TLS Interposer

OpenSSL library interposer to get software to use more secure TLS protocol variants.

Functionality

Disables SSLv2 and SSLv3 (broken), enables everything else (starting at OpenSSL 1.0.1 up to TLS 1.2)
Enables ECDHE algorithms for forward secrecy
Disables all weak algorithms; by default including RC4 as a last resort compatibility mode

LD_PRELOAD: Used by ld.so, should be set to /full/path/to/tlsinterposer.so
TLS_INTERPOSER_CIPHERS: The ciphers to use, defaults to Qualys SSLlabs recommendations
TLS_INTERPOSER_OPTIONS: Comma-separated list of options
- debug: Be verbose, by default on stderr
- logfile: Log to /var/log/tlsinterposer.log; fall back to stderr
- libssl=: Full name of libssl.so.X.Y.Z, if not autodetected correctly
- -comp: Disable compression
- -ccert: Prevent the server from asking for client certificates
- +sorder: Force server cipher order, aka tls_preempt_cipherlist (Postfix) or SSLHonorCipherOrder (Apache httpd)
- -rc4: Changes the default ciphers from Qualys recommendations with to without RC4 (has no effect on TLS_INTERPOSER_CIPHERS)
- -tlsv1: Disable TLSv1, leaving TLSv1.1 and TLSv1.2, if supported
- +sslv3: Reenable SSLv3 (advised against)
- +sslv2: Reenable SSLv2 (strongly advised against)

Download, make, make install.

Start the process with LD_PRELOAD environment variable set to /path/to/libtlsinterposer.so . For example,

env LD_PRELOAD=/usr/local/lib/libtlsinterposer.so apache2ctl start

enables Apache 2.2 to use the modern ciphers.

More information and documentation is available at https://netfuture.ch/tools/tls-interposer/

Name		Name	Last commit message	Last commit date
Latest commit History 70 Commits
tests		tests
.gitignore		.gitignore
CHANGES.txt		CHANGES.txt
LICENSE.txt		LICENSE.txt
Makefile		Makefile
README.md		README.md
TLS Interposer Logo.png		TLS Interposer Logo.png
tlsinterposer.c		tlsinterposer.c