SSLproxy/README.md

# SSLsplit - transparent SSL/TLS interception [![Build Status](https://travis-ci.org/droe/sslsplit.svg?branch=master)](https://travis-ci.org/droe/sslsplit)
Copyright (C) 2009-2015, [Daniel Roethlisberger](//daniel.roe.ch/).  
http://www.roe.ch/SSLsplit


## Overview

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted
network connections.  It is intended to be useful for network forensics,
application security analysis and penetration testing.

SSLsplit is designed to transparently terminate connections that are redirected
to it using a network address translation engine.  SSLsplit then terminates
SSL/TLS and initiates a new SSL/TLS connection to the original destination
address, while logging all data transmitted.  Besides NAT based operation,
SSLsplit also supports static destinations and using the server name indicated
by SNI as upstream destination.  SSLsplit is purely a transparent proxy and
cannot act as a HTTP or SOCKS proxy configured in a browser.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both
IPv4 and IPv6.  SSLsplit fully supports Server Name Indication (SNI) and is
able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites.
Depending on the version of OpenSSL built against, SSLsplit supports SSL 3.0,
TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well.

For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3
certificates on-the-fly, mimicking the original server certificate's subject
DN, subjectAltName extension and other  characteristics.  SSLsplit has the
ability to use existing certificates of which the private key is available,
instead of generating forged ones.  SSLsplit supports NULL-prefix CN
certificates but otherwise does not implement exploits against specific
certificate verification vulnerabilities in SSL/TLS stacks.

SSLsplit implements a number of defences against mechanisms which would
normally prevent MitM attacks or make them more difficult.  SSLsplit can deny
OCSP requests in a generic way.  For HTTP and HTTPS connections, SSLsplit
removes response headers for HPKP in order to prevent public key pinning, for
HSTS to allow the user to accept untrusted certificates, and Alternate
Protocols to prevent switching to QUIC/SPDY.  HTTP compression, encodings and
keep-alive are disabled to make the logs more readable.

See the manual page sslsplit(1) for details on using SSLsplit and setting up
the various NAT engines.


## Requirements

SSLsplit depends on the OpenSSL and libevent 2.x libraries.
The build depends on GNU make and a POSIX.2 environment in `PATH`.
If available, pkg-config is used to locate and configure the dependencies.
The optional unit tests depend on the check library.

SSLsplit currently supports the following operating systems and NAT mechanisms:

-   FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
-   OpenBSD: pf rdr-to and divert-to
-   Linux: netfilter REDIRECT and TPROXY
-   Mac OS X: pf rdr and ipfw fwd

Support for local process information (`-i`) is currently available on Mac OS X
and FreeBSD.

SSL/TLS features and compatibility greatly depend on the version of OpenSSL
linked against; for optimal results, use a recent release of OpenSSL proper.
OpenSSL forks like LibreSSL and BoringSSL may or may not work.


## Installation

With OpenSSL, libevent 2.x, pkg-config and check available, run:

    make
    make test       # optional unit tests
    make install    # optional install

Dependencies are autoconfigured using pkg-config.  If dependencies are not
picked up and fixing `PKG_CONFIG_PATH` does not help, you can specify their
respective locations manually by setting `OPENSSL_BASE`, `LIBEVENT_BASE` and/or
`CHECK_BASE` to the respective prefixes.

You can override the default install prefix (`/usr/local`) by setting `PREFIX`.
For more build options see `GNUmakefile`.


## Documentation

See `NEWS.md` for release notes listing significant changes between releases.
See `HACKING.md` for information on development and how to submit bug reports.
See `AUTHORS.md` for the list of contributors.


## License

SSLsplit is provided under a 2-clause BSD license.
SSLsplit contains components licensed under the MIT and APSL licenses.
See `LICENSE.md` and the respective source file headers for details.


## Credits

SSLsplit was inspired by `mitm-ssl` by Claes M. Nyberg and `sslsniff` by Moxie
Marlinspike, but shares no source code with them.
Update copyright, license and tagline - Update copyright to 2015 - Remove the non-standard "unmodified" from the 2-clause BSD license - Remove scalable from the tagline to avoid misinterpretations 2015-02-24 18:19:20 +00:00			`# SSLsplit - transparent SSL/TLS interception [![Build Status](https://travis-ci.org/droe/sslsplit.svg?branch=master)](https://travis-ci.org/droe/sslsplit)`
			`Copyright (C) 2009-2015, [Daniel Roethlisberger](//daniel.roe.ch/).`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00			`http://www.roe.ch/SSLsplit`


			`## Overview`

			`SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted`
Rewrite description for clarity Issue: #60, #93 2015-05-01 09:54:20 +00:00			`network connections. It is intended to be useful for network forensics,`
			`application security analysis and penetration testing.`

			`SSLsplit is designed to transparently terminate connections that are redirected`
			`to it using a network address translation engine. SSLsplit then terminates`
			`SSL/TLS and initiates a new SSL/TLS connection to the original destination`
			`address, while logging all data transmitted. Besides NAT based operation,`
			`SSLsplit also supports static destinations and using the server name indicated`
			`by SNI as upstream destination. SSLsplit is purely a transparent proxy and`
			`cannot act as a HTTP or SOCKS proxy configured in a browser.`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
			`SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both`
Rewrite description for clarity Issue: #60, #93 2015-05-01 09:54:20 +00:00			`IPv4 and IPv6. SSLsplit fully supports Server Name Indication (SNI) and is`
			`able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites.`
			`Depending on the version of OpenSSL built against, SSLsplit supports SSL 3.0,`
			`TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well.`

