-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certificate error: loading src server certificate failed #248
Comments
Thanks for your detailed report. But a request first: Can you try the same with the I couldn't reproduce the error you have reported using exactly the same commands you have provided (I have copy-pasted from your files). But I only have Kali 2018.1 (not Kali 2019.1), which may explain the different results I have obtained. Kali 2018.1 comes with sslsplit 0.5.0, which does not cause the error you report. So I have compiled the latest develop branch of sslsplit (0.5.4-21-g67b767a), which does not cause that error either, with or without the Please review the debug output below, but pay special attention to the debug line reporting that the client-side is using TLS 1.3: Currently, sslsplit does not support TLS 1.3, hence my request above to disable TLS 1.3. (Unfortunately, there is currently no way of disabling TLS 1.3 only, such as using a
|
Btw, another difference to watch out is that I have used the same IP address 172.16.205.136 for all connections. You use separate IP addresses for the server and sslsplit. Note that the OP of #246 reported that the issue was about routing. |
@jsommer1738 Can you please try the latest commit I have just pushed to the develop branch? I think I have found an issue which may be related with what you have reported (but I cannot say I was able to reproduce the error you have reported). 8c7e5b6 solves the |
@sonertari I've same issue, I tried latest development branch as you suggested and I still see the issue. Linux kali 4.18.0-kali3-amd64 #1 SMP Debian 4.18.20-2kali2 (2018-11-30) x86_64 GNU/Linux |
@sonertari attaching trace file just in case if it can help debug the issue. |
@etrashcan Thanks for the log files. My current theories are (but I cannot test them as I cannot reproduce the issue here):
Can you test my theories for me please? Btw, enabling DEBUG_CERTIFICATE in GNUmakefile may provide further info, not sure DEBUG_PROXY and DEBUG_SESSION_CACHE would help but wouldn't hurt. (I wish I had access to a Kali 2019.1 to do it myself. Perhaps in a few weeks.) |
@sonertari I've disabled TLS1.3 in client chrome browser, generated new certs and rebuilt the binary with debug flags. |
@etrashcan Thanks for the files and testing my theories. Unfortunately, I couldn't come up with an explanation even with the new information you have provided. I think I really need a Kali 2019.1 to reproduce the issue myself. |
@sonertari , I tried using the -r tls12 flag and it did not resolve the issue. I did see that on the openssl client and on the client facing side of sslsplit that TLS v1.2 was being used, i.e. the flag was honored. Regarding the routing topic in #246 I'm really don't this particular issue is a routing issue. Honestly, I'm not sure how #246 could have been anything different than what we're seeing in this issue. Maybe for #246 they switched something about the client configuration and falsely attributed it to routing? The reason I'm convinced this issue is not routing is that I can watch the network traffic with Wireshark and I see that all parties are talking correctly until the sslsplit upstream link (openssl server facing) send an Encrypted Alert. You can see this in frame 9 of the attached server_side.pcapgn file. These captures, were taken with the -r tls12 flag set on the openssl client. I had to zip the files due to a restriction GitHub imposes. |
Thanks for reporting back. I agree with your comments. I hope to work on this issue as soon as I can setup a Kali 2019.1 test system. |
Btw, I have tried (and failed) to reproduce this issue on the following platforms: OpenBSD 6.4, Linux Mint 19 Tara, Kali 2018.1, and Ubuntu 18.10. If you (anyone) have access to such systems, we can test if this issue happens only on Kali 2019.1. |
I'll see what I can do. |
I was able to reproduce this issue on Kali 2019.1a, and I think I have fixed it on the new The issue was that OpenSSL 1.1.1b does not accept 1024 bit RSA keys anymore, giving an error like |
@sonertari I just tried it out and it's working. SSLsplit 0.5.4-23-g8ac2134 (built 2019-03-26) |
Great, thanks for reporting back. |
It turns out that this issue is not related to OpenSSL, but Debian! Please read the explanation of Debian Security Level Update here. So, as explained there, you can fix this issue by changing the last section in
So I should modify the |
I think it is a better idea to set the security level of SSL ctx of connections to 1, instead of increasing the default RSA key size. So, I have reverted my last commit, and now I call |
Merged rsa-key-size to develop. We can add a LeafKeyRSABits option in the future too. |
Hi, i met the same problem again, and my Kali version is 2019.2 in VmwareWorkstation, but the version of sslspilt is below: |
Can you try the develop branch and report back? |
@sonertari - I think in order to maximize interoperability in default configuration, we need to bump the default leaf key size to 2k in addition to setting the security level to 1 on our end. We do not necessarily need to make the bits configurable; users who want to use a small leaf key for extra performance can already do so by using the |
Done. |
I've made the comments and manual page reflect the current situation regarding leaf key sizes. Also I lowered the security level to 0 in order to not impose any restrictions on our end (maximum interop by default). We may want to make the security level to use configurable, but the default should be 0. Closing this issue - if this does not fix the issue for anyone using the latest |
This is very similar to #246. I'm running Kali 2019.1 with SSLsplit 0.5.4 and see the "loading src server certificate failed" error.. I tested the same commands using SSLsplit 0.5.2 and everything works fine.
Below are the commands that I used to set up the server, client and SSLsplit. The failing output from the server, client and SSLsplit are attached.
Server
The default options were used for the openssl req command.
SSLsplit
The default options were used for the openssl req command.
Connections
Initial connection directly to server to prove the server/client works fine:
openssl s_client -connect 192.168.128.129:9999
Follow up connection via SSLsplit:
openssl s_client -connect 192.168.128.134:8888
openssl-client-trace.txt
openssl-server-trace.txt
sslsplit-trace.txt
The text was updated successfully, but these errors were encountered: