@ -30,22 +30,16 @@ sslsplit \-\- transparent and scalable SSL/TLS interception
.SH SYNOPSIS
.na
.B sslsplit
[\fB -OPZdDgGseujplLS\fP ]
\fB -k\fP \fI pem\fP \fB -c\fP \fI pem\fP [\fB -C\fP \fI pem\fP ] \
[\fB -K\fP \fI pem\fP ]
\fI specs\fP
[\fB -kCKOPZdDgGseujplLS\fP ] \fB -c\fP \fI pem\fP
\fI proxyspecs\fP [...]
.br
.B sslsplit
[\fB -OPZdDgGseujplLS\fP ]
\fB -t\fP \fI dir\fP
\fI specs\fP
[\fB -kCKOPZdDgGseujplLS\fP ] \fB -c\fP \fI pem\fP \fB -t\fP \fI dir\fP
\fI proxyspecs\fP [...]
.br
.B sslsplit
[\fB -OPZdDgGseujplLS\fP ]
\fB -t\fP \fI dir\fP
\fB -k\fP \fI pem\fP \fB -c\fP \fI pem\fP [\fB -C\fP \fI pem\fP ] \
[\fB -K\fP \fI pem\fP ]
\fI specs\fP
[\fB -OPZdDgGseujplLS\fP ] \fB -t\fP \fI dir\fP
\fI proxyspecs\fP [...]
.br
.B sslsplit -E
.br
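Review bot: the rewritten synopsis spells the operand \fI proxyspecs\fP (one word, with `[...]` to show repetition), but other replacement lines in this same patch write \fI proxy specs\fP with a space; settle on one spelling for the whole page, preferably the one-word form used here, since it is what a reader will search for. Note also that the second form now requires \fB -c\fP \fI pem\fP together with \fB -t\fP \fI dir\fP while the third form allows \fB -t\fP \fI dir\fP without \fB -c\fP at all, so the \fB -c\fP and \fB -t\fP option descriptions should say explicitly when a CA certificate is optional.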
@ -86,6 +80,8 @@ SSLsplit does not implement the actual traffic redirection.
Use CA certificate from \fI pemfile\fP to sign certificates forged on-the-fly.
If \fI pemfile\fP also contains the matching CA private key, it is also loaded,
otherwise it must be provided with \fB -k\fP .
If \fI pemfile\fP also contains Diffie-Hellman group parameters, they are also
loaded, otherwise they can be provided with \fB -g\fP .
If \fB -t\fP is also given, SSLsplit will only forge a certificate if there is
no matching certificate in the provided certificate directory.
.TP
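Review bot: the added sentence about Diffie-Hellman group parameters in the \fB -c\fP text is repeated word for word in the \fB -k\fP text later in this patch; if both pemfiles carry DH parameters the page should state which one is used (or that the first one loaded wins), or the sentence should appear once under \fB -g\fP with a short cross-reference from \fB -c\fP and \fB -k\fP.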
@ -104,7 +100,7 @@ Run in debug mode, log lots of debugging information to standard error. This
also forces foreground mode and cannot be used with \fB -d\fP .
.TP
.B \- e \fI engine\fP
Use \fI engine\fP as the default NAT engine for \fI specs\fP without
Use \fI engine\fP as the default NAT engine for \fI proxy specs\fP without
explicit NAT engine, static destination address or SNI mode.
\fI engine\fP can be any of the NAT engines supported by the system, as
returned by \fB -E\fP .
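Review bot: the replacement line writes \fI proxy specs\fP with a space, whereas the synopsis and the \fB -O\fP text in this same patch use \fI proxyspecs\fP; use the same form here, e.g. `Use \fI engine\fP as the default NAT engine for \fI proxyspecs\fP without`.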
@ -151,6 +147,8 @@ If \fB-j\fP is not given, SSLsplit will automatically change root directory to
Use CA private key from \fI pemfile\fP to sign certificates forged on-the-fly.
If \fI pemfile\fP also contains the matching CA certificate, it is also loaded,
otherwise it must be provided with \fB -c\fP .
If \fI pemfile\fP also contains Diffie-Hellman group parameters, they are also
loaded, otherwise they can be provided with \fB -g\fP .
If \fB -t\fP is also given, SSLsplit will only forge a certificate if there is
no matching certificate in the provided certificate directory.
.TP
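Review bot: same duplicated Diffie-Hellman sentence as in the \fB -c\fP hunk; with both the DH sentence and the \fB -t\fP sentence now repeated verbatim, the \fB -k\fP and \fB -c\fP descriptions are almost identical, so consider stating the shared behaviour once and having the other option refer to it, which also avoids the two texts drifting apart in future edits.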
@ -168,9 +166,10 @@ parsable log format with transmitted data, prepended with headers identifying
the connection and the data length of each logged segment.
.TP
.B \- O
Deny all Online Certificate Status Protocol (OCSP) requests on all proxy
\fI specs\fP and for all OCSP servers with an OCSP response of \fB tryLater\fP ,
causing OCSP clients to temporarily accept even revoked certificates.
Deny all Online Certificate Status Protocol (OCSP) requests on all
\fI proxyspecs\fP and for all OCSP servers with an OCSP response of
\fB tryLater\fP , causing OCSP clients to temporarily accept even revoked
certificates.
HTTP requests are being treated as OCSP requests if the method is \fB GET\fP
and the URI contains a syntactically valid OCSPRequest ASN.1 structure
parsable by OpenSSL, or if the method is \fB POST\fP and the \fB Content-Type\fP
@ -241,7 +240,7 @@ limiting factor is CPU, not network bandwidth.
The \fB -Z\fP option is only available if SSLsplit was built against a version
of OpenSSL which supports disabling compression.
.SH "PROXY SPECIFICATIONS"
Proxy specifications (\fI specs\fP ) consist of the connection type, listen
Proxy specifications (\fI proxy specs\fP ) consist of the connection type, listen
address and static forward address or address resolution mechanism (NAT engine,
SNI DNS lookup):
.LP
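Review bot: this line is where the term is defined for the reader, yet it introduces it as \fI proxy specs\fP while the section heading is "PROXY SPECIFICATIONS" and the synopsis uses \fI proxyspecs\fP; the definition should match the synopsis, e.g. `Proxy specifications (\fI proxyspecs\fP ) consist of the connection type, listen`.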
@ -278,7 +277,7 @@ is used, connections are forwarded to the given server address and port.
\fB sni\fP \fI port\fP
Use the Server Name Indication (SNI) hostname sent by the client in the
ClientHello SSL/TLS message to determine the IP address of the server to
connect to. This only works for \fB ssl\fP and \fB https\fP \fI specs\fP and
connect to. This only works for \fB ssl\fP and \fB https\fP \fI proxy specs\fP and
needs a port or service name as an argument.
This is the only way to redirect traffic transparently using NAT rules and run
\fB sslsplit\fP on a different system than the NAT engine.
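Review bot: \fI proxy specs\fP again in the replacement line; align it with the one-word spelling used in the synopsis and the \fB -O\fP text so that the page uses a single term throughout.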