I have looked at a few source files for your current software. I have noticed that some checks for return codes are missing.

Would you like to add more error handling for return values from functions like the following?

• fprintf ⇒ main_version
• pthread_mutex_init ⇒ thrqueue_new
• strdup ⇒ proxyspec_parse

Hi Daniel,

Thanks for working on a very useful ssl tool.

When compiling sslsplit with the newer openssl library, I am having problems with some sites e.g. gmail (mail.google.com), where the login process suddenly stops and just hangs there.

• Login gmail fine through sslsplit: openssl 0.9.8k-7ubuntu8.13 ( Ubuntu 10.04.1 LTS 64bit )
• Cannot login to gmail through sslsplit: openssl 1.0.1-4ubuntu5.2 ( Ubuntu 12.04 LTS 64bit )

Is there something I can do to help debug the above problem ?

Kind regards,
Jane

Apple has not published Yosemite sources yet. When they do, add the 10.10 headers and build against them on Yosemite.

https://opensource.apple.com/

When using sslsplit with OpenSSL 1.0.0a, it sometimes drops connections to some servers with the following errors:

sslsplit: Error from bufferevent: 0:- 336142611:275:serverhello tlsext:20:SSL routines:146:SSL3_GET_SERVER_HELLO
sslsplit: Additional SSL error: 336691357:157:tls invalid ecpointformat list:20:SSL routines:280:SSL_CHECK_SERVERHELLO_TLSEXT

Comment by @exvance moved from #10 to new issue:

I don't know if my issue is the same as this one. It doesn't seem to matter whether or not I use the -j option.

sslsplit -D -l connections.log -k ca.key -c ca.crt ssl 0.0.0.0 8443

Generated RSA key for leaf certs.
SSLsplit (built 2013-11-29)
Copyright (c) 2009-2013, Daniel Roethlisberger [email protected]
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter*
netfilter: !IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1c 10 May 2012 (1000103f)
TLS Server Name Indication (SNI) supported
OpenSSL is not thread-safe
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA !ECDSA DH !ECDH !EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.19-stable
rtlinked against libevent 2.0.19-stable
1 CPU cores detected
proxyspecs:

[0.0.0.0]:8443 ssl plain netfilter Loaded CA: '/C=US/ST=aa/L=aa/O=aa/OU=ssl/CN=aaaaa.com/emailAddress=aaaa' Using libevent backend 'epoll' Event base supports: edge yes, O(1) yes, anyfd no Inserted events: 0x888e48 [fd 7] Read Persist 0x887a34 [fd 8] Read Persist 0x888d38 [fd 6] Read Persist 0x889a30 [fd 3] Signal Persist 0x889b50 [fd 1] Signal Persist 0x889be0 [fd 2] Signal Persist 0x889c70 [fd 13] Signal Persist Failed to start thread manager

But then if I go back to version 0.4.6-1 it starts fine....but then I get the segmentation fault when I try to connect to port 8443 with telnet.

Hello,

when I try to run sslsplit (having libssl-dev and libevent-dev installed,generating self-signed certificates and using port forwarding before this) I get the following error:

Inserted events:
  0x9a01148 [fd 7] Read Persist
  0x9a0291c [fd 8] Read Persist
  0x9a01038 [fd 6] Read Persist
  0x9a02968 [fd 3] Signal Persist
  0x9a02ad0 [fd 1] Signal Persist
  0x9a02bb0 [fd 2] Signal Persist
  0x9a02c90 [fd 13] Signal Persist
Failed to start thread manager
Segmentation fault

I'm using:

./sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 9000

on the command line.

Could this be a resurfacing of previously reported bug (issue #9)?

Thank you

Mac OS X includes pf since 10.7 and has removed ipfw as of 10.9. However, Apple does not seem to install the headers needed to access the pf ioctl interfaces, such as pfvar.h. Without these headers, SSLsplit cannot access the NAT mappings created by pf and therefore cannot support pf on Mac OS X.

It may be possible to manually take the appropriate headers from the XNU source code at:

• http://www.opensource.apple.com/tarballs/xnu/
• https://github.com/opensource-apple/xnu

However, this has not been tested and is only for the brave. There currently seems to be no good solution for the problem.

I got a "Failed to open '$Filepath': No such file or directory" on log.c line 274 when running sslsplit even with sudo permissions. Anyone similare problems? OS: Fedora Core 19

Using -t fails under many circumstances, such as with encrypted keys in daemon mode, when chroot() is used, or when the user we drop privs to lacks the permissions to read the file.

-t should be rewritten to load the certificates into a list of cert_t before detaching from TTY; that list would need to be added to the certificate cache after detaching.

Control SSL_OP_SINGLE_ECDH_USE and possibly other SSL de-optimizations by a "prefer speed to security" command line option or build time knob.

SSLsplit 0.4.5 with the following command line:

sslsplit -k CA.key -c CA.pem -P https 127.0.0.1 443 sni 443

returns:

Error from bind(): Permission denied
Failed to initialize proxy.

