@ -3,7 +3,7 @@
. \" https://github.com/sonertari/SSLproxy
. \"
. \" Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
. \" Copyright (c) 2017-201 8 , Soner Tari <sonertari@gmail.com>.
. \" Copyright (c) 2017-201 9 , Soner Tari <sonertari@gmail.com>.
. \" All rights reserved.
. \"
. \" The modifications for SSLproxy are licensed under the same terms as
@ -29,7 +29,7 @@
. \" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
. \" POSSIBILITY OF SUCH DAMAGE.
. \"
.TH "sslproxy" "1" "0 9 Dec 2018" "v0.5.9 " "SSLproxy"
.TH "sslproxy" "1" "0 6 Mar 2019" "v0.5.10 " "SSLproxy"
.SH NAME
sslproxy \- \- transparent SSL/TLS proxy for decrypting and diverting network
traffic to other programs for deep SSL inspection
@ -124,6 +124,29 @@ because in order to maximize the chances that a connection can be successfully
split, SSLsplit accepts all certificates by default, including self-signed
ones.
.LP
If enabled the UserAuth option requires network users to log in to the system
to use SSLproxy (this feature is currently available on OpenBSD only). When
users are logged in, they should be recorded on the users table in an SQLite3
database. The users table is created using the following SQL statement:
.LP
CREATE TABLE USERS(
IP CHAR(45) PRIMARY KEY NOT NULL,
USER CHAR(31) NOT NULL,
ETHER CHAR(17) NOT NULL,
ATIME INT NOT NULL,
DESC CHAR(50)
);
.LP
When SSLproxy accepts a connection, it obtains the ethernet address of the
client IP address from the arp cache of the system, then compares it with
the value in the users table. If the ethernet addresses do not match, the
connection is redirected to the login page. SSLproxy also compares the atime
value in the users table with the current system time. If the difference is
larger than the configured value of the user timeout option, then the
connection is redirected to the login page. The atime of the IP address in the
users table is updated with the system time while the connection is being
terminated.
.LP
Logging options include traditional SSLproxy connect and content log files as
well as PCAP files and mirroring decrypted traffic to a network interface.
Additionally, certificates, master secrets and local process information can be
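Review bot: the new UserAuth paragraph documents the Ethernet-address check without its failure modes. It says the client's Ethernet address is taken from the system ARP cache and compared with the ETHER column of the users table, but not what happens when the ARP cache has no entry for the client IP, or when the client sits behind a router and the cache only holds the gateway's address; state the behaviour for both cases (presumably redirection to the login page, as for a mismatch) and note that the comparison only distinguishes hosts on a directly attached segment and does not protect against a forged Ethernet address. The paragraph also refers to "the configured value of the user timeout option", "the login page" and the SQLite3 database only generically; name the corresponding options or cross-reference them in the OPTIONS section, and write "recorded in the users table" rather than "on". Finally, "updated with the system time while the connection is being terminated" should make explicit that ATIME is refreshed only at connection close and checked only at accept, so a client whose single long-lived connection outlasts the timeout will be sent to the login page when it opens the next one.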