@ -35,8 +35,7 @@ back from the program. Upon receiving the packets back, SSLproxy re-encrypts
and sends them to their original destination. The return traffic follows the
and sends them to their original destination. The return traffic follows the
same path back to the client in reverse order.
same path back to the client in reverse order.
![Mode of Operation
![Mode of Operation Diagram](https://drive.google.com/uc?id=1N_Yy5nMPDSvY8YaNFd4sHvipyLWq5zDy)
Diagram](https://drive.google.com/uc?id=1N_Yy5nMPDSvY8YaNFd4sHvipyLWq5zDy)
This is similar in principle to [divert
This is similar in principle to [divert
sockets](https://man.openbsd.org/divert.4), where the packet filter diverts the
sockets](https://man.openbsd.org/divert.4), where the packet filter diverts the
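Review bot: the diagram is still loaded from a Google Drive share link (`https://drive.google.com/uc?id=...`); whoever controls that Drive file can change or remove the image the README shows, so consider committing the image to the repository and referencing it by relative path instead of a third-party URL.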
@ -53,14 +52,17 @@ For example, given the following proxy specification:
https 127.0.0.1 8443 up:8080
https 127.0.0.1 8443 up:8080
SSLproxy listens for HTTPS connections on 127.0.0.1:8443. Upon receiving a
- SSLproxy listens for HTTPS connections on 127.0.0.1:8443.
connection from the Client, it decrypts and diverts the packets to a Program
- Upon receiving a connection from the Client, it decrypts and diverts the
listening on 127.0.0.1:8080. After processing the packets, the Program gives
packets to a Program listening on 127.0.0.1:8080. The default return address
them back to SSLproxy listening on a dynamically assigned address, which the
is 127.0.0.1, which can be configured by the `ua` option.
Program obtains from the SSLproxy line in the first packet in the connection.
- After processing the packets, the Program gives them back to SSLproxy
Then SSLproxy re-encrypts and sends the packets to the Server. The response
listening on a dynamically assigned address, which the Program obtains from
from the Server follows the same path to the Client in reverse
the SSLproxy line in the first packet in the connection.
order.
- Then SSLproxy re-encrypts and sends the packets to the Server.
The response from the Server follows the same path back to the Client in
reverse order.
#### SSLproxy line
#### SSLproxy line
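Review bot: the added sentence "The default return address is 127.0.0.1, which can be configured by the `ua` option" mixes up two different addresses. In the proxyspec, `up:8080` together with `ua` names the listening program that SSLproxy diverts packets to (the later example describes `ua` as "divert packets to 192.168.0.1:8080"), while the address SSLproxy listens on for the returned packets is set by the `ra` option. Either say "the default divert address is 127.0.0.1, configurable with `ua`" in this bullet, or move the sentence to the bullet about the dynamically assigned return address and name `ra` there.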
@ -69,16 +71,17 @@ following:
SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s
SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s
The first IP:port pair is a dynamically assigned address that SSLproxy expects
- The first IP:port pair is a dynamically assigned address that SSLproxy
the program send the packets back to it. The second and third IP:port pairs
expects the program send the packets back to it.
are the actual source and destination addresses of the connection
- The second and third IP:port pairs are the actual source and destination
respectively. Since the program receives the packets from SSLproxy, it cannot
addresses of the connection respectively. Since the program receives the
determine the source and destination addresses of the packets by itself, hence
packets from SSLproxy, it cannot determine the source and destination
must rely on the information in this SSLproxy line. The last letter is either
addresses of the packets by itself, e.g by asking the NAT engine, hence must
s or p, for SSL/TLS encrypted or plain traffic respectively. This information
rely on the information in the SSLproxy line.
is also important for the program, because it cannot reliably determine if the
- The last letter is either s or p, for SSL/TLS encrypted or plain traffic
actual network traffic it is processing was encrypted or not
respectively. This information is also important for the program, because it
before being diverted to it.
cannot reliably determine if the actual network traffic it is processing was
encrypted or not before being diverted to it.
#### Listening program
#### Listening program
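Review bot: the bullets make the SSLproxy line the program's only source of the connection's real addresses and of the encrypted/plain flag, but they do not say how the program is expected to treat that line. Two things worth stating here: whether the program must strip the `SSLproxy:` line before handing the packets back, and that the program should only accept such a line from SSLproxy itself (listen on loopback or a dedicated interface), since anything else that can reach the `up` port could hand it a line with addresses and an s/p flag of its choosing. Minor: "e.g by asking the NAT engine" needs the period ("e.g.").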
@ -99,11 +102,12 @@ specification:
https 127.0.0.1 8443 up:8080 ua:192.168.0.1 ra:192.168.1.1
https 127.0.0.1 8443 up:8080 ua:192.168.0.1 ra:192.168.1.1
The `ua` option instructs SSLproxy to divert packets to 192.168.0.1:8080,
- The `ua` option instructs SSLproxy to divert packets to 192.168.0.1:8080,
instead of 127.0.0.1:8080 as in the previous example. Also, the `ra` option
instead of 127.0.0.1:8080 as in the previous proxyspec example.
instructs SSLproxy to listen for returned packets from the program on
- The `ra` option instructs SSLproxy to listen for returned packets from the
192.168.1.1. Accordingly, the line SSLproxy inserts into the first packet in
program on 192.168.1.1, instead of 127.0.0.1 as in the previous SSLproxy line.
the connection now becomes:
Accordingly, the SSLproxy line now becomes:
SSLproxy: [192.168.1.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s
SSLproxy: [192.168.1.1]:34649,[192.168.3.24]:47286,[192.168.111.130]:443,s
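Review bot: with `ua:192.168.0.1` and `ra:192.168.1.1` the decrypted traffic leaves the host: SSLproxy sends plaintext to 192.168.0.1:8080 and the program returns plaintext to 192.168.1.1:34649, whereas in the previous example (127.0.0.1 for both) it never left the machine. The bullets should say so and advise that the path between the `ua` and `ra` addresses sit on a trusted or isolated network segment. Small wording point: "divert packets to 192.168.0.1:8080" could mention that the port is the `up:8080` value, since only the address changes with `ua`.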
@ -172,7 +176,8 @@ the connection is terminated immediately. This is in contrast to SSLsplit,
because in order to maximize the chances that a connection can be successfully
because in order to maximize the chances that a connection can be successfully
split, SSLsplit accepts all certificates by default, including self-signed
split, SSLsplit accepts all certificates by default, including self-signed
ones. See [The Risks of SSL Inspection](https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html)
ones. See [The Risks of SSL Inspection](https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html)
for the reasons of this difference.
for the reasons of this difference. You can disable this feature by the
VerifyPeer option.
#### Client certificates
#### Client certificates
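Review bot: "You can disable this feature by the VerifyPeer option" is too vague for a setting that weakens the security property the paragraph has just described. Name the option and the value that turns verification off, and say plainly what the result is: SSLproxy then accepts upstream certificates it cannot verify, self-signed ones included, which is exactly the SSLsplit default the preceding sentences and the linked article warn against. A reader should leave this paragraph knowing the option is a deliberate trade-off, not a convenience switch.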
@ -201,7 +206,7 @@ be created using the following SQL statement:
);
);
SSLproxy does not create this users table or the database file by itself, nor
SSLproxy does not create this users table or the database file by itself, nor
does it log users in or out. So the database file and this table should
does it log users in or out. So the database file and the users table should
already exist at the location pointed to by the UserDBPath option. An external
already exist at the location pointed to by the UserDBPath option. An external
program should log users in and out on the users table. The external program
program should log users in and out on the users table. The external program
should fill out all the fields in user records, except perhaps for the DESC
should fill out all the fields in user records, except perhaps for the DESC
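Review bot: since an external program, not SSLproxy, writes the users table that later decides whether a user's connections are diverted, passed through or blocked, this paragraph should state the expected ownership and permissions of the file at UserDBPath (writable only by that program, readable by SSLproxy). As written it only says the file must exist; anything that can write to it can rewrite the policy.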
@ -244,19 +249,22 @@ listening programs.
- Connections from users in DivertUsers, if defined, are diverted to listening
- Connections from users in DivertUsers, if defined, are diverted to listening
programs.
programs.
- Connections from users in PassUsers, if defined, are simply passed through
- Connections from users in PassUsers, if defined, are simply passed through
to their original destinations.
to their original destinations. SSLproxy engages the Passthrough mode for that
- Users not listed in DivertUsers or PassUsers are blocked.
purpose.
- If no DivertUsers list is defined, only users *not* listed in PassUsers are
- if both DivertUsers and PassUsers are defined, users not listed in either of
diverted to listening programs.
the lists are blocked. SSLproxy simply terminates their connections.
- If *no* DivertUsers list is defined, only users *not* listed in PassUsers
are diverted to listening programs.
These user control lists can be defined globally or per-proxyspec.
These user control lists can be defined globally or per-proxyspec.
### Servers excluded from SSL inspection
### Excluding sites from SSL inspection
PassSite option allows certain SSL sites to be excluded from SSL inspection.
PassSite option allows certain SSL sites to be excluded from SSL inspection.
If a PassSite matches SNI or common names in the SSL certificate, the
If a PassSite matches the SNI or common names in the SSL certificate of a
connection is passed through the proxy without being diverted to the listening
connection, that connection is passed through the proxy without being diverted
program. For example, sites requiring client authentication can be added as
to the listening program. SSLproxy engages the Passthrough mode for that
purpose. For example, sites requiring client authentication can be added as
PassSite.
PassSite.
Per-site filters can be defined using client IP addresses, users, and
Per-site filters can be defined using client IP addresses, users, and
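Review bot: the rewritten user-control list drops a case the old text covered. The old bullet "Users not listed in DivertUsers or PassUsers are blocked" applied whenever a user was in neither list; the new bullets only handle "both DivertUsers and PassUsers are defined" and "no DivertUsers list is defined", so the behaviour for DivertUsers defined with PassUsers undefined (are unlisted users blocked, or passed through?) is now unstated and should be added. Style: the new bullet starts with a lowercase "if both". In the PassSite paragraph, since a match on the SNI alone is enough for passthrough and the SNI is chosen by the client, it is worth a sentence saying that PassSite is a convenience for known sites (such as those needing client authentication) rather than a control the client cannot influence.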
@ -306,7 +314,7 @@ LibreSSL.
With the requirements above available, run:
With the requirements above available, run:
make
make
make test # optional unit tests
make test # optional unit and e2e tests
make sudotest # optional unit tests requiring privileges
make sudotest # optional unit tests requiring privileges
make install # optional install
make install # optional install