SSLsplit seems to drop privileges before binding to the ports. This seems to be a regression introduced somewhere during the fixes for multithreading.

Possible workarounds include:

• using a port > 1024 for listening and adjusting the iptables rules accordingly
• adding "-u root" to the command line.

Reported by Ian Grispan.

Restructure and rewrite the documentation (README.md, first part of manual page and website) in order to be more clear on what SSLsplit achieves, and what not. Answer FAQ's like whether the client needs to trust the fake CA or not, what the effect of removing HPKP/HSTS headers is, and similar frequently asked questions.

What protocols can sslsplit support?

Hi,
I've downloaded this tool recently and I am trying to decrypt some HTTPS pages which are passed through a proxy. My question is the following: can I sniff the traffic and decrypt it (i have the private key) and send it unencrypted through another interface for monitoring purposes?

To support STARTTLS for various protocols, WebSockets, HTTP/2 etc, the proxy core will need to be refactored to more cleanly allow for other protocols than HTTP/1.

Separate pxyconn into the following three layers:

• pxyconn: SSL unpacking / buffer shuffling, different buffering modes, connection handling
• proto, protohttp1 etc: extensible protocol parsing, using a driver design; one driver handles passthrough (with and without logging), another one HTTP/1.x, other drivers will later handle HTTP/2, WebSockets and non-HTTP protocols; driver proto parsers return watermark condition for the framework to know when to call again and into which state
• pxyhttp: a set of HTTP request/response callbacks called by both the HTTP/1.x and HTTP/2 handlers; this is where HTTP header mangling, HTTP logging, OCSP handling, later perhaps ICAP etc will live

Tasks:

• Split out HTTP/1.x protocol handling into separate functions with clean API
• Split out passthrough mode into separate functions with same structure as HTTP/1.x handling
• Move protocol-level state into separate context structs, replace flags with current proto indicator
• Write extensible protocol driver framework, a HTTP/1.x protocol driver and a passthrough driver; make protocol-internal state opaque to the framework and the proxy core
• Move OCSP responding and other similar functionality currently living somewhere in pxyconn.c to the respective new locations

Using a fresh build of 7839de3 on 32-bit Arch, this happens:

$ sudo iptables-save
# Generated by iptables-save v1.4.20 on Sat Jan  4 18:51:01 2014
*nat
:PREROUTING ACCEPT [389:57605]
:INPUT ACCEPT [334:21574]
:OUTPUT ACCEPT [1121:67319]
:POSTROUTING ACCEPT [1327:83441]
-A PREROUTING -i vboxnet0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
$ sslsplit -D -c ~/.mitmproxy/mitmproxy-ca.pem -S logs ssl 0.0.0.0 8080 netfilter
Generated RSA key for leaf certs.
SSLsplit 0.4.7-11-g7839de3 (built 2014-01-04)
Copyright (c) 2009-2013, Daniel Roethlisberger <[email protected]>
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter:  IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
2 CPU cores detected
proxyspecs:
- [0.0.0.0]:8080 ssl plain netfilter
Loaded CA: '/CN=mitmproxy/O=mitmproxy'
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
  0x999ff68 [fd 6] Read Persist
  0x99a00d4 [fd 7] Read Persist
  0x999fe58 [fd 5] Read Persist
  0x999ffb8 [fd 3] Signal Persist
  0x999f5b0 [fd 1] Signal Persist
  0x99a02c8 [fd 2] Signal Persist
  0x99a03a8 [fd 13] Signal Persist
Initialized 4 connection handling threads
Started 4 connection handling threads
Starting main event loop.
SNI peek: [n/a] [complete]
Segmentation fault (core dumped)

Between the third and second last lines, I entered https://www.google.com in IE8 running in a Windows XP VM, thus causing a connection. Going by wireshark, the segfault is in whatever happens between receiving a Client Hello and sending anything back whatsoever.

