Open love200103223 opened 1 year ago
You don't mention any listening program in your report.
So I think you need two things:
But you can run sslproxy in split mode too, in which case you don't need a listening program. So I don't know the details of your setup, but you can try the following proxyspec:
https 127.0.0.1 10443 127.0.0.1 443
Or use the IP address of your http server in place of the second 127.0.0.1 above.
Btw, perhaps you need sslsplit, not sslproxy?
Is the error reported below due to an error in my certificate?
Do you see any issues with the keys httpd.key and httpd.crt used on my command line? Should there be a file with the suffix pem?
[root@iZuf62gz7wcz2kez5kk495Z SSLproxy]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/httpd.crt https 0.0.0.0 10443 0.0.0.0 443 -X q.pcap -D4
SSLproxy v0.9.4 (built 2023-04-20)
Copyright (c) 2017-2022, Soner Tari sonertari@gmail.com
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger daniel@roe.ch
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.0.2k 26 Jan 2017 (100020bf)
rtlinked against OpenSSL 1.0.2k-fips 26 Jan 2017 (100020bf)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: ssl3 tls10 tls11 tls12
SSL/TLS algorithm availability: SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.5.3
compiled against sqlite 3.7.5
rtlinked against sqlite 3.7.5
4 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:
Is there a problem with this public key format versus the format defined in sslproxy?
[root@iZuf62gz7wcz2kez5kk495Z ssl]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/cacert.pem https 0.0.0.0 10443 0.0.0.0 443 -X q.pcap -D4
sslproxy: CA cert does not match key in ProxySpec.
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE
140439748397120:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib:ssl_rsa.c:484:
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
140439748397120:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:649:
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:343:
You should use a CA cert/key pair with sslproxy. I see above that sslproxy complains about the key and cert not matching. So you should generate a CA cert/key pair and use them on your sslproxy command line.
And you should install the CA cert to the web browser too. However, I don't know your setup, but it seems like you are trying to run sslproxy as a reverse proxy. If that's the case, you cannot install it to the web browsers of those remote clients, of course, in which case there is no solution but to ask the person connecting to install the CA cert to his/her web browser him/herself.
Also, another reason for those errors may be related to cert verification. You can disable server cert verification in sslproxy. But you should use a config file for that, and set the VerifyPeer option to no.
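The two OpenSSL complaints in the log above are different problems: "no start line ... Expecting: CERTIFICATE" means the file given to -c contains no PEM block labelled CERTIFICATE at all, while "X509_check_private_key: key values mismatch" means a certificate was found but its public key does not belong to the key given to -k. The following stdlib-only Python script is an added illustration for this thread, not part of SSLproxy or of anyone's post here; it performs the first of those checks (PEM labels and base64 validity of each block) on the files you would hand to -c and -k, which is enough to tell a mislabelled or wrong-type file from a genuine key/cert mismatch. The sample PEM bodies are constructed placeholders, not real keys, and the function and constant names are my own.

```python
"""Check the PEM labels of the files passed to sslproxy -c (cert) and -k (key).

Added example for this issue thread; not SSLproxy code. It explains the
"no start line ... Expecting: CERTIFICATE" errors by reading PEM labels.
It does NOT prove the key matches the certificate; that is the separate
X509_check_private_key step that OpenSSL performs inside sslproxy.
"""
import base64
import binascii
import re
import sys

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Labels OpenSSL's PEM_read_bio accepts when it is "Expecting: CERTIFICATE"
# and "Expecting: ANY PRIVATE KEY" respectively.
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "DSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return the labels of all well-formed PEM blocks in text.

    A block whose body is not valid base64 is skipped, because OpenSSL
    would reject it as well.
    """
    labels = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            continue
        labels.append(label)
    return labels


def check_pair(cert_text, key_text):
    """Report what sslproxy -c/-k would trip over; [] means labels look right."""
    problems = []
    cert_labels = pem_labels(cert_text)
    key_labels = pem_labels(key_text)
    if not any(lbl in CERT_LABELS for lbl in cert_labels):
        problems.append("-c file has no CERTIFICATE block (found: %s); this is the "
                        "'no start line ... Expecting: CERTIFICATE' case"
                        % (", ".join(cert_labels) or "nothing"))
    if not any(lbl in KEY_LABELS for lbl in key_labels):
        problems.append("-k file has no private key block (found: %s); this is the "
                        "'Expecting: ANY PRIVATE KEY' case"
                        % (", ".join(key_labels) or "nothing"))
    if any(lbl in KEY_LABELS for lbl in cert_labels):
        problems.append("-c file contains a private key; pass that file with -k instead")
    return problems


# Constructed sample files (placeholder base64, not real key material).
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIBszCCAVwCAQAwDQYJ
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwDQY
-----END RSA PRIVATE KEY-----
"""
# Hypothetical wrong-type file: a signing request handed to -c by mistake.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIICijCCAXICAQAwRTEL
-----END CERTIFICATE REQUEST-----
"""


def main(argv):
    if len(argv) != 3:
        print("usage: pemcheck.py CERT_FILE KEY_FILE", file=sys.stderr)
        return 2
    with open(argv[1]) as f:
        cert_text = f.read()
    with open(argv[2]) as f:
        key_text = f.read()
    problems = check_pair(cert_text, key_text)
    for p in problems:
        print("problem:", p)
    if not problems:
        print("labels OK; if sslproxy still reports 'key values mismatch', "
              "the cert was not issued for this key")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If this script reports no problems and sslproxy still prints `key values mismatch`, the files are the right kind but simply do not belong together, which is exactly the situation the reply above describes: generate a fresh CA cert/key pair and pass that pair with -c and -k.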
Thank you for your answer.
Could you please tell me where this configuration file is?
Can this sslproxy be deployed on a device without an IP address, that is, inserted inline in the architecture in a transparent mode? Can this be achieved?
Thank you very much for your answer
You can find a sample config file in the sources.
If you're asking about L2 bridge mode, no, sslproxy does not support bridge mode. SSLproxy runs at L3/L4 level.
OK. Thank you for your answer.
[root@iZuf62gz7wcz2kez5kk495Z ~]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/httpd.crt https 0.0.0.0 10443 up:443 -X q.pcap -D4
SSLproxy v0.9.4 (built 2023-04-20)
Copyright (c) 2017-2022, Soner Tari sonertari@gmail.com
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger daniel@roe.ch
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.0.2k 26 Jan 2017 (100020bf)
rtlinked against OpenSSL 1.0.2k-fips 26 Jan 2017 (100020bf)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: ssl3 tls10 tls11 tls12
SSL/TLS algorithm availability: SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.5.3
compiled against sqlite 3.7.5
rtlinked against sqlite 3.7.5
4 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:
divert addr= [127.0.0.1]:443
return addr= [127.0.0.1]:0
opts= conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
divert||
Loaded Global CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
Loaded ProxySpec CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
SSL/TLS leaf certificates taken from:
Privsep fastpath disabled
Created self-pipe [r=4,w=5]
Created chld-pipe [r=6,w=7]
Created socketpair 0 [p=8,c=9]
Created socketpair 1 [p=10,c=11]
Created socketpair 2 [p=12,c=13]
Created socketpair 3 [p=14,c=15]
Created socketpair 4 [p=16,c=17]
Created socketpair 5 [p=18,c=19]
Privsep parent pid 2578
Privsep child pid 2579
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 9 on srvsock 8
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 10
Received privsep req type 00 sz 1 on srvsock 12
Received privsep req type 00 sz 1 on srvsock 14
Inserted events:
0xfeae88 [fd 5] Read Persist Internal
0xfeb060 [fd 7] Read Persist Internal
0xfea1b8 [fd 8] Read Persist
0xfebb20 [sig 1] Signal Persist
0xfebc50 [sig 2] Signal Persist
0xfeb9f0 [sig 3] Signal Persist
0xfebeb0 [sig 10] Signal Persist
0xfebd80 [sig 13] Signal Persist
0xfeb290 [sig 15] Signal Persist
0xfec000 [fd -1] Persist Timeout=1682239211.430419
Active events:
Initialized 8 connection handling threads
Received privsep req type 00 sz 1 on srvsock 18
Started 8 connection handling threads
Starting main event loop.
SNI peek: [n/a] [complete], fd=43
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=45
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=47
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=49
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=51
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=53
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=55
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=57
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=59
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=61
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=62
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=65
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=66
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=69
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=71
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=73
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=75
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=77
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=79
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=81
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=83