Archives/SSLproxy
2
0
Fork 0
mirror of https://github.com/sonertari/SSLproxy synced 2024-11-06 09:20:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Verify upstream certificates, see https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html

Browse Source
This commit is contained in:
Soner Tari 2018-01-17 03:54:16 +03:00
parent 3ae89131dc
commit a2b14097dd
2 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@ -97,11 +97,12 @@ usage. Accordingly, connections are closed if they remain idle for a certain
period of time. The default timeout is 120 seconds, which can be changed in a
configuration file.
In order to maximize the chances that a connection can be successfully split,
SSLproxy does not verify upstream server certificates. Instead, all
certificates including self-signed are accepted and if the expected hostname
signaled in SNI is missing from the server certificate, it will be added to
dynamically forged certificates.
SSLproxy always verifies upstream certificates. This is in contrast to
SSLsplit, because in order to maximize the chances that a connection can be
successfully split, SSLsplit accepts all certificates including self-signed
ones. See [The Risks of SSL
Inspection](https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspectio
n.html) for the details of this difference.
SSLproxy does not automagically redirect any network traffic. To actually
implement a proxy, you also need to redirect the traffic to the system

5
pxyconn.c
View File

@ -1286,7 +1286,8 @@ pxy_dstssl_create(pxy_conn_ctx_t *ctx)
pxy_sslctx_setoptions(sslctx, ctx);
SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER, NULL);
SSL_CTX_set_default_verify_paths(sslctx);
ssl = SSL_new(sslctx);
SSL_CTX_free(sslctx); /* SSL_new() increments refcount */
@ -2688,7 +2689,7 @@ pxy_connected_enable(struct bufferevent *bev, pxy_conn_ctx_t *ctx)
log_dbg_level_printf(LOG_DBG_MODE_FINER, "pxy_connected_enable: evutil_closesocket srv_dst->bev, fd=%d\n", bufferevent_getfd(srv_dst->bev));
#endif /* DEBUG_PROXY */
// @attention Since both eventcb and writecb for srv_dst are enabled, either eventcb or writecb may get a NULL srv_dst bev, causing a crash with signal 10.
// So, from this point on, we should check if srv_dst in NULL or not.
// So, from this point on, we should check if srv_dst is NULL or not.
bufferevent_free_and_close_fd(srv_dst->bev, ctx);
srv_dst->bev = NULL;
srv_dst->closed = 1;