
SSLProxy with nginx #58

Open
migs017 opened this issue Oct 13, 2023 · 2 comments

Comments


migs017 commented Oct 13, 2023

uname
13~22.04.1-Ubuntu

SSLProxy version
SSLproxy v0.9.4 (built 2023-09-28)

NAT redirection rule
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

Current Listener and port:
Nginx : 443/80

Description:
I'm trying to decrypt https traffic with SSLProxy. Nginx handles the reverse proxy, and I'm not sure why SSLProxy is forging a certificate even though I supplied a privatekey and a certkey from Let's Encrypt. I'm planning on running IPS using suricata in the future and will probably tweak our setup more to listen first in suricata and then pass it to nginx; that's why the divert method is required.

miguel@logarchiveipds:/opt/SSLproxy/src/testfolder$ sudo ../sslproxy -f testsslproxy.conf -D4
SSLproxy v0.9.4 (built 2023-09-28)
Copyright (c) 2017-2022, Soner Tari sonertari@gmail.com
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger daniel@roe.ch
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 3.0.2 15 Mar 2022 (30000020)
rtlinked against OpenSSL 3.0.2 15 Mar 2022 (30000020)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12 tls13
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.10.1 (with TPACKET_V3)
compiled against sqlite 3.37.2
rtlinked against sqlite 3.37.2
2 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:

- listen=[0.0.0.0]:8443 ssl|http netfilter
divert addr= [127.0.0.1]:443
return addr= [127.0.0.1]:0
opts= conn opts: negotiate>=tls10<=tls13|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|no user_auth_url|300|8192
divert||
No Global CA loaded.
Loaded ProxySpec CA: '/CN=testwebserver123.civicom.us'
SSL/TLS leaf certificates taken from:
- Global connection drop
Privsep fastpath disabled
Created self-pipe [r=3,w=4]
Created chld-pipe [r=5,w=6]
Created socketpair 0 [p=7,c=8]
Created socketpair 1 [p=9,c=10]
Created socketpair 2 [p=11,c=12]
Created socketpair 3 [p=13,c=14]
Created socketpair 4 [p=15,c=16]
Created socketpair 5 [p=17,c=18]
Privsep parent pid 10079
Privsep child pid 10080
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 9 on srvsock 7
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 9
Received privsep req type 00 sz 1 on srvsock 11
Received privsep req type 00 sz 1 on srvsock 13
Received privsep req type 00 sz 1 on srvsock 15
Received privsep req type 00 sz 1 on srvsock 17
Inserted events:
0x55a1bc1fe7e8 [fd 4] Read Persist Internal
0x55a1bc1fe9c0 [fd 6] Read Persist Internal
0x55a1bc2cbfe8 [fd 7] Read Persist
0x55a1bc2c9e30 [sig 1] Signal Persist
0x55a1bc2958f0 [sig 2] Signal Persist
0x55a1bc2cae80 [sig 3] Signal Persist
0x55a1bc2b71b0 [sig 10] Signal Persist
0x55a1bc2b5260 [sig 13] Signal Persist
0x55a1bc2caf60 [sig 15] Signal Persist
0x55a1bc2b6ce0 [fd -1] Persist Timeout=1697216753.361278
Active events:
Initialized 4 connection handling threads
Started 4 connection handling threads
Starting main event loop.
SNI peek: [testwebserver123.civicom.us] [complete], fd=25
Connecting to [10.43.3.229]:443
===> Original server certificate:
Subject DN: /CN=testwebserver123.civicom.us
Common Names: testwebserver123.civicom.us/testwebserver123.civicom.us
Fingerprint: B1:65:09:C7:94:48:85:8D:30:44:4B:65:04:74:B7:93:B1:C0:28:33
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=testwebserver123.civicom.us
Common Names: testwebserver123.civicom.us/testwebserver123.civicom.us
Fingerprint: 60:50:C3:41:97:A0:52:E3:8A:D9:9A:A2:7B:02:AF:42:CD:84:6D:63
HTTPS connected to [10.43.3.229]:443 TLSv1.3 TLS_AES_256_GCM_SHA384
CLIENT_RANDOM BC663A80759D20C30F87C1D290A8C267BB3FF6EB172D5460482696D04CC5DD51 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Certificate cache: KEEP (SNI match or target mode)
Certificate cache: KEEP (SNI match or target mode)
Client-side BEV_EVENT_ERROR
Error from bufferevent: 0:- 167773206:1046:sslv3 alert certificate unknown:20:SSL routines:0:-
Additional SSL error: 1:1:-:0:-:0:-
SSL_free() in state 0000002e = 002e = SSLERR (error) [accept socket]
HTTPS disconnected to [10.43.3.229]:443, fd=25
HTTPS disconnected from [18.139.143.7]:58372, fd=25
SSL_free() in state 00000001 = 0001 = SSLOK (SSL negotiation finished successfully) [connect socket]
SNI peek: [testwebserver123.civicom.us] [complete], fd=25
Connecting to [10.43.3.229]:443
Attempt reuse dst SSL session
===> Original server certificate:
Subject DN: /CN=testwebserver123.civicom.us
Common Names: testwebserver123.civicom.us/testwebserver123.civicom.us
Fingerprint: B1:65:09:C7:94:48:85:8D:30:44:4B:65:04:74:B7:93:B1:C0:28:33
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=testwebserver123.civicom.us
Common Names: testwebserver123.civicom.us/testwebserver123.civicom.us
Fingerprint: 60:50:C3:41:97:A0:52:E3:8A:D9:9A:A2:7B:02:AF:42:CD:84:6D:63
HTTPS connected to [10.43.3.229]:443 TLSv1.3 TLS_AES_256_GCM_SHA384
CLIENT_RANDOM 327F7951B9C617397152C3D101A016C75288C72862B862A8230BA9610DE92F59 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Certificate cache: KEEP (SNI match or target mode)
Certificate cache: KEEP (SNI match or target mode)
Client-side BEV_EVENT_ERROR
Error from bufferevent: 0:- 167773206:1046:sslv3 alert certificate unknown:20:SSL routines:0:-
Additional SSL error: 1:1:-:0:-:0:-
SSL_free() in state 0000002e = 002e = SSLERR (error) [accept socket]
HTTPS disconnected to [10.43.3.229]:443, fd=25
HTTPS disconnected from [18.139.143.7]:58373, fd=25
SSL_free() in state 00000001 = 0001 = SSLOK (SSL negotiation finished successfully) [connect socket]

Using the command 'echo | openssl s_client -servername testwebserver123.civicom.us -connect testwebserver123.civicom.us:443' to check for the certificate that is currently being used:

My web certificate before SSLProxy:
Certificate chain
0 s:/CN=testwebserver123.civicom.us
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

My web certificate after SSLProxy:
Certificate chain
0 s:/CN=testwebserver123.civicom.us
i:/CN=testwebserver123.civicom.us
1 s:/CN=testwebserver123.civicom.us
i:/C=US/O=Let's Encrypt/CN=R3

Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

This is the error message in the browser:
[image: browser certificate error]

@sonertari (Owner) commented

SSLproxy forges the server certificate using the CA cert supplied, which in your case is in a structured proxyspec in your config file. This is how it decrypts the traffic. If you install that same CA cert into your browser, then it will not complain about it.

Having said that, I think your understanding of how SSLproxy is supposed to be used is not correct (i.e. that's not how SSLproxy works). Because you're trying to use nginx as a listening program, but I don't think you have modified its source code to support the mode of operation required by SSLproxy, have you?

Please read the README and review the Mode of Operation diagram again.
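The mode of operation sonertari points to, as an added example that is not code from the SSLproxy project or from either poster: a minimal listening program in Python that does the two things an unmodified nginx on the divert address cannot do. It reads the plaintext header line SSLproxy prepends to each diverted connection, and it connects back to the return address named in that line so the inspected bytes can flow on to the real server. The header layout (SSLproxy: [return]:port,[client]:port,[server]:port,s|p) is taken from the SSLproxy README as remembered here and is an assumption that should be checked against the README of the version in use; the bind address 127.0.0.1:4443 and all function names are choices made for this example. The sample header and HTTP request in the test are constructed.

```python
import re
import socket
import threading

# Header line SSLproxy prepends to the first data sent to the listening
# program (format assumed from the SSLproxy README; verify against the
# README of the version in use). Fields: return address to connect back to,
# original client endpoint, original server endpoint, and a flag that is
# "s" for an SSL/TLS connection or "p" for a plain one. Example:
#   SSLproxy: [127.0.0.1]:34649,[192.168.3.24]:47286,[74.125.206.108]:443,s
HEADER_RE = re.compile(
    rb"^SSLproxy: "
    rb"\[(?P<ret_ip>[^\]]+)\]:(?P<ret_port>\d+),"
    rb"\[(?P<src_ip>[^\]]+)\]:(?P<src_port>\d+),"
    rb"\[(?P<dst_ip>[^\]]+)\]:(?P<dst_port>\d+),"
    rb"(?P<flag>[sp])\r?\n"
)


def parse_sslproxy_header(first_chunk: bytes):
    """Split the SSLproxy line off the first bytes received from the proxy.

    Returns (info, payload): info holds the return address and the original
    client/server endpoints, payload is the decrypted client data that
    followed the line. A stream that does not start with the line (what an
    unmodified nginx sees as a plaintext request on its TLS port, or what a
    program expecting a ClientHello sees here) raises ValueError.
    """
    m = HEADER_RE.match(first_chunk)
    if m is None:
        raise ValueError("stream does not start with an SSLproxy header line")
    info = {
        "return": (m["ret_ip"].decode(), int(m["ret_port"])),
        "client": (m["src_ip"].decode(), int(m["src_port"])),
        "server": (m["dst_ip"].decode(), int(m["dst_port"])),
        "tls": m["flag"] == b"s",
    }
    return info, first_chunk[m.end():]


def request_line(payload: bytes):
    """Return the HTTP request line from the decrypted payload, or None."""
    head, sep, _ = payload.partition(b"\r\n")
    parts = head.split(b" ")
    if sep and len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return head.decode("ascii", "replace")
    return None


def describe_connection(info, payload: bytes) -> str:
    """One log line per diverted connection: the hook point for inspection."""
    c, s = info["client"], info["server"]
    proto = "tls" if info["tls"] else "plain"
    line = request_line(payload) or "<no request line yet>"
    return f"{c[0]}:{c[1]} -> {s[0]}:{s[1]} ({proto}) {line}"


def _read_first_chunk(conn: socket.socket, limit: int = 65536) -> bytes:
    """Read until the header line's newline has arrived (or limit bytes)."""
    buf = b""
    while b"\n" not in buf and len(buf) < limit:
        data = conn.recv(limit - len(buf))
        if not data:
            break
        buf += data
    return buf


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_diverted_connection(conn: socket.socket) -> None:
    """Serve one diverted connection: parse header, connect back, relay."""
    try:
        info, payload = parse_sslproxy_header(_read_first_chunk(conn))
        print(describe_connection(info, payload))
        back = socket.create_connection(info["return"])  # the return address
        with back:
            if payload:
                back.sendall(payload)
            t = threading.Thread(target=_pump, args=(back, conn), daemon=True)
            t.start()
            _pump(conn, back)
            t.join()
    except (ValueError, OSError) as exc:
        print(f"dropped connection: {exc}")
    finally:
        conn.close()


def serve(bind=("127.0.0.1", 4443)) -> None:
    """Listen on the divert address from the proxyspec (assumed 4443 here)."""
    with socket.create_server(bind) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_diverted_connection,
                             args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

With this program on the divert address instead of nginx, the proxyspec's divert and return addresses pair up as the diagram describes: SSLproxy hands the decrypted stream to the listener, the listener (or an IDS fed from `describe_connection`) inspects it, and the bytes continue to the origin via the return address, still re-encrypted by SSLproxy. Nothing in the listener changes the certificate the browser sees; that is still the leaf forged from the proxyspec CA, which is why the browser alert in the log persists until that CA is trusted by the client.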


migs017 commented Oct 16, 2023

Alright, thank you for your quick response sonertari! Really appreciate it.
