From cbb2a179f9bb73d8e15436f608a3f2bd6ab5790a Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 19:08:11 +0000 Subject: [PATCH 01/10] naive implementation with -X, no help, validation, logging --- main.c | 9 ++++++++- opts.h | 1 + pxyconn.c | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) diff --git a/main.c b/main.c index 617047f..b0cbccb 100644 --- a/main.c +++ b/main.c @@ -275,7 +275,7 @@ main(int argc, char *argv[]) } while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z OPT_i - "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVh")) != -1) { + "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhX:")) != -1) { switch (ch) { case 'c': if (opts->cacrt) @@ -519,6 +519,13 @@ main(int argc, char *argv[]) opts->contentlog_isdir = 0; opts->contentlog_isspec = 1; break; + case 'X': + if (opts->certgendir) + free(opts->certgendir); + opts->certgendir = strdup(optarg); + if (!opts->certgendir) + oom_die(argv0); + break; #ifdef HAVE_LOCAL_PROCINFO case 'i': opts->lprocinfo = 1; diff --git a/opts.h b/opts.h index abbf5e8..6098b83 100644 --- a/opts.h +++ b/opts.h @@ -100,6 +100,7 @@ typedef struct opts { char *ecdhcurve; #endif /* !OPENSSL_NO_ECDH */ proxyspec_t *spec; + char *certgendir; } opts_t; opts_t *opts_new(void) MALLOC; diff --git a/pxyconn.c b/pxyconn.c index 3cefc66..8c643d5 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -702,6 +702,40 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain, SSL_CTX_add_extra_chain_cert(sslctx, c); } + if (ctx->opts->certgendir) { + unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; + char origfprstr[SSL_X509_FPRSZ*2], newfprstr[SSL_X509_FPRSZ*2]; + ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); + ssl_x509_fingerprint_sha1(crt, newfpr); + sprintf(origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" + "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", + origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], + origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], + origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], + origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); + sprintf(newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" + "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", + newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], + newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], + newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], + newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); + char *keyfn = malloc(strlen(ctx->opts->certgendir)+1+SSL_X509_FPRSZ*4+1+4); + char *crtfn = malloc(strlen(ctx->opts->certgendir)+1+SSL_X509_FPRSZ*4+1+4); + sprintf(keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr); + sprintf(crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr); + FILE *keyfd, *crtfd; + keyfd = fopen(keyfn, "w"); + crtfd = fopen(crtfn, "w"); + if (keyfd) { + PEM_write_PrivateKey(keyfd, key, NULL, 0, 0, NULL, NULL); + fclose(keyfd); + } + if (crtfd) { + PEM_write_X509(crtfd, crt); + fclose(crtfd); + } + } + #ifdef DEBUG_SESSION_CACHE if (OPTS_DEBUG(ctx->opts)) { int mode = SSL_CTX_get_session_cache_mode(sslctx); From 61d5186864e3c4bab2e5ace4f97f122d2dacc8c2 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 19:40:07 +0000 Subject: [PATCH 02/10] added exclusivity with -K, man page and -h --- main.c | 6 ++++++ sslsplit.1 | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/main.c b/main.c index b0cbccb..e8aa164 100644 --- a/main.c +++ b/main.c @@ -112,6 +112,7 @@ main_usage(void) " -k pemfile use CA key (and cert) from pemfile to sign forged certs\n" " -C pemfile use CA chain from pemfile (intermediate and root CA certs)\n" " -K pemfile use key from pemfile for leaf certs (default: generate)\n" +" -X gendir write generated key/cert pairs to gendir\n" " -t certdir use cert+chain+key PEM files from certdir to target all sites\n" " matching the common names (non-matching: generate if CA)\n" " -O deny all OCSP requests on all proxyspecs\n" @@ -561,6 +562,11 @@ main(int argc, char *argv[]) argv0); exit(EXIT_FAILURE); } + if (opts->certgendir && opts->key)) { + fprintf(stderr, "%s: -K and -X are mutually exclusive.\n", + argv0); + exit(EXIT_FAILURE); + } if (!opts->spec) { fprintf(stderr, "%s: no proxyspec specified.\n", argv0); exit(EXIT_FAILURE); diff --git a/sslsplit.1 b/sslsplit.1 index e888b4d..278a58b 100644 --- a/sslsplit.1 +++ b/sslsplit.1 @@ -30,15 +30,15 @@ sslsplit \-\- transparent and scalable SSL/TLS interception .SH SYNOPSIS .na .B sslsplit -[\fB-kCKOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP +[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fIproxyspecs\fP [...] .br .B sslsplit -[\fB-kCKOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP +[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP \fIproxyspecs\fP [...] .br .B sslsplit -[\fB-OPZdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP +[\fB-OPZXdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP \fIproxyspecs\fP [...] .br .B sslsplit -E @@ -185,6 +185,9 @@ no matching certificate in the provided certificate directory. Use private key from \fIpemfile\fP for certificates forged on-the-fly. If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key. .TP +.B \-X \fIgendir\fP +Write generated keys and certificates to individual files in \fIgendir\fP. +.TP .B \-l \fIlogfile\fP Log connections to \fIlogfile\fP in a single line per connection format, including addresses and ports and some HTTP and SSL information, if available. From 73042d4daa1f13b51312281dc230aea2676c4a1d Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 19:47:10 +0000 Subject: [PATCH 03/10] fix mutual exclusivity, sprintf->asprintf --- main.c | 2 +- pxyconn.c | 13 ++++++------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/main.c b/main.c index e8aa164..799f487 100644 --- a/main.c +++ b/main.c @@ -562,7 +562,7 @@ main(int argc, char *argv[]) argv0); exit(EXIT_FAILURE); } - if (opts->certgendir && opts->key)) { + if (opts->certgendir && opts->key) { fprintf(stderr, "%s: -K and -X are mutually exclusive.\n", argv0); exit(EXIT_FAILURE); diff --git a/pxyconn.c b/pxyconn.c index 8c643d5..0180b94 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -704,25 +704,24 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain, if (ctx->opts->certgendir) { unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; - char origfprstr[SSL_X509_FPRSZ*2], newfprstr[SSL_X509_FPRSZ*2]; ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); ssl_x509_fingerprint_sha1(crt, newfpr); - sprintf(origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" + char *origfprstr, *newfprstr; + asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); - sprintf(newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" + asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); - char *keyfn = malloc(strlen(ctx->opts->certgendir)+1+SSL_X509_FPRSZ*4+1+4); - char *crtfn = malloc(strlen(ctx->opts->certgendir)+1+SSL_X509_FPRSZ*4+1+4); - sprintf(keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr); - sprintf(crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr); + char *keyfn, *crtfn; + asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr); + asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr); FILE *keyfd, *crtfd; keyfd = fopen(keyfn, "w"); crtfd = fopen(crtfn, "w"); From 13dce0aa351dcb3f5717631d4c41dfbf647541c0 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 20:02:25 +0000 Subject: [PATCH 04/10] moved write to pxy_srccert_create, -X to -w, opts_free use --- main.c | 8 +++---- opts.c | 3 +++ pxyconn.c | 66 +++++++++++++++++++++++++++--------------------------- sslsplit.1 | 8 +++---- 4 files changed, 44 insertions(+), 41 deletions(-) diff --git a/main.c b/main.c index 799f487..d6d28ba 100644 --- a/main.c +++ b/main.c @@ -112,7 +112,7 @@ main_usage(void) " -k pemfile use CA key (and cert) from pemfile to sign forged certs\n" " -C pemfile use CA chain from pemfile (intermediate and root CA certs)\n" " -K pemfile use key from pemfile for leaf certs (default: generate)\n" -" -X gendir write generated key/cert pairs to gendir\n" +" -w gendir write generated key/cert pairs to gendir\n" " -t certdir use cert+chain+key PEM files from certdir to target all sites\n" " matching the common names (non-matching: generate if CA)\n" " -O deny all OCSP requests on all proxyspecs\n" @@ -276,7 +276,7 @@ main(int argc, char *argv[]) } while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z OPT_i - "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhX:")) != -1) { + "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhw:")) != -1) { switch (ch) { case 'c': if (opts->cacrt) @@ -520,7 +520,7 @@ main(int argc, char *argv[]) opts->contentlog_isdir = 0; opts->contentlog_isspec = 1; break; - case 'X': + case 'w': if (opts->certgendir) free(opts->certgendir); opts->certgendir = strdup(optarg); @@ -563,7 +563,7 @@ main(int argc, char *argv[]) exit(EXIT_FAILURE); } if (opts->certgendir && opts->key) { - fprintf(stderr, "%s: -K and -X are mutually exclusive.\n", + fprintf(stderr, "%s: -K and -w are mutually exclusive.