Running with GDB attached, same output from sslsplit, and once in gdb:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6b38b40 (LWP 23983)]
0xb7bdafd6 in __strlen_sse2_bsf () from /usr/lib/libc.so.6
(gdb) bt
#0  0xb7bdafd6 in __strlen_sse2_bsf () from /usr/lib/libc.so.6
#1  0x080554ab in cachedsess_mkkey (addr=addr@entry=0x807a110, addrlen=128, sni=0x0) at cachedsess.c:211
#2  0x08055f3e in pxy_dstssl_create (ctx=0x807a0a8) at pxyconn.c:839
#3  pxy_conn_connect (ctx=ctx@entry=0x807a0a8) at pxyconn.c:1635
#4  0x080566bb in pxy_fd_readcb (fd=40, what=2, arg=0x807a0a8) at pxyconn.c:1783
#5  0xb7d33314 in event_base_loop () from /usr/lib/libevent-2.0.so.5
#6  0xb7d340c3 in event_base_dispatch () from /usr/lib/libevent-2.0.so.5
#7  0x08053bfc in pxy_thrmgr_thr (arg=0x8073fe8) at pxythrmgr.c:86
#8  0xb7d0ff10 in start_thread () from /usr/lib/libpthread.so.0
#9  0xb7c44dfe in clone () from /usr/lib/libc.so.6
(gdb) info threads
  Id   Target Id         Frame 
  7    Thread 0xb4dffb40 (LWP 23986) "sslsplit" 0xb7fdd424 in __kernel_vsyscall ()
  6    Thread 0xb57ffb40 (LWP 23985) "sslsplit" 0xb7fdd424 in __kernel_vsyscall ()
  5    Thread 0xb61ffb40 (LWP 23984) "sslsplit" 0xb7fdd424 in __kernel_vsyscall ()
* 4    Thread 0xb6b38b40 (LWP 23983) "sslsplit" 0xb7bdafd6 in __strlen_sse2_bsf () from /usr/lib/libc.so.6
  3    Thread 0xb7339b40 (LWP 23982) "sslsplit" 0xb7fdd424 in __kernel_vsyscall ()
  2    Thread 0xb7b3ab40 (LWP 23981) "sslsplit" 0xb7fdd424 in __kernel_vsyscall ()
  1    Thread 0xb7b3b700 (LWP 23977) "sslsplit" 0xb7fdd424 in __kernel_vsyscall ()

With sni 443 instead of netfilter there's no segfault but not much usefulness either since my target doesn't support SNI.

When trying to run on my mips32 router I get this. Any idea what i am doing wrong ?

./sslsplit -D -k ca.key -c ca.crt ssl 0.0.0.0 8543                                                                 
Generated RSA key for leaf certs.
SSLsplit 0.4.7 (built 2014-01-04)
Copyright (c) 2009-2013, Daniel Roethlisberger <[email protected]>
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter:  IP_TRANSPARENT !SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
1 CPU cores detected
proxyspecs:
- [0.0.0.0]:8543 ssl plain netfilter
Loaded CA: '/C=US/ST=Some-State/O=test'
Using libevent backend 'poll'
Event base supports: edge no, O(1) no, anyfd yes
./sslsplit: failed to init log facility.

Is it possible to add a logging option that saves traffic in a format readable by Wireshark? This would make dissecting binary protocols over SSL much easier to analyse.

Logging to syslog seems to be broken in daemon mode in latest master.

Add per-proxyspec options facility to control content mangling features such as OCSP denial, HTTP header removal, HTTP downgrade to 1.0, STARTTLS removal (#57) or similar features. Possibly also extend this to TLS related options such as pass-through mode.

Hello,

i´ve tried several Options:
sudo sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080 and also the minimized Version:
sudo sslsplit -D -k ca.key -c ca.crt -P https 0.0.0.0 8443

After Setting up my iptables, and try to connect to a SSL Site i read These Messages:

"kali@ip-X-X-X-X:~$ sudo sslsplit -D -k ca.key -c ca.crt -P https 0.0.0.0 8443
Generated RSA key for leaf certs.
SSLsplit 0.4.6 (built 2013-06-06)
Copyright (c) 2009-2013, Daniel Roethlisberger [email protected]
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.19-stable
rtlinked against libevent 2.0.19-stable
1 CPU cores detected
proxyspecs:

• [0.0.0.0]:8443 ssl http netfilter
  Loaded CA: '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd'
  Using libevent backend 'epoll'
  Event base supports: edge yes, O(1) yes, anyfd no
  Started 2 connection handling threads
  Inserted events:
  0x1a63ba0 [fd 6] Read Persist
  0x1a690e0 [fd 17] Read Persist
  0x1a639d8 [fd 5] Read Persist
  0x1a691b0 [fd 3] Signal Persist
  0x1a69480 [fd 1] Signal Persist
  0x1a695f0 [fd 2] Signal Persist
  0x1a69760 [fd 13] Signal Persist
  Starting main event loop.
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  SNI peek: [n/a] [complete]
  Connecting to [X.X.X.X]:8443
  Error 24 on listener: Too many open files
  Main event loop stopped."

My IPTables:
kali@ip-X-X-X-X:~$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8443

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source Destination

net.ipv4.ip_forward = 1

Version:
Amazon EC2 Kali (1.0.6), and virtual installed on local Virtualbox from 1.0.6 CD Image

Thanks in advance

sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir/ -P -t ./certs/ ssl 0.0.0.0 9443 tcp 0.0.0.0 9080

...
Failed to load cert and key from PEM file './certs/'

certs directory exists and have a single PEM file inside (foobar.pem):

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIb0sfVok+83ECAggA
MBQGCCqGSIb3DQMHBAiR0r6JINsSZgSCBMiEauatBQlxvspUMgYYL/EMznz3dXm3
Q...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDbzCCAlegAwIBAgIJANHqAxI0u/R9MA0GCSqGSIb3DQEBBQUAME4xCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQKDAhGYWNlYm9vazEX
MBUGA1UEAwwOKi5mYWNlYm9vay5jb20wHhcNMTQwMTI5MTAxNjE2WhcNMTkwMTI5...
-----END CERTIFICATE-----

I believe that the problem resides inside the sys.c/sys_dir_eachfile function which incorrectly traverses through directory structure.

