2012-04-13 12:47:30 +00:00
SSLsplit - transparent and scalable SSL/TLS interception
Copyright (C) 2009-2013, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit

## Overview

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted
network connections. Connections are transparently intercepted through a
network address translation engine and redirected to SSLsplit. SSLsplit
terminates SSL/TLS and initiates a new SSL/TLS connection to the original
destination address, while logging all data transmitted. SSLsplit is intended
to be useful for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both
IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs
forged X509v3 certificates on the fly, based on the original server certificate
subject DN and subjectAltName extension. SSLsplit fully supports Server Name
Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and
ECDHE cipher suites. SSLsplit can also use existing certificates for which the
private key is available, instead of generating forged ones. SSLsplit supports
NULL-prefix CN certificates and can deny OCSP requests in a generic way.
SSLsplit removes HPKP response headers in order to prevent public key pinning.
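As an added example (not part of the SSLsplit README or code base), the following Python script shows the defensive counterpart of the two properties described above: a forged certificate that copies the original subject DN still carries a different public key, so a client that pins the SPKI hash (the value an HPKP header would carry) rejects it, and a pin held by the client rather than delivered in a response header is unaffected by header stripping. The script contains a minimal DER walker that locates subjectPublicKeyInfo and subject in a certificate. The two sample certificates are constructed structural skeletons with placeholder signatures; every name and key byte in them is made up, so only the structure is meaningful.

```python
import base64
import hashlib


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos].

    Returns (tag, value, end) where end is the offset just past the value.
    Handles single-byte tags and short- and long-form lengths, which is all
    the outer structure of an X.509 certificate uses.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value into its complete TLV elements."""
    elements, pos = [], 0
    while pos < len(value):
        _, _, end = der_read_tlv(value, pos)
        elements.append(value[pos:end])
        pos = end
    return elements


def tbs_fields(cert_der):
    """Return the TLV elements of tbsCertificate with the optional [0] version dropped."""
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tlv = der_children(cert_body)[0]          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs_body, _ = der_read_tlv(tbs_tlv, 0)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                      # [0] EXPLICIT version is absent in v1 certs
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields


def subject_der(cert_der):
    return tbs_fields(cert_der)[4]


def spki_der(cert_der):
    return tbs_fields(cert_der)[5]


def spki_pin(cert_der):
    """HPKP-style pin value: base64(SHA-256(DER-encoded subjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode("ascii")


def check_pins(cert_der, pins):
    """True if the certificate's public key matches one of the pinned SPKI hashes."""
    return spki_pin(cert_der) in pins


# --- constructed sample data: certificate-shaped skeletons, not real signed certificates ---

def der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))


def der_name(common_name):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here a single CN (OID 2.5.4.3)
    return der_seq(der_tlv(0x31, der_seq(der_tlv(0x06, b"\x55\x04\x03"),
                                         der_tlv(0x0C, common_name.encode()))))


RSA_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")         # rsaEncryption
SHA256_RSA_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption


def make_sample_cert(issuer_cn, subject_cn, key_bytes):
    """Build a v3-certificate-shaped DER blob around key_bytes (constructed; unsigned placeholder)."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_seq(SHA256_RSA_OID)
    validity = der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    spki = der_seq(der_seq(RSA_OID, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + key_bytes))
    tbs = der_seq(version, serial, sig_alg, der_name(issuer_cn), validity, der_name(subject_cn), spki)
    signature = der_tlv(0x03, b"\x00" + bytes(16))           # placeholder, not a real signature
    return der_seq(tbs, sig_alg, signature)


# A "genuine" cert and a forged one with the same subject DN but a different key and issuer.
GENUINE = make_sample_cert("Example Root CA", "www.example.com", bytes(range(32)))
FORGED = make_sample_cert("Interception CA", "www.example.com", bytes(range(32, 64)))
PINS = {spki_pin(GENUINE)}


def demo():
    """Returns (subjects_identical, genuine_passes_pin, forged_passes_pin)."""
    return (subject_der(GENUINE) == subject_der(FORGED),
            check_pins(GENUINE, PINS),
            check_pins(FORGED, PINS))


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

On a real connection the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`; the point of the check is that it compares key material, not names, so a certificate whose subject and SAN were copied from the original server still fails. The DER walker deliberately handles only what the outer certificate structure needs (single-byte tags, definite lengths).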

See the manual page sslsplit(1) for details on using SSLsplit and setting up
the various NAT engines.

## Requirements

SSLsplit depends on the OpenSSL and libevent 2.x libraries.
The build depends on GNU make and a POSIX.2 environment in `PATH`.
The (optional) unit tests depend on check and on Internet connectivity.
The latter is necessary to create an SSL session for testing.

SSLsplit currently supports the following operating systems and NAT engines:

- FreeBSD: pf rdr, ipfw fwd, ipfilter rdr
- OpenBSD: pf rdr
- Linux: netfilter REDIRECT and TPROXY
- Mac OS X: ipfw fwd
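Because interception of this kind depends on a NAT engine rule sending TLS ports somewhere other than their destination, a host audit can look for exactly that. The following Python script is an added example, not part of SSLsplit, that scans the `-S` listing format of iptables for REDIRECT and TPROXY rules on ports where TLS is normally spoken (the Linux engines named above). The sample rule lines are constructed for the example; on a real host you would feed it the concatenated output of `iptables -t nat -S` and `iptables -t mangle -S` (TPROXY lives in the mangle table). It does not parse nftables listings.

```python
import shlex

# Constructed sample in `iptables -S` format; the second-to-last line shows that a
# plain ACCEPT on 443 is not flagged, only rules that actually divert the traffic.
SAMPLE_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 993 -j TPROXY --on-port 8443 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Destination ports on which TLS is normally spoken (assumed watch list; extend as needed).
TLS_PORTS = frozenset({443, 465, 563, 636, 853, 989, 990, 993, 995, 8443})

# Targets that divert a connection to a local listener, with the option naming that listener.
INTERCEPTING_TARGETS = {"REDIRECT": "--to-ports", "TPROXY": "--on-port"}


def parse_rule(line):
    """Return (chain, dport, target, local_port) for an `-A` rule, or None for other lines."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain = tokens[1]
    dport = target = local_port = None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "--dport" and nxt:
            dport = int(nxt.split(":")[0])        # "443" or a range "443:444"; keep the low end
        elif tok == "-j" and nxt:
            target = nxt
        elif tok in INTERCEPTING_TARGETS.values() and nxt:
            local_port = int(nxt.split("-")[0])   # --to-ports may be "8443" or "8443-8450"
    return chain, dport, target, local_port


def find_interception_rules(rules_text, watch_ports=TLS_PORTS):
    """Return every rule that diverts a watched TLS port to a local listener."""
    findings = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, dport, target, local_port = parsed
        if target in INTERCEPTING_TARGETS and dport in watch_ports:
            findings.append(parsed)
    return findings


if __name__ == "__main__":
    for chain, dport, target, local_port in find_interception_rules(SAMPLE_RULES):
        print(f"{chain}: tcp/{dport} diverted by {target} to local port {local_port}")
```

The same listing format is produced by `ip6tables -S`, so the scan covers IPv6 rules unchanged. An unexpected hit on a server or workstation is a starting point for an investigation, not proof of interception by itself; a legitimate transparent proxy produces the same rule shape.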

## Installation

    make
    make test       # optional unit tests
    make install    # optional install

Dependencies are autoconfigured using pkg-config. If dependencies are not
picked up and fixing `PKG_CONFIG_PATH` does not help, you can specify their
respective locations manually by setting `OPENSSL_BASE`, `LIBEVENT_BASE` and/or
`CHECK_BASE` to the respective prefixes.

You can override the default install prefix (`/usr/local`) by setting `PREFIX`.

## Development

SSLsplit is being developed on Github. For bug reports, please use the Github
issue tracker. For patch submissions, please send me pull requests.

https://github.com/droe/sslsplit

## License

SSLsplit is provided under the simplified BSD license.
SSLsplit contains components licensed under the MIT license.
See the respective source file headers for details.

## Credits

SSLsplit was inspired by mitm-ssl by Claes M. Nyberg and sslsniff by Moxie
Marlinspike, but shares no source code with them.

SSLsplit includes khash.h by Attractive Chaos.