sonertari / SSLproxy

Transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs, such as UTM services, for deep SSL inspection
BSD 2-Clause "Simplified" License

SSLProxy with nginx #58

Open migs017 opened 9 months ago

migs017 commented 9 months ago

uname 13~22.04.1-Ubuntu

SSLProxy version SSLproxy v0.9.4 (built 2023-09-28)

NAT redirection rule -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Current Listener and port: Nginx : 443/80

Description: I'm trying to decrypt HTTPS traffic with SSLProxy. Nginx handles the reverse proxy, and I'm not sure why SSLProxy is forging a certificate even though I supplied a private key and a cert from Let's Encrypt. I'm planning on running an IPS using Suricata in the future and will probably tweak our setup more to listen first in Suricata and then pass it to nginx; that's why the divert method is required.

miguel@logarchiveipds:/opt/SSLproxy/src/testfolder$ sudo ../sslproxy -f testsslproxy.conf -D4
SSLproxy v0.9.4 (built 2023-09-28)
Copyright (c) 2017-2022, Soner Tari sonertari@gmail.com
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger daniel@roe.ch
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 3.0.2 15 Mar 2022 (30000020)
rtlinked against OpenSSL 3.0.2 15 Mar 2022 (30000020)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.10.1 (with TPACKET_V3)
compiled against sqlite 3.37.2
rtlinked against sqlite 3.37.2
2 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:

Using the command 'echo | openssl s_client -servername testwebserver123.civicom.us -connect testwebserver123.civicom.us:443' to check the certificate that is currently being used:

My web certificate before SSLProxy:

Certificate chain
 0 s:/CN=testwebserver123.civicom.us
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

-----BEGIN CERTIFICATE-----
MIIFAzCCA+ugAwIBAgISA2UdVOOuaaNTxDxyhjKONN1dMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA5MjgxOTIxNDdaFw0yMzEyMjcxOTIxNDZaMCYxJDAiBgNVBAMT
G3Rlc3R3ZWJzZXJ2ZXIxMjMuY2l2aWNvbS51czCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALcz3k0drEqDfjNMOsZGeTu8M29r+R4r/nLvu+X1g3aXAVjk
Od1OX48JZM9B4jcn1ZMPP20cs/xjiEPk1KGDQbMApxiiSAsNSM238mOUIVs6+NyS
vaPsTU6MbDjyD6+OkZdAIpBAebdsnXuYI37eQcRhj1Y2fr8/4oB5wTUAt3j+SX22
CE21mYmsrmasCg+y6CEd60pcB9QSCruOUW7YagOgrjEv1wYO+dzCIypM3I1dzJOI
YcNglcEjNeObuShxKcaAf+ntDI6AzcjcKWabmVeWKAxtSWQaS9y/zDv4aUYcVnjN
F/47YaQnkCjihXlUbO5wsYEAzjema2M1BaDS2cECAwEAAaOCAh0wggIZMA4GA1Ud
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQUMGdta11rD3Got/mpvmTHgSTviFUwHwYDVR0jBBgw
FoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUF
BzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9y
My5pLmxlbmNyLm9yZy8wJgYDVR0RBB8wHYIbdGVzdHdlYnNlcnZlcjEyMy5jaXZp
Y29tLnVzMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB
8gDwAHYAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61IAAAGK3XRkbgAA
BAMARzBFAiA2qH6/f4gnMahnhBM0HOEkoGBqKXSRyDe9QVk9dJ5RegIhANMehG7g
xv0OWkcvfeW7FTxkejL4Ig/Vp9faZX/jHearAHYAtz77JN+cTbp18jnFulj0bF38
Qs96nzXEnh0JgSXttJkAAAGK3XRkfwAABAMARzBFAiAZNC/UGe3uxQA70OPVnPxA
IggP2qfQBYTq092FsQl++gIhANPsnU53q8jvh0jBDM0eyt3QQh5ib1es0LDpDksh
3oSpMA0GCSqGSIb3DQEBCwUAA4IBAQBMrPGpFCPeWsal9FzveXBQIHosDLp5L5tL
4TAUUjaX4cG1M5Ezk9bdCq3flb9d1V1wllJ7EJrz/RImEaIYABicvBumGjiiiT7U
8thqHuxh5HlHDTGXHKTrNFwyaYIDb2lByxSYun5zq4JqvDh6rAed3RoftBGYwD2o
HEBhb7qiI3Du3hWwRThNVMy/WosHd/5vQhr/Kr+ncD7zhLkAMvYIxLDWJSg1ezK6
2Zdq+4Em3E8mu3f3R/Wy7rKlpYkOoYMh7subDlEAtbk7mJfhqxD8nN5DFiHVNNxt
vf4h4VDAmKUMWR7BBPsgoCUfU9RszJxvSZbTV8Ou6oGQtwH93yJ1
-----END CERTIFICATE-----

My web certificate after SSLProxy:

Certificate chain
 0 s:/CN=testwebserver123.civicom.us
   i:/CN=testwebserver123.civicom.us
 1 s:/CN=testwebserver123.civicom.us
   i:/C=US/O=Let's Encrypt/CN=R3

Server certificate
-----BEGIN CERTIFICATE-----
MIIDyDCCArCgAwIBAgISA2UdVOOuaaNTxDxyhjLvRFAIMA0GCSqGSIb3DQEBCwUA
MCYxJDAiBgNVBAMTG3Rlc3R3ZWJzZXJ2ZXIxMjMuY2l2aWNvbS51czAeFw0yMzEw
MTIxNjQ1MjVaFw0yNDEwMTExNjQ1MjVaMCYxJDAiBgNVBAMTG3Rlc3R3ZWJzZXJ2
ZXIxMjMuY2l2aWNvbS51czCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
ALUtPRRqsqg90AnHvvbexNw0PW/JeRTnsUBCKJJOvdQAWC+LgYxvOsBmavF4/Dho
tVrRhichPHZJuI2pbKUXXoNntplK521wJ/WqiiqyvhL6UHjtMQWTR7jN2N6Oaxj+
yH5BgGtTp3orB/OsR3wXLryQ0YxbIzjpEpTT4bvy6JA6IylJsW8fzmm3ALodm9PT
sB+IuKn05r5QXEVY4nsnzn0g4if8bAsSms7cGLm1M5MA54uop8jI2EdZVLXlO75B
cgPnqkx76iC0Cafw691gmFOEjuP6m0SWH/ASUTx5a9OuLaOgw81yuh6jSQfjOyan
HVXBDG/+bYUgui9NHiyvaF8CAQOjgfEwge4wHQYDVR0OBBYEFO/a94/lENT/JNlr
pqe2KPhdpdfsMGsGA1UdIwRkMGKAFDBnbWtdaw9xqLf5qb5kx4Ek74hVoTakNDAy
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDELMAkGA1UEAxMC
UjOCEgNlHVTjrmmjU8Q8coYyjjTdXTAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwJgYDVR0RBB8wHYIbdGVz
dHdlYnNlcnZlcjEyMy5jaXZpY29tLnVzMA0GCSqGSIb3DQEBCwUAA4IBAQAnZ2W0
w3U+c6HM+s+h402e+G1fhLaqcC7TobnLa9emCzDxcl0S7GrhouWu6uEmsQRFJMru
+iX8DXSbA4XO21MkP/BN1+iil15bNFXQ0G9dRpc/4oPIlRD8RBA8BolUynmzla0E
nTF4nTAir6VC+srq7D9Yhd0+yHEeIjqMcrvJ4LiEBHXlxZ56DgjQ10KSFuGLRUaF
UzN+sdii/8xDA/c5qLdNg5Ynsc3GwhX9hiPrFg9OZErKxwNJPqS3URP8ZHI22SeO
MM+22EZfpLfNFoz931IoiypiHbybE+lnbajRrwbC1aPvGQrfH2jxkDu3pjdn506k
xSknjGEpz/gz4cwF
-----END CERTIFICATE-----

This is the error message in the browser: [screenshot]

sonertari commented 9 months ago

SSLproxy forges the server certificate using the CA cert supplied, which in your case is in a structured proxyspec in your config file. This is how it decrypts the traffic. If you install that same CA cert into your browser, then it will not complain about it.

Having said that, I think your understanding of how SSLproxy is supposed to be used is not correct (i.e. that's not how SSLproxy works). Because you're trying to use nginx as a listening program, but I don't think you have modified its source code to support the mode of operation required by SSLproxy, have you?

Please read the README and review the Mode of Operation diagram again.
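The check sonertari's answer implies, as an added example that is not part of this thread and not code from the SSLproxy project: a stdlib-only Python script that decodes the leaf certificate posted above (the chain seen "after SSLProxy"), extracts subject, issuer and validity, and flags the certificate as proxy-forged when its issuer is not the CA that really signs the site (Let's Encrypt R3 here). The function names, the `OID_NAMES` table and the deliberately minimal DER walker (definite lengths only, no signature or chain verification) are my own choices, not anything from the project. The tell-tales in this particular leaf are that its issuer CN equals its own subject CN, and that its validity is a full year rather than the 90 days of the Let's Encrypt original, exactly what a leaf minted by the proxy from the configured "CA" looks like.

```python
import base64

# Leaf certificate observed "after SSLProxy", copied from the report above;
# it is the page's own data, not generated here.
FORGED_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDyDCCArCgAwIBAgISA2UdVOOuaaNTxDxyhjLvRFAIMA0GCSqGSIb3DQEBCwUA
MCYxJDAiBgNVBAMTG3Rlc3R3ZWJzZXJ2ZXIxMjMuY2l2aWNvbS51czAeFw0yMzEw
MTIxNjQ1MjVaFw0yNDEwMTExNjQ1MjVaMCYxJDAiBgNVBAMTG3Rlc3R3ZWJzZXJ2
ZXIxMjMuY2l2aWNvbS51czCCASAwDQYJKoZIhvcNAQEBBQADggENADCCAQgCggEB
ALUtPRRqsqg90AnHvvbexNw0PW/JeRTnsUBCKJJOvdQAWC+LgYxvOsBmavF4/Dho
tVrRhichPHZJuI2pbKUXXoNntplK521wJ/WqiiqyvhL6UHjtMQWTR7jN2N6Oaxj+
yH5BgGtTp3orB/OsR3wXLryQ0YxbIzjpEpTT4bvy6JA6IylJsW8fzmm3ALodm9PT
sB+IuKn05r5QXEVY4nsnzn0g4if8bAsSms7cGLm1M5MA54uop8jI2EdZVLXlO75B
cgPnqkx76iC0Cafw691gmFOEjuP6m0SWH/ASUTx5a9OuLaOgw81yuh6jSQfjOyan
HVXBDG/+bYUgui9NHiyvaF8CAQOjgfEwge4wHQYDVR0OBBYEFO/a94/lENT/JNlr
pqe2KPhdpdfsMGsGA1UdIwRkMGKAFDBnbWtdaw9xqLf5qb5kx4Ek74hVoTakNDAy
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5jcnlwdDELMAkGA1UEAxMC
UjOCEgNlHVTjrmmjU8Q8coYyjjTdXTAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwJgYDVR0RBB8wHYIbdGVz
dHdlYnNlcnZlcjEyMy5jaXZpY29tLnVzMA0GCSqGSIb3DQEBCwUAA4IBAQAnZ2W0
w3U+c6HM+s+h402e+G1fhLaqcC7TobnLa9emCzDxcl0S7GrhouWu6uEmsQRFJMru
+iX8DXSbA4XO21MkP/BN1+iil15bNFXQ0G9dRpc/4oPIlRD8RBA8BolUynmzla0E
nTF4nTAir6VC+srq7D9Yhd0+yHEeIjqMcrvJ4LiEBHXlxZ56DgjQ10KSFuGLRUaF
UzN+sdii/8xDA/c5qLdNg5Ynsc3GwhX9hiPrFg9OZErKxwNJPqS3URP8ZHI22SeO
MM+22EZfpLfNFoz931IoiypiHbybE+lnbajRrwbC1aPvGQrfH2jxkDu3pjdn506k
xSknjGEpz/gz4cwF
-----END CERTIFICATE-----"""

# DER-encoded attribute-type OIDs to label when decoding a Name (own choice).
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos] -> (tag, value_start, value_end).
    Handles short and long definite lengths, which is all X.509 DER uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Iterate over the TLVs inside a constructed value (SEQUENCE / SET)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _name(buf, start, end):
    """Decode an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to a dict."""
    out = {}
    for _, rstart, rend in _children(buf, start, end):          # each RDN (SET)
        for _, astart, aend in _children(buf, rstart, rend):    # each type/value pair
            oid, value = list(_children(buf, astart, aend))[:2]
            key = OID_NAMES.get(buf[oid[1]:oid[2]], buf[oid[1]:oid[2]].hex())
            out[key] = buf[value[1]:value[2]].decode("utf-8", "replace")
    return out


def parse_cert(pem):
    """Return issuer, subject and validity of one PEM certificate (stdlib only)."""
    body = "".join(line.strip() for line in pem.splitlines() if "-----" not in line)
    der = base64.b64decode(body)
    _, cstart, _ = _tlv(der, 0)                     # Certificate ::= SEQUENCE
    _, tstart, tend = _tlv(der, cstart)             # tbsCertificate SEQUENCE
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                        # skip EXPLICIT [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer = _name(der, fields[2][1], fields[2][2])
    times = [der[s:e].decode() for _, s, e in _children(der, fields[3][1], fields[3][2])]
    subject = _name(der, fields[4][1], fields[4][2])
    return {"issuer": issuer, "subject": subject,
            "not_before": times[0], "not_after": times[1]}


def forged_by_proxy(pem, expected_issuer_cn):
    """True when the served leaf was not issued by the CA that really signs the site."""
    return parse_cert(pem)["issuer"].get("CN") != expected_issuer_cn


if __name__ == "__main__":
    info = parse_cert(FORGED_CERT_PEM)
    print("subject  :", info["subject"])
    print("issuer   :", info["issuer"])
    print("validity :", info["not_before"], "->", info["not_after"])
    print("forged (real issuer CN=R3):", forged_by_proxy(FORGED_CERT_PEM, "R3"))
```

Run it as-is to print the fields of the posted leaf; to check a live site, paste the first certificate block from `openssl s_client -showcerts` output into `parse_cert`. The issuer comparison is only a quick sanity check: a proxy whose CA was deliberately named like a public CA would pass it, so the authoritative test stays a full chain verification against the system trust store, which is exactly what the browser does when it shows the error in the screenshot.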

migs017 commented 9 months ago

Alright, thank you for your quick response, sonertari! Really appreciate it.