When using -j explicitly or implicitly by running as root, proxyspecs using sni seem to fail to resolve hostnames within the chroot on some systems (e.g. Mac OS X). One possible fix is be to remove implicit chroot() and add a warning to the -j documentation that name resolution might not work within a chroot.

Hi,

i try to use sslsplit to passthrough ssl connections like a transparent proxy without intercepting. For that i use the following syntax but i'm always getting a segmentation fault. When providing -k and -c it works - but with intercepting ssl. is there a way to use sslsplit to just passthrough all connections?

Thank you!

sslsplit -S /tmp/ https 0.0.0.0 443 sni 443 -D -t /etc/mypki/targets/ -P

Generated RSA key for leaf certs.
SSLsplit 0.4.5-9-g7114487 (built 2013-05-25)
Copyright (c) 2009-2012, Daniel Roethlisberger [email protected]
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.19-stable
rtlinked against libevent 2.0.19-stable
2 CPU cores detected
proxyspecs:

• [0.0.0.0]:443 ssl http sni 443

No CA loaded.
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Started 4 connection handling threads
Inserted events:
0x1b07500 [fd 6] Read Persist
0x1b0b510 [fd 27] Read Persist
0x1b07338 [fd 5] Read Persist
0x1b0b5e0 [fd 3] Signal Persist
0x1b0b8b0 [fd 1] Signal Persist
0x1b0ba20 [fd 2] Signal Persist
0x1b0bb90 [fd 13] Signal Persist
Targets for '/etc/mypki/targets/server.pem': 'www.myside.de'
Starting main event loop.
SNI peek: [n/a] [complete]
No target address; aborting connection
SNI peek: [accounts.google.com] [complete]
===> Original server certificate:
Segmentation fault

CRL denial based on targetdir cert's CDPs or by identifying CRL ASN.1 on the content level.

Running in daemon mode terminates with the following error message.

./sslsplit -d tcp 0.0.0.0 8080

./sslsplit: failed to detach from TTY: No such file or directory

I'm using "Ubuntu 14.04.1 LTS".

Hi!

When compiling on Debian, I get the following error:

pxyconn.c: In function ‘pxy_sni_resolve_cb’:
pxyconn.c:1524:23: error: dereferencing pointer to incomplete type
pxyconn.c:1524:36: error: dereferencing pointer to incomplete type
pxyconn.c:1525:19: error: dereferencing pointer to incomplete type
pxyconn.c: In function ‘pxy_fd_readcb’:
pxyconn.c:1605:19: error: storage size of ‘hints’ isn’t known
pxyconn.c:1605:19: warning: unused variable ‘hints’ [-Wunused-variable]

The problem is that getaddrinfo() is a POSIX.1g extension and is not available in pure C99. It may work if libevent has also been compiled with --std=c99 because struct evutil_addrinfo will be defined as a full structure. Otherwise, it is just an alias to struct addrinfo which is not defined in netdb.h but still exists as an incomplete type in event2/utils.h.

You can either compile with --std=gnu99 or with -D_POSIX_C_SOURCE=200112L. With the later option, there are additional errors later. Moreover, compiling with --std=gnu99 almost silents out any warnings. I don't know if such a standard is portable outside of gcc.

I'm running BackTrack 5 R3 and trying to compile it.
I'm having an error about libevent. I tried updating it and currently libevent is in the newest version (apt-get).

When trying to compile SSLSplit I get the following error:

root@bt:~/sslsplit# make
GNUmakefile:175: *** dependency 'libevent 2.x' not found; install it or point LIBEVENT_BASE to base path. Stop.

libevent is at '/usr/lib/libevent.a', and I have no idea how to set LIBEVENT_BASE appropriately. I tried this:

root@bt:/sslsplit# LIBEVENT_BASE=/usr/lib/libevent.a
root@bt:/sslsplit# make
GNUmakefile:175: *** dependency 'libevent 2.x' not found; install it or point LIBEVENT_BASE to base path. Stop.

any idea what I am doing wrong?

Should add some sample script(s) for single file or fifo content log post-processing.

This is actually harder than it looks because if sslsplit drops privs or does a chroot(), we cannot re-open log files that we might not have access to anymore. The complete solution would be a two-process architecture where the parent process keeps running under root and outside of chroot(), communicating over a unix domain socket with the child, providing log file opening and other privileged services to the low-privileged process. This would have the side-effect of cleaning up the mess that is main() and all the pre-init / init functions.

Add mode to prevent browser updates. This is useful when exploiting an SSL related bug in an old browser that would go away if the browser was allowed to update itself.