\n", argv0); exit(EXIT_FAILURE); } diff --git a/opts.c b/opts.c index 0189af8..e21cc54 100644 --- a/opts.c +++ b/opts.c @@ -105,6 +105,9 @@ opts_free(opts_t *opts) if (opts->contentlog) { free(opts->contentlog); } + if (opts->certgendir) { + free(opts->certgendir); + } memset(opts, 0, sizeof(opts_t)); free(opts); } diff --git a/pxyconn.c b/pxyconn.c index 0180b94..6b4eae7 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -702,39 +702,6 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain, SSL_CTX_add_extra_chain_cert(sslctx, c); } - if (ctx->opts->certgendir) { - unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; - ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); - ssl_x509_fingerprint_sha1(crt, newfpr); - char *origfprstr, *newfprstr; - asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" - "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", - origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], - origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], - origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], - origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); - asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" - "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", - newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], - newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], - newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], - newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); - char *keyfn, *crtfn; - asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr); - asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr); - FILE *keyfd, *crtfd; - keyfd = fopen(keyfn, "w"); - crtfd = fopen(crtfn, "w"); - if (keyfd) { - PEM_write_PrivateKey(keyfd, key, NULL, 0, 0, NULL, NULL); - fclose(keyfd); - } - if (crtfd) { - PEM_write_X509(crtfd, crt); - fclose(crtfd); - } - } - #ifdef DEBUG_SESSION_CACHE if (OPTS_DEBUG(ctx->opts)) { int mode = SSL_CTX_get_session_cache_mode(sslctx); @@ -831,6 +798,39 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) cert_set_chain(cert, ctx->opts->chain); } + if (ctx->opts->certgendir) { + unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; + ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); + ssl_x509_fingerprint_sha1(cert->crt, newfpr); + char *origfprstr, *newfprstr; + asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" + "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", + origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], + origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], + origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], + origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); + asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" + "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", + newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], + newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], + newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], + newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); + char *keyfn, *crtfn; + asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr); + asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr); + FILE *keyfd, *crtfd; + keyfd = fopen(keyfn, "w"); + crtfd = fopen(crtfn, "w"); + if (keyfd) { + PEM_write_PrivateKey(keyfd, cert->key, NULL, 0, 0, NULL, NULL); + fclose(keyfd); + } + if (crtfd) { + PEM_write_X509(crtfd, cert->crt); + fclose(crtfd); + } + } + return cert; } diff --git a/sslsplit.1 b/sslsplit.1 index 278a58b..a67ed38 100644 --- a/sslsplit.1 +++ b/sslsplit.1 @@ -30,15 +30,15 @@ sslsplit \-\- transparent and scalable SSL/TLS interception .SH SYNOPSIS .na .B sslsplit -[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP +[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fIproxyspecs\fP [...] .br .B sslsplit -[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP +[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP \fIproxyspecs\fP [...] .br .B sslsplit -[\fB-OPZXdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP +[\fB-OPZwdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP \fIproxyspecs\fP [...] .br .B sslsplit -E @@ -185,7 +185,7 @@ no matching certificate in the provided certificate directory. Use private key from \fIpemfile\fP for certificates forged on-the-fly. If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key. .TP -.B \-X \fIgendir\fP +.B \-w \fIgendir\fP Write generated keys and certificates to individual files in \fIgendir\fP. .TP .B \-l \fIlogfile\fP From a7e2d99b39fd6e597345caf6a41baad9f948a4c7 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 21:13:04 +0000 Subject: [PATCH 05/10] added logging of fingerprints, uppercased names --- pxyconn.c | 60 +++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 50 insertions(+), 10 deletions(-) diff --git a/pxyconn.c b/pxyconn.c index 6b4eae7..5d1a85f 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -357,6 +357,23 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx) } #endif /* HAVE_LOCAL_PROCINFO */ + unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; + ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); + ssl_x509_fingerprint_sha1(SSL_get_certificate(ctx->src.ssl), newfpr); + char *origfprstr, *newfprstr; + asprintf(&origfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", + origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], + origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], + origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], + origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); + asprintf(&newfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", + newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], + newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], + newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], + newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); + if (!ctx->spec->ssl || ctx->passthrough) { rv = asprintf(&msg, "%s %s %s" #ifdef HAVE_LOCAL_PROCINFO @@ -377,7 +394,7 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx) #ifdef HAVE_LOCAL_PROCINFO " %s" #endif /* HAVE_LOCAL_PROCINFO */ - "\n", + "%s%s\n", STRORDASH(ctx->src_str), STRORDASH(ctx->dst_str), STRORDASH(ctx->sni), @@ -389,7 +406,9 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx) #ifdef HAVE_LOCAL_PROCINFO , lpi #endif /* HAVE_LOCAL_PROCINFO */ - ); + , + ctx->opts->certgendir ? origfprstr : "", + ctx->opts->certgendir ? newfprstr : ""); } if ((rv < 0) || !msg) { ctx->enomem = 1; @@ -446,12 +465,29 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) } #endif /* HAVE_LOCAL_PROCINFO */ + unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; + ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); + ssl_x509_fingerprint_sha1(SSL_get_certificate(ctx->src.ssl), newfpr); + char *origfprstr, *newfprstr; + asprintf(&origfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", + origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], + origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], + origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], + origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); + asprintf(&newfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", + newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], + newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], + newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], + newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); + if (!ctx->spec->ssl) { rv = asprintf(&msg, "http %s %s %s %s %s %s %s" #ifdef HAVE_LOCAL_PROCINFO " %s" #endif /* HAVE_LOCAL_PROCINFO */ - "%s\n", + "%s%s%s\n", STRORDASH(ctx->src_str), STRORDASH(ctx->dst_str), STRORDASH(ctx->http_host), @@ -462,7 +498,9 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) #ifdef HAVE_LOCAL_PROCINFO lpi, #endif /* HAVE_LOCAL_PROCINFO */ - ctx->ocsp_denied ? " ocsp:denied" : ""); + ctx->ocsp_denied ? " ocsp:denied" : "", + ctx->opts->certgendir ? origfprstr : "", + ctx->opts->certgendir ? newfprstr : ""); } else { rv = asprintf(&msg, "https %s %s %s %s %s %s %s " "sni:%s names:%s " @@ -470,7 +508,7 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) #ifdef HAVE_LOCAL_PROCINFO " %s" #endif /* HAVE_LOCAL_PROCINFO */ - "%s\n", + "%s%s%s\n", STRORDASH(ctx->src_str), STRORDASH(ctx->dst_str), STRORDASH(ctx->http_host), @@ -487,7 +525,9 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) #ifdef HAVE_LOCAL_PROCINFO lpi, #endif /* HAVE_LOCAL_PROCINFO */ - ctx->ocsp_denied ? " ocsp:denied" : ""); + ctx->ocsp_denied ? " ocsp:denied" : "", + ctx->opts->certgendir ? origfprstr : "", + ctx->opts->certgendir ? newfprstr : ""); } if ((rv < 0 ) || !msg) { ctx->enomem = 1; @@ -803,14 +843,14 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); ssl_x509_fingerprint_sha1(cert->crt, newfpr); char *origfprstr, *newfprstr; - asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" - "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", + asprintf(&origfprstr,"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); - asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x" - "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x", + asprintf(&newfprstr,"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], From 4f310a877a4aa5c4c21e8367ada86848d6a5b9f0 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 21:43:05 +0000 Subject: [PATCH 06/10] implemented -W to write original certs --- main.c | 12 +++++++++++- opts.h | 1 + pxyconn.c | 9 +++++++++ sslsplit.1 | 3 +++ 4 files changed, 24 insertions(+), 1 deletion(-) diff --git a/main.c b/main.c index d6d28ba..037d7fd 100644 --- a/main.c +++ b/main.c @@ -113,6 +113,7 @@ main_usage(void) " -C pemfile use CA chain from pemfile (intermediate and root CA certs)\n" " -K