Environment: sslproxy deployed on a web server. I can access the web normally using an HTTP proxy, but not using HTTPS. Can you take a look at the traffic logs I intercepted? Is there a redirection issue? Thank you. #53
Comments
You don't mention any listening program in your report. So I think you need two things:
But you can run sslproxy in split mode too, in which case you don't need a listening program. So I don't know the details of your setup, but you can try the following proxyspec:
Or use the IP address of your HTTP server in place of the second 127.0.0.1 above. By the way, perhaps you need sslsplit, not sslproxy?
Is the error reported below due to an error in my certificate? Do you see any issues with the keys httpd.key and httpd.crt used on my command line? Should there be a file with the suffix .pem?
[root@iZuf62gz7wcz2kez5kk495Z SSLproxy]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/httpd.crt https 0.0.0.0 10443 0.0.0.0 443 -X q.pcap -D4
Is there a problem between this public key format and the format defined in sslproxy?
[root@iZuf62gz7wcz2kez5kk495Z ssl]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/cacert.pem https 0.0.0.0 10443 0.0.0.0 443 -X q.pcap -D4
You should use a CA cert/key pair with sslproxy. I see above that sslproxy complains about the key and cert not matching. So you should generate a CA cert/key pair and use them on your sslproxy command line. And you should install the CA cert in the web browser too. However, I don't know your setup, but it seems like you are trying to run sslproxy as a reverse proxy. If that's the case, you cannot install it in the web browsers of those remote clients, of course, in which case there is no solution but to ask the person connecting to install the CA cert in his/her web browser him/herself. Also, another reason for those errors may be related to cert verification. You can disable server cert verification in sslproxy. But you should use a config file for that, and set the VerifyPeer option to no.
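The two things the reply above asks for, a CA cert/key pair (rather than a server cert like httpd.crt) and a config file with VerifyPeer set to no, as an added example that is not part of this thread and not code from the SSLproxy project. It generates a self-signed CA with openssl and then performs the same two sanity checks sslproxy performs at startup: that the private key actually belongs to the certificate (the mismatch error in the thread) and that the certificate carries CA:TRUE. The output directory, the certificate subject, the config option names (CACert, CAKey, VerifyPeer, ProxySpec, as in the sample config in the sources) and the -f flag for loading the config are assumptions; check them against the sample sslproxy.conf and the man page. It needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the SSLproxy project or this thread.
# Generates a CA key/cert pair for sslproxy's -k/-c options and checks
# what sslproxy checks at startup: the key matches the cert, and the
# cert is really a CA. Directory, subject and the sslproxy.conf option
# names (CACert/CAKey/VerifyPeer/ProxySpec) are assumptions.
set -eu

gen_ca() {
    # $1 = output directory; writes ca.key and ca.crt (self-signed, CA:TRUE).
    # A req config file is used instead of -addext so this also works with
    # older OpenSSL releases such as the 1.0.2 build shown in the thread.
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = cn
O = cn
CN = sslproxy-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        >/dev/null 2>&1
    chmod 600 "$dir/ca.key"
}

keys_match() {
    # $1 = private key, $2 = certificate. Succeeds only if the public key
    # derived from the private key equals the public key inside the cert;
    # a different key (e.g. httpd.key with cacert.pem) fails here.
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

is_ca() {
    # $1 = certificate. A plain server cert fails this check; sslproxy needs
    # a CA cert because it signs the leaf certs it forges with it.
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

write_conf() {
    # $1 = output file, $2 = CA directory. Minimal config with upstream
    # server certificate verification disabled (VerifyPeer no), plus the
    # proxyspec from the thread. Option names are an assumption.
    cat > "$1" <<EOF
CACert $2/ca.crt
CAKey $2/ca.key
VerifyPeer no
ProxySpec https 0.0.0.0 10443 up:443
EOF
}

workdir=$(mktemp -d)
gen_ca "$workdir"
if keys_match "$workdir/ca.key" "$workdir/ca.crt" && is_ca "$workdir/ca.crt"; then
    write_conf "$workdir/sslproxy.conf" "$workdir"
    echo "CA pair OK in $workdir; assumed invocation: sslproxy -f $workdir/sslproxy.conf -D4"
else
    echo "key/cert mismatch or not a CA certificate" >&2
    exit 1
fi
```

keys_match is the check to run first whenever sslproxy refuses a -k/-c pair: it compares the SubjectPublicKeyInfo derived from the key with the one embedded in the certificate, which is exactly what differs when a web server's key is combined with an unrelated CA certificate. Disabling VerifyPeer removes the upstream certificate check, so it should only be used to confirm that verification was the cause of the error, not left on in a deployment.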
Thank you for your answer. Could you please tell me where this configuration file is? Can this sslproxy be deployed on devices without an IP, which means it is strung into the architecture in a transparent mode? Can this be achieved? Thank you very much for your answer.
You can find a sample config file in the sources. If you're asking about L2 bridge mode, no, sslproxy does not support bridge mode. SSLproxy runs at the L3/L4 level.
OK. Thank you for your answer.
[root@iZuf62gz7wcz2kez5kk495Z ~]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/httpd.crt https 0.0.0.0 10443 up:443 -X q.pcap -D4
SSLproxy v0.9.4 (built 2023-04-20)
Copyright (c) 2017-2022, Soner Tari [email protected]
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger [email protected]
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.0.2k 26 Jan 2017 (100020bf)
rtlinked against OpenSSL 1.0.2k-fips 26 Jan 2017 (100020bf)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: ssl3 tls10 tls11 tls12
SSL/TLS algorithm availability: SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.5.3
compiled against sqlite 3.7.5
rtlinked against sqlite 3.7.5
4 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:
divert addr= [127.0.0.1]:443
return addr= [127.0.0.1]:0
opts= conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
divert||
Loaded Global CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
Loaded ProxySpec CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
SSL/TLS leaf certificates taken from:
Privsep fastpath disabled
Created self-pipe [r=4,w=5]
Created chld-pipe [r=6,w=7]
Created socketpair 0 [p=8,c=9]
Created socketpair 1 [p=10,c=11]
Created socketpair 2 [p=12,c=13]
Created socketpair 3 [p=14,c=15]
Created socketpair 4 [p=16,c=17]
Created socketpair 5 [p=18,c=19]
Privsep parent pid 2578
Privsep child pid 2579
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 9 on srvsock 8
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 10
Received privsep req type 00 sz 1 on srvsock 12
Received privsep req type 00 sz 1 on srvsock 14
Inserted events:
0xfeae88 [fd 5] Read Persist Internal
0xfeb060 [fd 7] Read Persist Internal
0xfea1b8 [fd 8] Read Persist
0xfebb20 [sig 1] Signal Persist
0xfebc50 [sig 2] Signal Persist
0xfeb9f0 [sig 3] Signal Persist
0xfebeb0 [sig 10] Signal Persist
0xfebd80 [sig 13] Signal Persist
0xfeb290 [sig 15] Signal Persist
0xfec000 [fd -1] Persist Timeout=1682239211.430419
Active events:
Initialized 8 connection handling threads
Received privsep req type 00 sz 1 on srvsock 18
Started 8 connection handling threads
Starting main event loop.
SNI peek: [n/a] [complete], fd=43
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=45
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=47
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=49
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=51
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=53
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=55
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=57
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=59
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=61
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=62
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=65
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=66
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=69
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=71
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=73
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=75
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=77
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=79
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=81
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=83