Daemon mode (-d) does not seem to work properly under unspecified circumstances on OpenBSD 5.0. Might be a bug in libevent.

SSLsplit 0.4.4-17-g6106940 (built 2012-08-06)
Copyright (c) 2009-2012, Daniel Roethlisberger <[email protected]>
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF
NAT engines: pf*
compiled against OpenSSL 1.0.0a 1 Jun 2010 (1000001f)
rtlinked against OpenSSL 1.0.0a 1 Jun 2010 (1000001f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
SSL/TLS algorithm availability: RSA DSA ECDSA DH !ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.19-stable
rtlinked against libevent 2.0.19-stable
4 CPU cores detected

Needs verification.

I get the following error when I try to read traffic from the Android App sayhey.
Error from bufferevent: 0:- 336109761:193:no shared cipher:20:SSL
I use the Kali Linux with fully updated system.
The App gets no connection.

Generated RSA key for leaf certs.
SSLsplit 0.4.8-10-g85b177f (built 2014-09-02)
Copyright (c) 2009-2014, Daniel Roethlisberger <[email protected]>
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter:  IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.19-stable
rtlinked against libevent 2.0.21-stable
4 CPU cores detected
proxyspecs:
- [0.0.0.0]:1025 tcp plain netfilter
- [0.0.0.0]:1050 ssl plain netfilter
- [0.0.0.0]:8443 ssl http netfilter
- [0.0.0.0]:8080 tcp http netfilter
Loaded CA: '/C=PortSwigger/ST=PortSwigger/L=PortSwigger/O=PortSwigger/OU=PortSwigger CA/CN=PortSwigger CA'
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
  0x1056460 [fd 8] Read Persist
  0x1055fb0 [fd 9] Read Persist
  0x1057540 [fd 10] Read Persist
  0x1059190 [fd 11] Read Persist
  0x1059250 [fd 12] Read Persist
  0x1056298 [fd 7] Read Persist
  0x10592e0 [fd 3] Signal Persist
  0x1059520 [fd 1] Signal Persist
  0x1059650 [fd 2] Signal Persist
  0x1059780 [fd 13] Signal Persist
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.
SNI peek: [n/a] [complete]
Connecting to [85.88.17.243]:1235
SNI peek: [n/a] [complete]
Connecting to [85.88.17.243]:1235
===> Original server certificate:
Subject DN: /CN=foo.ssms.de
Common Names: foo.ssms.de
Fingerprint: 60:de:90:74:97:78:79:30:7b:5b:fb:c3:0d:36:d5:35:6f:04:bb:ab
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=foo.ssms.de
Common Names: foo.ssms.de
Fingerprint: 67:20:4e:97:d5:a6:14:40:30:7b:20:86:bc:5a:4f:7d:a3:aa:26:f9
ssl [192.168.3.131]:37806 [85.88.17.243]:1235 sni:- crt:foo.ssms.de origcrt:foo.ssms.de
Error from bufferevent: 0:- 336109761:193:no shared cipher:20:SSL routines:138:SSL3_GET_CLIENT_HELLO
SSL_free() in state 00002112 = SSL_ST_ACCEPT|0112 = 3RCH_C (SSLv3 read client hello C) [accept socket]
SSL_free() in state 00000003 = 0003 = SSLOK  (SSL negotiation finished successfully) [connect socket]
===> Original server certificate:
Subject DN: /CN=foo.ssms.de
Common Names: foo.ssms.de
Fingerprint: 60:de:90:74:97:78:79:30:7b:5b:fb:c3:0d:36:d5:35:6f:04:bb:ab
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=foo.ssms.de
Common Names: foo.ssms.de
Fingerprint: 67:20:4e:97:d5:a6:14:40:30:7b:20:86:bc:5a:4f:7d:a3:aa:26:f9
ssl [192.168.3.131]:37807 [85.88.17.243]:1235 sni:- crt:foo.ssms.de origcrt:foo.ssms.de
Error from bufferevent: 0:- 336109761:193:no shared cipher:20:SSL routines:138:SSL3_GET_CLIENT_HELLO
SSL_free() in state 00002112 = SSL_ST_ACCEPT|0112 = 3RCH_C (SSLv3 read client hello C) [accept socket]
SSL_free() in state 00000003 = 0003 = SSLOK  (SSL negotiation finished successfully) [connect socket]
SNI peek: [n/a] [complete]
Connecting to [74.125.230.101]:443
...

I suggest to reuse a higher level build system than your current make file so that powerful checks for software features will become easier.

• CMake
• Autotools

Dump information helpful for low-level SSL/TLS compat debugging in debug mode, such as:

• cipher suites offered, cipher suite selected
• DH/ECDH parameters offered and selected
• TLS extensions sent and received

Remove all code for supporting SSL 2.0 left in SSLsplit.

SSLsplit currently logs both CN and all subjectAltName attributes of type DNS. It should filter out duplicates and simply log all names the certificate is valid for, preserving order (CN first).