			`For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3`
			`certificates on-the-fly, mimicking the original server certificate's subject`
			`DN, subjectAltName extension and other characteristics. SSLsplit has the`
			`ability to use existing certificates of which the private key is available,`
			`instead of generating forged ones. SSLsplit supports NULL-prefix CN`
			`certificates but otherwise does not implement exploits against specific`
			`certificate verification vulnerabilities in SSL/TLS stacks.`

			`SSLsplit implements a number of defences against mechanisms which would`
			`normally prevent MitM attacks or make them more difficult. SSLsplit can deny`
			`OCSP requests in a generic way. For HTTP and HTTPS connections, SSLsplit`
			`removes response headers for HPKP in order to prevent public key pinning, for`
			`HSTS to allow the user to accept untrusted certificates, and Alternate`
Further improve wording for clarity 2015-05-01 10:11:44 +00:00			`Protocols to prevent switching to QUIC/SPDY. HTTP compression, encodings and`
			`keep-alive are disabled to make the logs more readable.`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
			`See the manual page sslsplit(1) for details on using SSLsplit and setting up`
			`the various NAT engines.`


			`## Requirements`

			`SSLsplit depends on the OpenSSL and libevent 2.x libraries.`
Use some more markdown syntax 2012-05-13 16:22:23 +00:00			The build depends on GNU make and a POSIX.2 environment in `PATH`.
Add a note that pkg-config is used when available 2015-05-02 10:47:10 +00:00			`If available, pkg-config is used to locate and configure the dependencies.`
Update README for the APSL components 2014-01-14 00:23:09 +00:00			`The optional unit tests depend on the check library.`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
Improve IPFW and pf wording in the documentation 2013-12-23 12:57:57 +00:00			`SSLsplit currently supports the following operating systems and NAT mechanisms:`
Migrate documentation to markdown Issue: #33 2014-11-04 19:39:20 +00:00
FreeBSD pf also has divert-to since 9.0-RELEASE 2013-12-23 13:13:27 +00:00			`- FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr`
Improve IPFW and pf wording in the documentation 2013-12-23 12:57:57 +00:00			`- OpenBSD: pf rdr-to and divert-to`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00			`- Linux: netfilter REDIRECT and TPROXY`
Add local process lookup on FreeBSD using sysctl() API 2014-11-19 21:30:01 +00:00			`- Mac OS X: pf rdr and ipfw fwd`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
Split out AUTHORS.md and HACKING.md from README.md 2014-11-28 11:09:40 +00:00			Support for local process information (`-i`) is currently available on Mac OS X
			`and FreeBSD.`

			`SSL/TLS features and compatibility greatly depend on the version of OpenSSL`
Update docs and -V for LibreSSL and BoringSSL 2015-08-02 20:06:51 +00:00			`linked against; for optimal results, use a recent release of OpenSSL proper.`
			`OpenSSL forks like LibreSSL and BoringSSL may or may not work.`
Split out AUTHORS.md and HACKING.md from README.md 2014-11-28 11:09:40 +00:00
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
			`## Installation`

List the dependencies in the install notes 2015-05-02 10:52:37 +00:00			`With OpenSSL, libevent 2.x, pkg-config and check available, run:`

Use some more markdown syntax 2012-05-13 16:22:23 +00:00			`make`
			`make test # optional unit tests`
			`make install # optional install`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
Mention PKG_CONFIG_PATH 2012-04-22 23:03:38 +00:00			`Dependencies are autoconfigured using pkg-config. If dependencies are not`
Use some more markdown syntax 2012-05-13 16:22:23 +00:00			picked up and fixing `PKG_CONFIG_PATH` does not help, you can specify their
			respective locations manually by setting `OPENSSL_BASE`, `LIBEVENT_BASE` and/or
			`CHECK_BASE` to the respective prefixes.
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
Use some more markdown syntax 2012-05-13 16:22:23 +00:00			You can override the default install prefix (`/usr/local`) by setting `PREFIX`.
Migrate documentation to markdown Issue: #33 2014-11-04 19:39:20 +00:00			For more build options see `GNUmakefile`.
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00

Split out AUTHORS.md and HACKING.md from README.md 2014-11-28 11:09:40 +00:00			`## Documentation`
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00
Format file refs with backticks 2014-11-28 11:18:40 +00:00			See `NEWS.md` for release notes listing significant changes between releases.
			See `HACKING.md` for information on development and how to submit bug reports.
			See `AUTHORS.md` for the list of contributors.
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00

			`## License`

Update licensing information 2014-11-30 00:39:57 +00:00			`SSLsplit is provided under a 2-clause BSD license.`
Update README for the APSL components 2014-01-14 00:23:09 +00:00			`SSLsplit contains components licensed under the MIT and APSL licenses.`
Update licensing information 2014-11-30 00:39:57 +00:00			See `LICENSE.md` and the respective source file headers for details.
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00

			`## Credits`

Migrate documentation to markdown Issue: #33 2014-11-04 19:39:20 +00:00			SSLsplit was inspired by `mitm-ssl` by Claes M. Nyberg and `sslsniff` by Moxie
Initial import of sslsplit-0.4.2 2012-04-13 12:47:30 +00:00			`Marlinspike, but shares no source code with them.`