server certificate:
Subject DN: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=graph.windows.net
Common Names: graph.windows.net/graph.windows.net/*.aadg.windows.net/*.aadkds.ppe.reporting.msidentity.com/*.aadkds.prd.reporting.msidentity.com/*.accesscontrol.aadtst3.windows-int.net/*.accesscontrol.windows-ppe.net/*.accesscontrol.windows.net/*.adls.aadkds.ppe.reporting.msidentity.com/*.adls.aadkds.prd.reporting.msidentity.com/*.adti.aadkds.ppe.reporting.msidentity.com/*.adti.aadkds.prd.reporting.msidentity.com/*.authapp.net/*.authorization.azure-ppe.net/*.authorization.azure.net/*.b2clogin.com/*.cpim.windows.net/*.d2k.aadkds.ppe.reporting.msidentity.com/*.d2k.aadkds.prd.reporting.msidentity.com/*.fp.measure.office.com/*.gateway.windows.net/*.Identity.azure-int.net/*.Identity.azure.net/*.login.live.com/*.login.microsoft.com/*.login.microsoftonline.com/*.login.windows-ppe.net/*.logincert.microsoft.com/*.logincert.windows-ppe.net/*.microsoftaik-int.azure-int.net/*.microsoftaik.azure.net/*.r.login.microsoft.com/*.r.login.microsoftonline.com/*.windows-ppe.net/aadg.windows.net/aadgv6.ppe.windows.net/aadgv6.windows.net/accesscontrol.aadtst3.windows-int.net/account.live-int.com/account.live.com/api.login.live-int.com/api.login.microsoftonline.com/api.password.ccsctp.com/api.passwordreset.microsoftonline.com/autologon.microsoftazuread-sso.com/becws.ccsctp.com/clientconfig.microsoftonline-p-int.net/clientconfig.microsoftonline-p.net/companymanager.ccsctp.com/companymanager.microsoftonline.com/cpim.windows.net/device.login.microsoftonline.com/device.login.windows-ppe.net/directoryproxy.ppe.windows.net/directoryproxy.windows.net/gatewayforking.windows.net/graph.ppe.windows.net/graphstore.windows.net/ipv6.login.live-int.com/login-us.microsoftonline.com/login.live-int.com/login.live.com/login.microsoft-ppe.com/login.microsoft.com/login.microsoftonline-int.com/login.microsoftonline-p.com/login.microsoftonline-pst.com/login.microsoftonline.com/login.passport-int.com/login.windows.net/logincert.microsoftonline-int.com/logincert.microsoftonline.com/loginnet.passport-int.com/microsoftaik-int.azure-int.net/microsoftaik.azure.net/msnia.login.live-int.com/msnialogin.passport-int.com/nexus.microsoftonline-p-int.com/nexus.microsoftonline-p.com/nexus.passport-int.com/pas.windows-ppe.net/pas.windows.net/password.ccsctp.com/passwordreset.activedirectory.windowsazure.us/passwordreset.microsoftonline.com/provisioning.microsoftonline.com/signup.live-int.com/signup.live.com/sts.windows.net/tools.login.live-int.com/xml.login.live-int.com/xml.login.live.com
Fingerprint: 72:DC:EB:14:27:2F:CF:B8:8D:51:83:92:8D:75:D5:DC:7E:D1:CA:0D
Certificate cache: MISS
Child pid 26627 killed by signal 11

sonertari commented 2 years ago

In your filter rule, can you change your Log line to Log !*, or simply comment out that line, and try please? I guess it crashes because all logs are enabled in the rule but no logging is configured in general (filtering rules do not configure the logger, as mentioned in the README). I hope this fixes the crash.

swiftbird07 commented 2 years ago

Nope, sadly it still crashes.

Here is my updated default.cnf:

ProxySpec {
    Proto https
    Addr 10.23.0.2       # inline
    Port 8443       # comments
    # Divert or split
    Divert no
    # Connection options
    CACert Cloud+SwiftBird+SSLProxy+CA.crt
    CAKey Cloud+SwiftBird+SSLProxy+CA.key
    UserAuth no
    Passthrough no
FilterRule {
    Action Split
    SrcIp *
    DstIp *
    CACert Cloud+SwiftBird+SSLProxy+CA.crt
    CAKey Cloud+SwiftBird+SSLProxy+CA.key
    #UserAuth no
}
}

swiftbird07 commented 2 years ago

If it helps, here is my history of installing SSLProxy on the Ubuntu container:

    1  apt update
    2  apt upgrade
    3  apt install git
    4  git clone 
    5  git clone https://github.com/sonertari/SSLproxy.git
    6  ls
    7  cd SSLproxy/
    8  make
    9  apt install make make-guile
   10  make-guile
   11  apt install make make-guile
   12  apt install make
   13  make
   14  ls
   15  cd Mk
   16  ls
   17  make
   18  apt install pkg-config
   19  cd ..
   20  make
   21  apt install openssl
   22  apt install openssl-devel
   23  apt install libssl-dev
   24  make
   25  apt install libevent-dev
   26  make
   27  apt install libcap-dev
   28  make
   29  apt install libpcap-dev
   30  make
   31  apt install SQLite3
   32  apt install SQLite
   33  apt install sqlite
   34  apt install sqlite3
   35  make
   36  apt install sqlite3-dev
   37  apt install libsqlite3-dev
   38  make
   39  apt install libnet
   40  apt install libnet-dev
   41  make
   42  apt install cc
   43  apt install gcc
   44  make
   45  ls
   46  make install
   47  make test
   48  apt install check
   49  make test

swiftbird07 commented 2 years ago

I just built SSLProxy on a CentOS container to test if it works there, but here make test produces this more interesting output:

make -C src
make[1]: Entering directory '/root/SSLproxy/src'
------------------------------------------------------------------------------
SSLproxy v0.9.2-3-g3dea854
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux pSSLProxy 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -c -isystem/usr/include  -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-02\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread  -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib  -pthread -o sslproxy protoautossl.o prototcp.o cert.o opts.o protopop3.o sys.o cachetgcrt.o build.o cachemgr.o protohttp.o main.o protopassthrough.o cache.o dynbuf.o pxyconn.o proxy.o cachessess.o nat.o url.o ssl.o logpkt.o log.o thrqueue.o cachefkcrt.o protossl.o logbuf.o privsep.o logger.o protosmtp.o base64.o cachedsess.o filter.o util.o pxythrmgr.o proc.o pxythr.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3 
make[1]: Leaving directory '/root/SSLproxy/src'
make unittest
make[1]: Entering directory '/root/SSLproxy'
make -C src
make[2]: Entering directory '/root/SSLproxy/src'
------------------------------------------------------------------------------
SSLproxy v0.9.2-3-g3dea854
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux pSSLProxy 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -c -isystem/usr/include  -D_GNU_SOURCE -D"PKGLABEL=\"SSLproxy\"" -DHAVE_NETFILTER -D"BUILD_PKGNAME=\"sslproxy\"" -D"BUILD_VERSION=\"v0.9.2-3-g3dea854\"" -D"BUILD_DATE=\"2022-04-02\"" -D"BUILD_INFO=\"V:GIT\"" -D"BUILD_FEATURES=\"-DHAVE_NETFILTER\"" -g -pthread  -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -O2 -o build.o build.c
cc -L/usr/lib  -pthread -o sslproxy protoautossl.o prototcp.o cert.o opts.o protopop3.o sys.o cachetgcrt.o build.o cachemgr.o protohttp.o main.o protopassthrough.o cache.o dynbuf.o pxyconn.o proxy.o cachessess.o nat.o url.o ssl.o logpkt.o log.o thrqueue.o cachefkcrt.o protossl.o logbuf.o privsep.o logger.o protosmtp.o base64.o cachedsess.o filter.o util.o pxythrmgr.o proc.o pxythr.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3 
make[2]: Leaving directory '/root/SSLproxy/src'
make -C tests/check
make[2]: Entering directory '/root/SSLproxy/tests/check'
------------------------------------------------------------------------------
SSLproxy v0.9.2-3-g3dea854
------------------------------------------------------------------------------
Report bugs at https://github.com/sonertari/SSLproxy/issues/new
Please supply this header for diagnostics when reporting build issues
Before reporting bugs, make sure to try the latest develop branch first:
% git clone -b develop https://github.com/sonertari/SSLproxy.git
------------------------------------------------------------------------------
Via pkg-config: openssl libevent libevent_openssl libevent_pthreads libpcap sqlite3 check
LIBNET_BASE:    /usr
Build options:  -DHAVE_NETFILTER
Build info:     V:GIT
uname -a:       Linux pSSLProxy 5.13.19-6-pve #1 SMP PVE 5.13.19-14 (Thu, 10 Mar 2022 16:24:52 +0100) x86_64 x86_64 x86_64 GNU/Linux
------------------------------------------------------------------------------
cc -L/usr/lib  -pthread  -o sslproxy.test pxythrmgr.t.o base64.t.o sys.t.o cachessess.t.o dynbuf.t.o filter.t.o proto.t.o url.t.o logbuf.t.o cert.t.o cachefkcrt.t.o opts.t.o ssl.t.o defaults.t.o cachetgcrt.t.o filterstruct.t.o cachemgr.t.o cachedsess.t.o main.t.o util.t.o ../../src/protoautossl.o ../../src/prototcp.o ../../src/cert.o ../../src/opts.o ../../src/protopop3.o ../../src/sys.o ../../src/cachetgcrt.o ../../src/build.o ../../src/cachemgr.o ../../src/protohttp.o ../../src/protopassthrough.o ../../src/cache.o ../../src/dynbuf.o ../../src/pxyconn.o ../../src/proxy.o ../../src/cachessess.o ../../src/nat.o ../../src/url.o ../../src/ssl.o ../../src/logpkt.o ../../src/log.o ../../src/thrqueue.o ../../src/cachefkcrt.o ../../src/protossl.o ../../src/logbuf.o ../../src/privsep.o ../../src/logger.o ../../src/protosmtp.o ../../src/base64.o ../../src/cachedsess.o ../../src/filter.o ../../src/util.o ../../src/pxythrmgr.o ../../src/proc.o ../../src/pxythr.o -lnet -lssl -lcrypto -levent_openssl -levent_pthreads -levent -lpcap -lsqlite3  -lcheck 
make -C engine
make[3]: Entering directory '/root/SSLproxy/tests/check/engine'
make[3]: Nothing to be done for 'all'.
make[3]: Leaving directory '/root/SSLproxy/tests/check/engine'
make -C pki testreqs
make[3]: Entering directory '/root/SSLproxy/tests/check/pki'
rm -f rsa.srl
make[3]: Leaving directory '/root/SSLproxy/tests/check/pki'
./sslproxy.test
Running suite(s): 
 main
 opts
 filter
 filter_struct
sslproxy: unknown curve 'prime192v1'
Error in conf: 'ECDHCurve' on line 14
sslproxy: unknown curve 'prime192v1'
Error in conf: 'ECDHCurve' on line 18
 dynbuf
 logbuf
 cert
 cachemgr
 cachefkcrt
 cachetgcrt
 cachedsess
 cachessess
 ssl
 sys
 base64
 url
 util
 pxythrmgr
 defaults
 proto
84%: Checks: 212, Failures: 2, Errors: 31
opts.t.c:660:E:proxyspec_parse:proxyspec_struct_parse_01:0: (after this point) Received signal 6 (Aborted)
filterstruct.t.c:4287:F:set_filter_struct:set_filter_struct_16:0: failed to parse rule
filterstruct.t.c:4408:F:set_filter_struct:set_filter_struct_17:0: failed to parse rule
proto.t.c:97:E:protohttp_validate:protohttp_validate_01:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:116:E:protohttp_validate:protohttp_validate_02:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:134:E:protohttp_validate:protohttp_validate_03:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:152:E:protohttp_validate:protohttp_validate_04:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:189:E:protohttp_validate:protohttp_validate_05:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:229:E:protohttp_validate:protohttp_validate_06:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:247:E:protohttp_validate:protohttp_validate_07:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:266:E:protohttp_validate:protohttp_validate_08:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:285:E:protohttp_validate:protohttp_validate_09:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:305:E:protohttp_validate:protohttp_validate_10:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:349:E:protopop3_validate:protopop3_validate_01:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:366:E:protopop3_validate:protopop3_validate_02:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:391:E:protopop3_validate:protopop3_validate_03:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:424:E:protopop3_validate:protopop3_validate_04:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:476:E:protopop3_validate:protopop3_validate_05:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:500:E:protopop3_validate:protopop3_validate_06:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:544:E:protosmtp_validate:protosmtp_validate_01:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:561:E:protosmtp_validate:protosmtp_validate_02:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:586:E:protosmtp_validate:protosmtp_validate_03:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:619:E:protosmtp_validate:protosmtp_validate_04:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:671:E:protosmtp_validate:protosmtp_validate_05:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:695:E:protosmtp_validate:protosmtp_validate_06:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:712:E:protosmtp_validate_response:protosmtp_validate_response_01:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:729:E:protosmtp_validate_response:protosmtp_validate_response_02:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:746:E:protosmtp_validate_response:protosmtp_validate_response_03:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:783:E:protosmtp_validate_response:protosmtp_validate_response_04:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:820:E:protosmtp_validate_response:protosmtp_validate_response_05:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:837:E:protosmtp_validate_response:protosmtp_validate_response_06:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:854:E:protosmtp_validate_response:protosmtp_validate_response_07:0: (after this point) Received signal 11 (Segmentation fault)
proto.t.c:871:E:protosmtp_validate_response:protosmtp_validate_response_08:0: (after this point) Received signal 11 (Segmentation fault)
make[2]: *** [GNUmakefile:42: test] Error 1
make[2]: Leaving directory '/root/SSLproxy/tests/check'
make[1]: *** [GNUmakefile:17: unittest] Error 2
make[1]: Leaving directory '/root/SSLproxy'
make: *** [GNUmakefile:13: test] Error 2
sonertari commented 2 years ago

When I follow the debug logs and check with the source code, after debug printing Original server certificate and Certificate cache: MISS, it is supposed to forge that certificate, but it crashes. I wonder if something is wrong with your CA cert. Can you use a different CA cert? Also, can you pass a global CA cert also (perhaps just the same cert as in the ProxySpec and FilterRule), just in case? I cannot see anything else in the logs, but also note that you can debug certificate issues by enabling the DEBUG_CERTIFICATE switch in Mk/main.mk.

The unit test errors on CentOS look strange, they crash while trying to free certain structs created for the tests. It is not clear from the output, but did you clean and make sslproxy on CentOS? I mean are you sure you have cleaned first, or did you just copy from Ubuntu? I wonder if it may be due to incompatible binaries. But it complains about ECDHCurve too, which makes me wonder what OpenSSL version it uses.

swiftbird07 commented 2 years ago

I tried a different cert but it still crashes... I uploaded the log with every DEBUG flag build here because it was too long and I could not upload it for some reason.

On CentOS I git cloned and built everything from scratch, did you mean that with clean?

openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021

Do you have an example config with a valid example Cert pair to spare for me so I could try it? On what OS did you build your setup? FreeBSD right? Do you think it can't work on an LXC container (Proxmox)?

swiftbird07 commented 2 years ago

Just checked out of curiosity and SSLsplit works. (Installed it with apt install sslsplit using the same certs as for SSLProxy.)

sonertari commented 2 years ago

Based on your reports, this really sounds like an issue with sslproxy; I cannot understand what's going on. Can you use gdb on the core dump of sslproxy and get its backtrace? I hope there is a core dump.

I have Mint and OpenBSD, travis has Ubuntu, but this should not depend on the Linux distro.

swiftbird07 commented 2 years ago

Hey thanks for the reply, but I am by no means a C programmer and not really familiar with gdb. I would give you this core dump if you can provide me with some info on how to do that exactly 😅

sonertari commented 2 years ago

Does it only crash with itunes.apple.com as target or with all possible targets? Its cert has a very long CN. I wonder if that's the cause.

swiftbird07 commented 2 years ago

No it crashes every time :/

sonertari commented 2 years ago

In your config file, can you comment out Divert no in the ProxySpec or Action Split in the FilterRule and try for me? I wonder if Split action in Split mode is the cause. (I am trying to find some stupid bug in sslproxy, but that's all I can think of for now.)

swiftbird07 commented 2 years ago

Tried this but commenting out Action Split will result in an error because the ProxySpec is not set right. Commenting out Divert no will crash as before.

sonertari commented 2 years ago

Since I am out of ideas, the only option left is gdb:

  1. Can you generate a core dump, if your system does not do it already? It is explained here: How to generate core dump.
  2. After that, we need that core dump file and the sslproxy binary causing the crash to use with gdb as explained here: How to use gdb. Afaik, it is better or even necessary to use gdb on the same system that the crash happens (because the libraries, versions, etc. should match).

The backtrace should tell us the exact line in the source code where sslproxy crashes. This will most probably help us know the reason.

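The two-step procedure above (enable core dumps, then run gdb on the core together with the crashing binary) as a small POSIX shell helper. This is an added example written for this thread, not a script from the SSLproxy project or from either participant. It assumes a Linux host, that `gdb` is installed, and that the binary path (for example `./src/sslproxy`) and the core file path are passed in as arguments; those paths are assumptions, not values from the thread. It also covers the caveat that on many distributions `/proc/sys/kernel/core_pattern` starts with `|`, meaning the kernel pipes the core to a handler such as systemd-coredump or apport instead of writing a file, in which case the core has to be fetched from that handler first (for example with `coredumpctl dump`).

```shell
#!/bin/sh
# Added example (not SSLproxy project code): enable core dumps and pull a
# backtrace out of a core file with gdb in batch mode.
# Assumed usage:  . ./collect_bt.sh; enable_core_dumps; collect_backtrace ./src/sslproxy ./core

# Classify a kernel core_pattern string: "pipe" when the kernel hands the
# core to a helper program (line starts with '|'), otherwise "file".
core_pattern_kind() {
    case "$1" in
        \|*) printf 'pipe\n' ;;
        *)   printf 'file\n' ;;
    esac
}

# Read this host's core_pattern and classify it (reads /proc, Linux only).
host_core_pattern_kind() {
    core_pattern_kind "$(cat /proc/sys/kernel/core_pattern 2>/dev/null)"
}

# Raise the soft core-file size limit for the current shell and its children.
# The process you want to debug must be started from this same shell afterwards.
enable_core_dumps() {
    ulimit -c unlimited
}

# Build the gdb batch invocation used below. Kept as a separate function so the
# exact command can be shown to, or copied by, someone unfamiliar with gdb.
gdb_bt_cmd() {
    bin="$1"; core="$2"
    printf 'gdb -batch -ex "thread apply all bt full" "%s" "%s"\n' "$bin" "$core"
}

# Run gdb non-interactively on the binary + core and save the full backtrace of
# every thread to a file (default: backtrace.txt). Prints the output path.
# Must be run on the same host that crashed so shared libraries match.
collect_backtrace() {
    bin="$1"; core="$2"; out="${3:-backtrace.txt}"
    [ -x "$bin" ]  || { echo "binary not executable: $bin" >&2; return 1; }
    [ -r "$core" ] || { echo "core file not readable: $core" >&2; return 1; }
    if [ "$(host_core_pattern_kind)" = pipe ]; then
        echo "note: core_pattern pipes cores to a handler; if $core is stale," \
             "fetch the core with e.g. 'coredumpctl dump -o $core'" >&2
    fi
    gdb -batch -ex "thread apply all bt full" "$bin" "$core" > "$out" 2>&1
    printf '%s\n' "$out"
}
```

The backtrace file is what the maintainer asked for: the first frames under `#0` name the function and source line where the segmentation fault happened. Source line numbers only appear if the binary was built with `-g`, which the `cc ... -g` line in the build output above shows is the case for this build.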
sonertari commented 2 years ago

I have fixed a crash in split mode on the develop branch, which may or may not be the same issue you have, but it is worth trying.

swiftbird07 commented 2 years ago

Good news! I tried your fix in the develop branch and it works now! Thank you very much for your help!

I would buy you a coffee if you want, for the effort.

sonertari commented 2 years ago

It's great to hear that it worked. Thank you for the issue report, and for the offer. (Currently they don't support the currency where I live, perhaps if I move somewhere they support, but thanks anyway.)