Loading AJAX-heavy sites through SSLsplit can cause browsers to stall completely, seemingly loading forever without any progress. I suspect this has to do with the fact that SSLsplit downgrades Connection: keep-alive to Connection: close and removes other headers related to performance-improving HTTP features such as chunking. SSLsplit does that in order to get nice and clean, uncompressed and unencoded, straightforward loggable and tweakable HTTP requests and responses. However, this puts a lot of strain on browsers, servers and SSLsplit itself since it causes the browser to send lots of requests at the same time. This definitely needs more investigation.

As a workaround, using ssl proxyspecs instead of https disables all the HTTP header munging and generally gives better performance, at the cost of reduced features (e.g. no OCSP denial, less readable logs).

SSLsplit should probably implement more of the HTTP features like chunking, pipelining etc, but this would require a major rewrite of the https connection handling code.

Hi,

I get the following error when I try to compile on mac os x.

Please help...

base64.t.c:73: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:86: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:99: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:112: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:125: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:138: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:151: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:164: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:177: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:190: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:203: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:213: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:223: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:233: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:243: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:253: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:263: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:273: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:283: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:293: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:303: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘START_TEST’
base64.t.c:316: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘attribute’ before ‘Suite’

Please alias -? to -h, I can never remember which to use with which apps.

Handle renegotiations and client certificate authentication more gracefully.

Optionally add ephemeral RSA key to SSL_CTX to allow export cipher suites, controlled by a command line switch, and probably disabled unless specifically enabled by a build knob WANT_EPHEMERAL_RSA or some such.

http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html

Sslsplit installed just fine and also starts without any issue.
When I hit enter on the client browser it goes:
....
....
Connecting to [192.168.1.10]:8080
Connecting to [192.168.1.10]:8080
Error 24 on listener: Too many open files
Main event loop stopped.
Error from bufferevent: 104:Connection reset by peer 0:0:-:0:-:0:-
Segmentation fault (core dumped)

The "connecting to IP" line repeats several times.

sslsplit -V:
SSLsplit 0.4.8-10-g85b177f (built 2014-10-01)
Copyright (c) 2009-2014, Daniel Roethlisberger [email protected]
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.1f 6 Jan 2014 (1000106f)
rtlinked against OpenSSL 1.0.1f 6 Jan 2014 (1000106f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
2 CPU cores detected

Not sure what I'm doing wrong here.

Thx.

Implement an extendable approach to broken certificate verification implementations and implement some of the more interesting ones.

Implement some flexible and configurable (or even scriptable) way to make modifications to requests and/or responses and possibly allow regex based inclusion/exclusion of certain requests by header matching (client fingerprinting).

Hi droe,

your tool is awesome, but it doesn't work in vmware/virtualbox. The guest-sys is the latest Backtrack5R3-Version and the network is bridged. Here are the Error-Messages:

The netfilter NAT engine only suports IPv4 state lookups
Connection not found in NAT state table, aborting connection

I start SSLSplit with folowing settings:

slsplit -D -O -P -k fakeCA/private/cakey.pem -c fakeCA/fakeca_public.pem -l log/https.log -S tmp/ https 192.168.0.254 4433

and

iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 4433

With the same settings on the host-sys, SSLSplit is fine. What's wrong?

greetz

Add an optional feature to allow SSLsplit to strip the STARTTLS flag in EHLO responses.
For a start, connection type smtp and command line flag controlling STARTTLS stripping; later SSLsplit probably needs per-proxyspec options controlling such features.

https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

Depends on #40.

While parsing the log there are often requests like this:

2014-04-10 15:46:59 UTC [192.168.3.132]:50126 -> [2.16.170.224]:80 (460):
GET /configurations/pep/pipeline/pipeline0.html HTTP/1.1
Host: configuration.apple.com
Connection: Keep-Alive

GET /configurations/pep/pipeline/pipeline1.html HTTP/1.1
Host: configuration.apple.com
Connection: Keep-Alive

GET /configurations/pep/pipeline/pipeline2.html HTTP/1.1
Host: configuration.apple.com
Connection: Keep-Alive

GET /configurations/pep/pipeline/pipeline3.html HTTP/1.1
Host: configuration.apple.com
Connection: Keep-Alive

The responses aren't compound like this and have seperate metadata.

Also a request counter for assigning a requests to its response whould be great.

The only solution for this I see is to compound also the responses with this connection counter.

sslsplit starts up, detects a few packets and crashes immediately.
The nat engine being used is pf, on OSX Mavericks.
These changes were made to sslsplit in order to get it running on Mavericks. I'm also attaching a git diff below.

diff --git a/nat.c b/nat.c
index b92adb8..d4cffbb 100644
--- a/nat.c
+++ b/nat.c
@@ -131,17 +131,17 @@ nat_pf_lookup_cb(struct sockaddr *dst_addr, socklen_t *dst_addrlen,
                struct sockaddr_in *src_sai = (struct sockaddr_in *)src_addr;
                struct sockaddr_in *our_sai = (struct sockaddr_in *)&our_addr;
                nl.saddr.v4.s_addr = src_sai->sin_addr.s_addr;
-               nl.sport = src_sai->sin_port;
+               nl.sxport.port = src_sai->sin_port;
                nl.daddr.v4.s_addr = our_sai->sin_addr.s_addr;
-               nl.dport = our_sai->sin_port;
+               nl.dxport.port = our_sai->sin_port;
        }
        if (nl.af == AF_INET6) {
                struct sockaddr_in6 *src_sai = (struct sockaddr_in6 *)src_addr;
                struct sockaddr_in6 *our_sai = (struct sockaddr_in6 *)&our_addr;
                memcpy(&nl.saddr.v6.s6_addr, &src_sai->sin6_addr.s6_addr, 16);
-               nl.sport = src_sai->sin6_port;
+               nl.sxport.port = src_sai->sin6_port;
                memcpy(&nl.daddr.v6.s6_addr, &our_sai->sin6_addr.s6_addr, 16);
-               nl.dport = our_sai->sin6_port;
+               nl.dxport.port = our_sai->sin6_port;
        }
        nl.proto = IPPROTO_TCP;
        nl.direction = PF_OUT;
@@ -154,7 +154,7 @@ nat_pf_lookup_cb(struct sockaddr *dst_addr, socklen_t *dst_addrlen,
                return -1;
        }

-       if ((nl.dport == nl.rdport) &&
+       if ((nl.dxport.port == nl.rdxport.port) &&
            ((nl.af == AF_INET && nl.daddr.v4.s_addr == nl.rdaddr.v4.s_addr) ||
             (nl.af == AF_INET6 &&
              !memcmp(nl.daddr.v6.s6_addr, nl.rdaddr.v6.s6_addr, 16)))) {
@@ -167,7 +167,7 @@ nat_pf_lookup_cb(struct sockaddr *dst_addr, socklen_t *dst_addrlen,
                struct sockaddr_in *dst_sai = (struct sockaddr_in *)dst_addr;
                memset(dst_sai, 0, sizeof(struct sockaddr_in));
                dst_sai->sin_addr.s_addr = nl.rdaddr.v4.s_addr;
-               dst_sai->sin_port = nl.rdport;
+               dst_sai->sin_port = nl.rdxport.port;
                dst_sai->sin_family = nl.af;
                *dst_addrlen = sizeof(struct sockaddr_in);
        }
@@ -175,7 +175,7 @@ nat_pf_lookup_cb(struct sockaddr *dst_addr, socklen_t *dst_addrlen,
                struct sockaddr_in6 *dst_sai = (struct sockaddr_in6 *)dst_addr;
                memset(dst_sai, 0, sizeof(struct sockaddr_in6));
                memcpy(dst_sai->sin6_addr.s6_addr, nl.rdaddr.v6.s6_addr, 16);
-               dst_sai->sin6_port = nl.rdport;
+               dst_sai->sin6_port = nl.rdxport.port;
                dst_sai->sin6_family = nl.af;
                *dst_addrlen = sizeof(struct sockaddr_in6);
        }

Below is the output for the command sslsplit -V

./sslsplit -V
SSLsplit 0.4.7-16-ga0bf21b-dirty (built 2014-01-08)
Copyright (c) 2009-2014, Daniel Roethlisberger <[email protected]>
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -DHAVE_IPFW
NAT engines: pf* ipfw
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
4 CPU cores detected

The response to a uname -a

Darwin DDVMACAMITCHO 13.0.1 Darwin Kernel Version 13.0.1: Thu Sep 19 19:30:57 PDT 2013; root:xnu-2422.50.20~2/RELEASE_X86_64 x86_64

Please find attached some Debug information.

