Improve CA cert/key config code and docs

Make -c and -k functional twins by also loading DH params in -c and by
fixing certificate loading in -k.  Improve the documentation for both
switches and simplify the SYNOPSIS in sslsplit(1).
pull/13/head
Daniel Roethlisberger 12 years ago
parent c5335afc3b
commit 7aca81a7b7

@ -98,8 +98,8 @@ main_usage(void)
fprintf(stderr,
"Usage: %s [options...] [proxyspecs...]\n"
" -k pemfile use CA key from pemfile to sign forged certs\n"
" -c pemfile use CA cert from pemfile to sign forged certs\n"
" -c pemfile use CA cert (and key) from pemfile to sign forged certs\n"
" -k pemfile use CA key (and cert) from pemfile to sign forged certs\n"
" -C pemfile use CA chain from pemfile (intermediate and root CA certs)\n"
" -K pemfile use key from pemfile for leaf certs (default: generate)\n"
" -t certdir use cert+chain+key PEM files from certdir to target all sites\n"
@ -226,13 +226,13 @@ main(int argc, char *argv[])
while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z
"k:c:C:K:t:OPs:e:Eu:j:p:l:L:S:dDVh")) != -1) {
switch (ch) {
case 'k':
if (opts->cakey)
EVP_PKEY_free(opts->cakey);
opts->cakey = ssl_key_load(optarg);
if (!opts->cakey) {
case 'c':
if (opts->cacrt)
X509_free(opts->cacrt);
opts->cacrt = ssl_x509_load(optarg);
if (!opts->cacrt) {
fprintf(stderr, "%s: error loading CA "
"key from '%s':\n",
"cert from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
@ -242,8 +242,10 @@ main(int argc, char *argv[])
}
exit(EXIT_FAILURE);
}
if (!opts->cacrt) {
opts->cacrt = ssl_x509_load(optarg);
ssl_x509_refcount_inc(opts->cacrt);
sk_X509_insert(opts->chain, opts->cacrt, 0);
if (!opts->cakey) {
opts->cakey = ssl_key_load(optarg);
}
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
@ -251,13 +253,13 @@ main(int argc, char *argv[])
}
#endif /* !OPENSSL_NO_DH */
break;
case 'c':
if (opts->cacrt)
X509_free(opts->cacrt);
opts->cacrt = ssl_x509_load(optarg);
if (!opts->cacrt) {
case 'k':
if (opts->cakey)
EVP_PKEY_free(opts->cakey);
opts->cakey = ssl_key_load(optarg);
if (!opts->cakey) {
fprintf(stderr, "%s: error loading CA "
"cert from '%s':\n",
"key from '%s':\n",
argv0, optarg);
if (errno) {
fprintf(stderr, "%s\n",
@ -267,11 +269,20 @@ main(int argc, char *argv[])
}
exit(EXIT_FAILURE);
}
if (!opts->cakey) {
opts->cakey = ssl_key_load(optarg);
if (!opts->cacrt) {
opts->cacrt = ssl_x509_load(optarg);
if (opts->cacrt) {
ssl_x509_refcount_inc(
opts->cacrt);
sk_X509_insert(opts->chain,
opts->cacrt, 0);
}
}
ssl_x509_refcount_inc(opts->cacrt);
sk_X509_insert(opts->chain, opts->cacrt, 0);
#ifndef OPENSSL_NO_DH
if (!opts->dh) {
opts->dh = ssl_dh_load(optarg);
}
#endif /* !OPENSSL_NO_DH */
break;
case 'C':
if (ssl_x509chain_load(NULL, &opts->chain,
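Review bot: The chain entry pushed by the new `-k` branch (`sk_X509_insert(opts->chain, opts->cacrt, 0)` after the `ssl_x509_load` fallback) is never withdrawn when a later `-c` frees and replaces `opts->cacrt`, so `-k combined.pem -c ca.pem`, or `-c` given twice, leaves the earlier CA certificate in the sent chain alongside the replacement; the old `-k` code had the same insert, but it appears to have only become reachable with this fix. In the `-c` branch the replacement should drop the stale entry before freeing it, e.g. `if (opts->cacrt) { X509_free(sk_X509_delete_ptr(opts->chain, opts->cacrt)); X509_free(opts->cacrt); }`, which relies on `sk_X509_delete_ptr` returning NULL when the cert is not in the chain. Both branches also ignore the return value of `sk_X509_insert`, which leaks the extra reference on allocation failure. Since `-c` and `-k` now each silently pick up whatever the other's PEM file holds, a mismatch between key and cert would only surface as clients rejecting forged certificates; a single `X509_check_private_key(opts->cacrt, opts->cakey)` check after option parsing would report it at startup, though that spot lies outside this hunk, and `main` itself continues past it.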

@ -30,22 +30,16 @@ sslsplit \-\- transparent and scalable SSL/TLS interception
.SH SYNOPSIS
.na
.B sslsplit
[\fB-OPZdDgGseujplLS\fP]
\fB-k\fP \fIpem\fP \fB-c\fP \fIpem\fP [\fB-C\fP \fIpem\fP] \
[\fB-K\fP \fIpem\fP]
\fIspecs\fP
[\fB-kCKOPZdDgGseujplLS\fP] \fB-c\fP \fIpem\fP
\fIproxyspecs\fP [...]
.br
.B sslsplit
[\fB-OPZdDgGseujplLS\fP]
\fB-t\fP \fIdir\fP
\fIspecs\fP
[\fB-kCKOPZdDgGseujplLS\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP
\fIproxyspecs\fP [...]
.br
.B sslsplit
[\fB-OPZdDgGseujplLS\fP]
\fB-t\fP \fIdir\fP
\fB-k\fP \fIpem\fP \fB-c\fP \fIpem\fP [\fB-C\fP \fIpem\fP] \
[\fB-K\fP \fIpem\fP]
\fIspecs\fP
[\fB-OPZdDgGseujplLS\fP] \fB-t\fP \fIdir\fP
\fIproxyspecs\fP [...]
.br
.B sslsplit -E
.br
@ -86,6 +80,8 @@ SSLsplit does not implement the actual traffic redirection.
Use CA certificate from \fIpemfile\fP to sign certificates forged on-the-fly.
If \fIpemfile\fP also contains the matching CA private key, it is also loaded,
otherwise it must be provided with \fB-k\fP.
If \fIpemfile\fP also contains Diffie-Hellman group parameters, they are also
loaded, otherwise they can be provided with \fB-g\fP.
If \fB-t\fP is also given, SSLsplit will only forge a certificate if there is
no matching certificate in the provided certificate directory.
.TP
@ -104,7 +100,7 @@ Run in debug mode, log lots of debugging information to standard error. This
also forces foreground mode and cannot be used with \fB-d\fP.
.TP
.B \-e \fIengine\fP
Use \fIengine\fP as the default NAT engine for \fIspecs\fP without
Use \fIengine\fP as the default NAT engine for \fIproxyspecs\fP without
explicit NAT engine, static destination address or SNI mode.
\fIengine\fP can be any of the NAT engines supported by the system, as
returned by \fB-E\fP.
@ -151,6 +147,8 @@ If \fB-j\fP is not given, SSLsplit will automatically change root directory to
Use CA private key from \fIpemfile\fP to sign certificates forged on-the-fly.
If \fIpemfile\fP also contains the matching CA certificate, it is also loaded,
otherwise it must be provided with \fB-c\fP.
If \fIpemfile\fP also contains Diffie-Hellman group parameters, they are also
loaded, otherwise they can be provided with \fB-g\fP.
If \fB-t\fP is also given, SSLsplit will only forge a certificate if there is
no matching certificate in the provided certificate directory.
.TP
@ -168,9 +166,10 @@ parsable log format with transmitted data, prepended with headers identifying
the connection and the data length of each logged segment.
.TP
.B \-O
Deny all Online Certificate Status Protocol (OCSP) requests on all proxy
\fIspecs\fP and for all OCSP servers with an OCSP response of \fBtryLater\fP,
causing OCSP clients to temporarily accept even revoked certificates.
Deny all Online Certificate Status Protocol (OCSP) requests on all
\fIproxyspecs\fP and for all OCSP servers with an OCSP response of
\fBtryLater\fP, causing OCSP clients to temporarily accept even revoked
certificates.
HTTP requests are being treated as OCSP requests if the method is \fBGET\fP
and the URI contains a syntactically valid OCSPRequest ASN.1 structure
parsable by OpenSSL, or if the method is \fBPOST\fP and the \fBContent-Type\fP
@ -241,7 +240,7 @@ limiting factor is CPU, not network bandwidth.
The \fB-Z\fP option is only available if SSLsplit was built against a version
of OpenSSL which supports disabling compression.
.SH "PROXY SPECIFICATIONS"
Proxy specifications (\fIspecs\fP) consist of the connection type, listen
Proxy specifications (\fIproxyspecs\fP) consist of the connection type, listen
address and static forward address or address resolution mechanism (NAT engine,
SNI DNS lookup):
.LP
@ -278,7 +277,7 @@ is used, connections are forwarded to the given server address and port.
\fBsni\fP \fIport\fP
Use the Server Name Indication (SNI) hostname sent by the client in the
ClientHello SSL/TLS message to determine the IP address of the server to
connect to. This only works for \fBssl\fP and \fBhttps\fP \fIspecs\fP and
connect to. This only works for \fBssl\fP and \fBhttps\fP \fIproxyspecs\fP and
needs a port or service name as an argument.
This is the only way to redirect traffic transparently using NAT rules and run
\fBsslsplit\fP on a different system than the NAT engine.
