# SSLsplit - transparent SSL/TLS interception [![Build Status](https://travis-ci.org/droe/sslsplit.svg?branch=master)](https://travis-ci.org/droe/sslsplit)

Copyright (C) 2009-2015, [Daniel Roethlisberger](//daniel.roe.ch/).

http://www.roe.ch/SSLsplit


## Overview

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted
network connections. Connections are transparently intercepted through a
network address translation engine and redirected to SSLsplit. SSLsplit
terminates SSL/TLS and initiates a new SSL/TLS connection to the original
destination address, while logging all data transmitted. SSLsplit is intended
to be useful for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both
IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs
forged X509v3 certificates on-the-fly, based on the original server certificate
subject DN and subjectAltName extension. SSLsplit fully supports Server Name
Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and
ECDHE cipher suites. Depending on the version of OpenSSL, SSLsplit supports
SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well.
SSLsplit can also use existing certificates for which the private key is
available, instead of generating forged ones. SSLsplit supports NULL-prefix CN
certificates and can deny OCSP requests in a generic way. For HTTP and HTTPS
connections, SSLsplit removes response headers for HPKP in order to prevent
public key pinning, for HSTS to allow the user to accept untrusted
certificates, and Alternate Protocols to prevent switching to QUIC/SPDY.
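The forged leaf certificates described above carry the original subject DN and
subjectAltName, and with the HPKP response header stripped the browser never
learns which key to expect. A pin that the client carries out-of-band cannot be
stripped in transit, which is why it detects this kind of interception. The
following is an added example, not code from SSLsplit: it pulls the DER
`SubjectPublicKeyInfo` out of a certificate with a small hand-written DER reader,
computes the RFC 7469 `pin-sha256` value over it, and checks the result against a
pinned set. The certificates it checks are constructed inline (made-up key
bytes, no real signature) so the example runs offline; `make_cert`, `make_spki`,
`extract_spki`, `spki_pin` and `verify_pin` are names chosen here, not from any
library.

```python
"""SPKI pinning check for X.509 certificates (added example, not part of SSLsplit).
Sample certificates are constructed in-line: structurally valid DER, fake key bytes."""
import base64
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, value, end offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:start + length], start + length


def children(content: bytes):
    """Split a SEQUENCE body into (tag, raw TLV bytes) pairs, one per child."""
    out, pos = [], 0
    while pos < len(content):
        tag, _value, end = read_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV (header included, as RFC 7469 hashes it).
    TBSCertificate = [version] serial sigAlg issuer validity subject spki ...;
    the explicit [0] version field is absent in v1 certificates."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs_body, _ = read_tlv(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = children(tbs_body)
    idx = 6 if fields[0][0] == 0xA0 else 5
    spki_tag, spki = fields[idx]
    if spki_tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode()


def verify_pin(cert_der: bytes, pinned: set) -> bool:
    """Accept the presented certificate only if its key matches a pin the client
    holds out-of-band; unlike an HPKP header, that pin cannot be stripped in transit."""
    return spki_pin(cert_der) in pinned


# --- constructed sample certificates (fake key bytes, unsigned) --------------
OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
OID_RSA = der(0x06, bytes.fromhex("2a864886f70d010101"))         # 1.2.840.113549.1.1.1
OID_CN = der(0x06, bytes.fromhex("550403"))                      # 2.5.4.3 commonName


def make_spki(pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo wrapping arbitrary 'key' bytes as a BIT STRING."""
    return der(0x30, der(0x30, OID_RSA + der(0x05, b"")) + der(0x03, b"\x00" + pubkey))


def make_cert(cn: bytes, pubkey: bytes, v3: bool = True) -> bytes:
    """Minimal unsigned certificate for testing; v3=False omits the [0] version."""
    name = der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, cn))))
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    alg = der(0x30, OID_SHA256_RSA + der(0x05, b""))
    version = der(0xA0, der(0x02, b"\x02")) if v3 else b""
    tbs = der(0x30, version + der(0x02, b"\x01") + alg + name + validity + name
              + make_spki(pubkey))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))  # placeholder signature


GENUINE_KEY = b"constructed-genuine-key-bytes"
FORGED_KEY = b"constructed-forged-key-bytes"
GENUINE_CERT = make_cert(b"www.example.com", GENUINE_KEY)
# Same subject name, different key: the shape of an on-the-fly forged leaf.
FORGED_CERT = make_cert(b"www.example.com", FORGED_KEY)
PINS = {spki_pin(GENUINE_CERT)}  # what the client would ship out-of-band
```

In a real client the DER bytes come from the TLS handshake, for example
`SSLSocket.getpeercert(binary_form=True)` in Python's `ssl` module, and the pin
set is shipped with the application rather than learned from a header.
`verify_pin(GENUINE_CERT, PINS)` is true, `verify_pin(FORGED_CERT, PINS)` is
false even though both certificates name `www.example.com`, and the reader also
handles v1 certificates, where the version field is missing.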

See the manual page sslsplit(1) for details on using SSLsplit and setting up
the various NAT engines.


## Requirements

SSLsplit depends on the OpenSSL and libevent 2.x libraries.
The build depends on GNU make and a POSIX.2 environment in `PATH`.
The optional unit tests depend on the check library.

SSLsplit currently supports the following operating systems and NAT mechanisms:

- FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr
- OpenBSD: pf rdr-to and divert-to
- Linux: netfilter REDIRECT and TPROXY
- Mac OS X: pf rdr and ipfw fwd

Support for local process information (`-i`) is currently available on Mac OS X
and FreeBSD.

SSL/TLS features and compatibility greatly depend on the version of OpenSSL
linked against; for optimal results, use the latest 1.0.1 series release.


## Installation

    make
    make test       # optional unit tests
    make install    # optional install

Dependencies are autoconfigured using pkg-config. If dependencies are not
picked up and fixing `PKG_CONFIG_PATH` does not help, you can specify their
respective locations manually by setting `OPENSSL_BASE`, `LIBEVENT_BASE` and/or
`CHECK_BASE` to the respective prefixes.

You can override the default install prefix (`/usr/local`) by setting `PREFIX`.
For more build options see `GNUmakefile`.


## Documentation

See `NEWS.md` for release notes listing significant changes between releases.
See `HACKING.md` for information on development and how to submit bug reports.
See `AUTHORS.md` for the list of contributors.


## License

SSLsplit is provided under a 2-clause BSD license.
SSLsplit contains components licensed under the MIT and APSL licenses.
See `LICENSE.md` and the respective source file headers for details.


## Credits

SSLsplit was inspired by `mitm-ssl` by Claes M. Nyberg and `sslsniff` by Moxie
Marlinspike, but shares no source code with them.