Current executable set to './sslsplit' (x86_64).
(lldb) r -D -l connections.log -j /tmp/sslsplit -S logdir/ -k ./ca.key -c ./ca.crt https 0.0.0.0 8081 ssl 0.0.0.0 8080 pf
Process 41327 launched: './sslsplit' (x86_64)
Generated RSA key for leaf certs.
SSLsplit 0.4.7-16-ga0bf21b-dirty (built 2014-01-08)
Copyright (c) 2009-2014, Daniel Roethlisberger <[email protected]>
http://www.roe.ch/SSLsplit
Features: -DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -DHAVE_IPFW
NAT engines: pf* ipfw
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
4 CPU cores detected
proxyspecs:
- [0.0.0.0]:8080 ssl plain pf
- [0.0.0.0]:8081 ssl http pf
Loaded CA: '/C=IN/ST=HR/L=Gur/O=Dir/OU=SE/CN=JVD/[email protected]'
NAT engine preinit 'pf'
Using libevent backend 'kqueue'
Event base supports: edge yes, O(1) yes, anyfd yes
NAT engine init 'pf'
Inserted events:
  0x100401278 [fd 18] Read Persist
  0x100401890 [fd 20] Read Persist
  0x1004019a0 [fd 21] Read Persist
  0x100401a70 [fd 3] Signal Persist
  0x100401c50 [fd 1] Signal Persist
  0x100401d20 [fd 2] Signal Persist
  0x100401df0 [fd 13] Signal Persist
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.
SNI peek: [login.yahoo.com] [complete]
Connecting to [106.10.162.30]:443
===> Original server certificate:
Subject DN: /C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
Common Names: login.yahoo.com/mail.yahoo.com/*.mail.yahoo.com/mail.yahoo-inc.com/login.yahoo.com/fb.member.yahoo.com
Fingerprint: e9:c0:09:f9:4e:f5:e9:92:e2:fa:56:5d:13:f5:a2:56:76:da:6e:7b
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
Common Names: login.yahoo.com/mail.yahoo.com/*.mail.yahoo.com/mail.yahoo-inc.com/login.yahoo.com/fb.member.yahoo.com
Fingerprint: 04:bc:a0:67:92:33:30:7d:75:18:d2:da:58:f8:ef:c2:2d:c5:db:0c
Unknown bufferevent 0x80
Certificate cache: KEEP (SNI match or target mode)
src buffer event connected: ignoring event
https [192.168.2.2]:57526 [106.10.162.30]:443 login.yahoo.com GET / 200 - sni:login.yahoo.com crt:login.yahoo.com/mail.yahoo.com/*.mail.yahoo.com/mail.yahoo-inc.com/login.yahoo.com/fb.member.yahoo.com origcrt:login.yahoo.com/mail.yahoo.com/*.mail.yahoo.com/mail.yahoo-inc.com/login.yahoo.com/fb.member.yahoo.com
Process 41327 stopped
* thread #2: tid = 0x13ed1d, 0x0000000100102e44 libcrypto.1.0.0.dylib`sk_pop_free + 21, stop reason = EXC_BAD_ACCESS (code=1, address=0x2)
    frame #0: 0x0000000100102e44 libcrypto.1.0.0.dylib`sk_pop_free + 21
libcrypto.1.0.0.dylib`sk_pop_free + 21:
-> 0x100102e44:  movl   (%r15), %eax
   0x100102e47:  testl  %eax, %eax
   0x100102e49:  jle    0x100102e67               ; sk_pop_free + 56
   0x100102e4b:  xorl   %ebx, %ebx
(lldb) thread backtrace
* thread #2: tid = 0x13ed1d, 0x0000000100102e44 libcrypto.1.0.0.dylib`sk_pop_free + 21, stop reason = EXC_BAD_ACCESS (code=1, address=0x2)
    frame #0: 0x0000000100102e44 libcrypto.1.0.0.dylib`sk_pop_free + 21
    frame #1: 0x0000000100053616 libssl.1.0.0.dylib`SSL_free + 505
    frame #2: 0x00000001000120d5 sslsplit`pxy_ssl_shutdown_cb(fd=59, what=0, arg=0x00000001003304e0) + 517 at pxysslshut.c:151
    frame #3: 0x0000000100011e35 sslsplit`pxy_ssl_shutdown(evbase=0x000000010031ba40, ssl=0x0000000100329b40, fd=59) + 117 at pxysslshut.c:176
    frame #4: 0x000000010000c9ad sslsplit`bufferevent_free_and_close_fd(bev=0x000000010032a030, ctx=0x0000000100329330) + 157 at pxyconn.c:875
    frame #5: 0x000000010000f13f sslsplit`pxy_bev_eventcb(bev=0x000000010032a030, events=16, arg=0x0000000100329330) + 3279 at pxyconn.c:1613
    frame #6: 0x0000000100218eeb libevent-2.0.5.dylib`bufferevent_run_deferred_callbacks_locked(_=<unavailable>, arg=0x000000010032a030) + 267 at bufferevent.c:160
    frame #7: 0x00000001002104b1 libevent-2.0.5.dylib`event_base_loop [inlined] event_process_deferred_callbacks + 100 at event.c:1391
    frame #8: 0x000000010021044d libevent-2.0.5.dylib`event_base_loop [inlined] event_process_active(base=<unavailable>) + 731 at event.c:1432
    frame #9: 0x0000000100210172 libevent-2.0.5.dylib`event_base_loop(base=0x000000010031ba40, flags=<unavailable>) + 1762 at event.c:1621
    frame #10: 0x0000000100012679 sslsplit`pxy_thrmgr_thr(arg=0x000000010031b9f0) + 153 at pxythrmgr.c:86
    frame #11: 0x00007fff8c40a899 libsystem_pthread.dylib`_pthread_body + 138
    frame #12: 0x00007fff8c40a72a libsystem_pthread.dylib`_pthread_start + 137
    frame #13: 0x00007fff8c40efc9 libsystem_pthread.dylib`thread_start + 13
(lldb)