pemfile use key from pemfile for leaf certs (default: generate)\n" " -w gendir write generated key/cert pairs to gendir\n" +" -W gendir same as -w but also write the original cert\n" " -t certdir use cert+chain+key PEM files from certdir to target all sites\n" " matching the common names (non-matching: generate if CA)\n" " -O deny all OCSP requests on all proxyspecs\n" @@ -276,7 +277,7 @@ main(int argc, char *argv[]) } while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z OPT_i - "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhw:")) != -1) { + "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhW:w:")) != -1) { switch (ch) { case 'c': if (opts->cacrt) @@ -520,7 +521,16 @@ main(int argc, char *argv[]) opts->contentlog_isdir = 0; opts->contentlog_isspec = 1; break; + case 'W': + opts->writeorig = 1; + if (opts->certgendir) + free(opts->certgendir); + opts->certgendir = strdup(optarg); + if (!opts->certgendir) + oom_die(argv0); + break; case 'w': + opts->writeorig = 0; if (opts->certgendir) free(opts->certgendir); opts->certgendir = strdup(optarg); diff --git a/opts.h b/opts.h index 6098b83..cfcd415 100644 --- a/opts.h +++ b/opts.h @@ -101,6 +101,7 @@ typedef struct opts { #endif /* !OPENSSL_NO_ECDH */ proxyspec_t *spec; char *certgendir; + unsigned int writeorig: 1; } opts_t; opts_t *opts_new(void) MALLOC; diff --git a/pxyconn.c b/pxyconn.c index 5d1a85f..2819332 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -869,6 +869,15 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) PEM_write_X509(crtfd, cert->crt); fclose(crtfd); } + if (ctx->opts->writeorig) { + char *origfn; + asprintf(&origfn, "%s/%s.crt", ctx->opts->certgendir, origfprstr); + FILE *origfd = fopen(origfn, "w"); + if (origfd) { + PEM_write_X509(origfd, ctx->origcrt); + fclose(origfd); + } + } } return cert; diff --git a/sslsplit.1 b/sslsplit.1 index a67ed38..fc73cce 100644 --- a/sslsplit.1 +++ b/sslsplit.1 @@ -188,6 +188,9 @@ If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key. .B \-w \fIgendir\fP Write generated keys and certificates to individual files in \fIgendir\fP. .TP +.B \-W \fIgendir\fP +Same as -w, but also write original certificates +.TP .B \-l \fIlogfile\fP Log connections to \fIlogfile\fP in a single line per connection format, including addresses and ports and some HTTP and SSL information, if available. From 5d7c52cde14540264f6b7df9429539ab3a27db74 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 21:43:49 +0000 Subject: [PATCH 07/10] fix manpage --- sslsplit.1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sslsplit.1 b/sslsplit.1 index fc73cce..e698952 100644 --- a/sslsplit.1 +++ b/sslsplit.1 @@ -30,15 +30,15 @@ sslsplit \-\- transparent and scalable SSL/TLS interception .SH SYNOPSIS .na .B sslsplit -[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP +[\fB-kCKwWOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fIproxyspecs\fP [...] .br .B sslsplit -[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP +[\fB-kCKwWOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP \fIproxyspecs\fP [...] .br .B sslsplit -[\fB-OPZwdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP +[\fB-OPZwWdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP \fIproxyspecs\fP [...] .br .B sslsplit -E From 1736564b3212cffd3b12d7bca4cd78ba20ad1666 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Tue, 9 Dec 2014 23:26:00 +0000 Subject: [PATCH 08/10] error handling --- pxyconn.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pxyconn.c b/pxyconn.c index 2819332..e498696 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -864,10 +864,16 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) if (keyfd) { PEM_write_PrivateKey(keyfd, cert->key, NULL, 0, 0, NULL, NULL); fclose(keyfd); + } else { + log_err_printf("Failed to open '%s' for writing: %s\n", + keyfn, strerror(errno)); } if (crtfd) { PEM_write_X509(crtfd, cert->crt); fclose(crtfd); + } else { + log_err_printf("Failed to open '%s' for writing: %s\n", + keyfn, strerror(errno)); } if (ctx->opts->writeorig) { char *origfn; @@ -876,6 +882,9 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) if (origfd) { PEM_write_X509(origfd, ctx->origcrt); fclose(origfd); + } else { + log_err_printf("Failed to open '%s' for writing: %s\n", + keyfn, strerror(errno)); } } } From a83cd68605fbafd9848c3eadf6f002f87f40da26 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Thu, 11 Dec 2014 13:57:50 +0000 Subject: [PATCH 09/10] stored fpr as char* in ctx --- pxyconn.c | 92 ++++++++++++++++++------------------------------------- 1 file changed, 30 insertions(+), 62 deletions(-) diff --git a/pxyconn.c b/pxyconn.c index e498696..ae2f0b9 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -167,6 +167,8 @@ typedef struct pxy_conn_ctx { socklen_t addrlen; int af; X509 *origcrt; + char *origfpr[SSL_X509_FPRSZ*2+1]; + char *newfpr[SSL_X509_FPRSZ*2+1]; /* references to event base and configuration */ struct event_base *evbase; @@ -357,23 +359,6 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx) } #endif /* HAVE_LOCAL_PROCINFO */ - unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; - ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); - ssl_x509_fingerprint_sha1(SSL_get_certificate(ctx->src.ssl), newfpr); - char *origfprstr, *newfprstr; - asprintf(&origfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" - "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", - origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], - origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], - origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], - origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); - asprintf(&newfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" - "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", - newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], - newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], - newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], - newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); - if (!ctx->spec->ssl || ctx->passthrough) { rv = asprintf(&msg, "%s %s %s" #ifdef HAVE_LOCAL_PROCINFO @@ -394,7 +379,7 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx) #ifdef HAVE_LOCAL_PROCINFO " %s" #endif /* HAVE_LOCAL_PROCINFO */ - "%s%s\n", + " %s %s\n", STRORDASH(ctx->src_str), STRORDASH(ctx->dst_str), STRORDASH(ctx->sni), @@ -407,8 +392,8 @@ pxy_log_connect_nonhttp(pxy_conn_ctx_t *ctx) , lpi #endif /* HAVE_LOCAL_PROCINFO */ , - ctx->opts->certgendir ? origfprstr : "", - ctx->opts->certgendir ? newfprstr : ""); + *ctx->origfpr, + *ctx->newfpr); } if ((rv < 0) || !msg) { ctx->enomem = 1; @@ -465,29 +450,12 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) } #endif /* HAVE_LOCAL_PROCINFO */ - unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; - ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); - ssl_x509_fingerprint_sha1(SSL_get_certificate(ctx->src.ssl), newfpr); - char *origfprstr, *newfprstr; - asprintf(&origfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" - "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", - origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], - origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], - origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], - origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); - asprintf(&newfprstr," %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" - "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", - newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], - newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], - newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], - newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); - if (!ctx->spec->ssl) { rv = asprintf(&msg, "http %s %s %s %s %s %s %s" #ifdef HAVE_LOCAL_PROCINFO " %s" #endif /* HAVE_LOCAL_PROCINFO */ - "%s%s%s\n", + "%s %s %s\n", STRORDASH(ctx->src_str), STRORDASH(ctx->dst_str), STRORDASH(ctx->http_host), @@ -499,8 +467,8 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) lpi, #endif /* HAVE_LOCAL_PROCINFO */ ctx->ocsp_denied ? " ocsp:denied" : "", - ctx->opts->certgendir ? origfprstr : "", - ctx->opts->certgendir ? newfprstr : ""); + *ctx->origfpr, + *ctx->newfpr); } else { rv = asprintf(&msg, "https %s %s %s %s %s %s %s " "sni:%s names:%s " @@ -508,7 +476,7 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) #ifdef HAVE_LOCAL_PROCINFO " %s" #endif /* HAVE_LOCAL_PROCINFO */ - "%s%s%s\n", + "%s %s %s\n", STRORDASH(ctx->src_str), STRORDASH(ctx->dst_str), STRORDASH(ctx->http_host), @@ -526,8 +494,8 @@ pxy_log_connect_http(pxy_conn_ctx_t *ctx) lpi, #endif /* HAVE_LOCAL_PROCINFO */ ctx->ocsp_denied ? " ocsp:denied" : "", - ctx->opts->certgendir ? origfprstr : "", - ctx->opts->certgendir ? newfprstr : ""); + *ctx->origfpr, + *ctx->newfpr); } if ((rv < 0 ) || !msg) { ctx->enomem = 1; @@ -838,26 +806,26 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) cert_set_chain(cert, ctx->opts->chain); } + unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; + ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); + ssl_x509_fingerprint_sha1(cert->crt, newfpr); + asprintf(ctx->origfpr,"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", + origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], + origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], + origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], + origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); + asprintf(ctx->newfpr,"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", + newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], + newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], + newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], + newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); + if (ctx->opts->certgendir) { - unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ]; - ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr); - ssl_x509_fingerprint_sha1(cert->crt, newfpr); - char *origfprstr, *newfprstr; - asprintf(&origfprstr,"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" - "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", - origfpr[0], origfpr[1], origfpr[2], origfpr[3], origfpr[4], - origfpr[5], origfpr[6], origfpr[7], origfpr[8], origfpr[9], - origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14], - origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]); - asprintf(&newfprstr,"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X" - "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", - newfpr[0], newfpr[1], newfpr[2], newfpr[3], newfpr[4], - newfpr[5], newfpr[6], newfpr[7], newfpr[8], newfpr[9], - newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14], - newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); char *keyfn, *crtfn; - asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr); - asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr); + asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, *ctx->origfpr, *ctx->newfpr); + asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, *ctx->origfpr, *ctx->newfpr); FILE *keyfd, *crtfd; keyfd = fopen(keyfn, "w"); crtfd = fopen(crtfn, "w"); @@ -877,7 +845,7 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) } if (ctx->opts->writeorig) { char *origfn; - asprintf(&origfn, "%s/%s.crt", ctx->opts->certgendir, origfprstr); + asprintf(&origfn, "%s/%s.crt", ctx->opts->certgendir, *ctx->origfpr); FILE *origfd = fopen(origfn, "w"); if (origfd) { PEM_write_X509(origfd, ctx->origcrt); From 3aff928dafcfabb180d353dfa225b122601299b0 Mon Sep 17 00:00:00 2001 From: PsychoMario Date: Fri, 12 Dec 2014 17:28:06 +0000 Subject: [PATCH 10/10] moved key output to main.c, caught some bugs --- main.c | 24 ++++++++++++++++++++++++ pxyconn.c | 17 ++++------------- 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/main.c b/main.c index e8b9217..cf2a043 100644 --- a/main.c +++ b/main.c @@ -770,6 +770,30 @@ main(int argc, char *argv[]) } } + if (opts->certgendir) { + unsigned char *keyfpr = malloc(SSL_KEY_IDSZ); + if(ssl_key_identifier_sha1(opts->key, keyfpr)) { + fprintf(stderr, "%s: error generating RSA fingerprint\n", argv0); + exit(EXIT_FAILURE); + } + char *keyfn; + asprintf(&keyfn, "%s/%02X%02X%02X%02X%02X%02X%02X%02X%02X" + "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X.key", + opts->certgendir, + keyfpr[0], keyfpr[1], keyfpr[2], keyfpr[3], keyfpr[4], + keyfpr[5], keyfpr[6], keyfpr[7], keyfpr[8], keyfpr[9], + keyfpr[10], keyfpr[11], keyfpr[12], keyfpr[13], keyfpr[14], + keyfpr[15], keyfpr[16], keyfpr[17], keyfpr[18], keyfpr[19]); + FILE *keyfd = fopen(keyfn,"w"); + if (!keyfd) { + log_err_printf("Failed to open '%s' for writing: %s\n", + keyfn, strerror(errno)); + } else { + PEM_write_PrivateKey(keyfd, opts->key, NULL, 0, 0, NULL, NULL); + fclose(keyfd); + } + } + /* usage checks after defaults */ if (opts->dropgroup && !opts->dropuser) { fprintf(stderr, "%s: -m depends on -u.\n", argv0); diff --git a/pxyconn.c b/pxyconn.c index ae2f0b9..91e5c7f 100644 --- a/pxyconn.c +++ b/pxyconn.c @@ -823,25 +823,16 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]); if (ctx->opts->certgendir) { - char *keyfn, *crtfn; - asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, *ctx->origfpr, *ctx->newfpr); + char *crtfn; asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, *ctx->origfpr, *ctx->newfpr); - FILE *keyfd, *crtfd; - keyfd = fopen(keyfn, "w"); + FILE *crtfd; crtfd = fopen(crtfn, "w"); - if (keyfd) { - PEM_write_PrivateKey(keyfd, cert->key, NULL, 0, 0, NULL, NULL); - fclose(keyfd); - } else { - log_err_printf("Failed to open '%s' for writing: %s\n", - keyfn, strerror(errno)); - } if (crtfd) { PEM_write_X509(crtfd, cert->crt); fclose(crtfd); } else { log_err_printf("Failed to open '%s' for writing: %s\n", - keyfn, strerror(errno)); + crtfn, strerror(errno)); } if (ctx->opts->writeorig) { char *origfn; @@ -852,7 +843,7 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx) fclose(origfd); } else { log_err_printf("Failed to open '%s' for writing: %s\n", - keyfn, strerror(errno)); + origfn, strerror(errno)); } } }