Here are some helpful links that have information about TLS inspection with relayd in case you haven't already seen them:
https://www.openbsd.org/papers/relayd-asiabsdcon2013.pdf
https://www.openbsd.org/papers/relayd-slides-asiabsdcon2013.pdf
https://reykfloeter.com/posts/relayd-ssl-interception
https://man.openbsd.org/relayd.conf.5

Since you didn't say what IoT devices you're using, I'll mention that this won't work if you can't configure them somehow. You need them to point to/proxy through your router or trust your CA certificate. If your router could inspect TLS packets without doing that, TLS would be broken or the device would have a security issue. I don't think many commercial IoT devices will let you do this kind of inspection.

If you're using devices that are open source or that allow you to access the OS, another option is to monitor them or inspect what they're doing on the devices or in the source code instead. The downside is that you can't monitor all of them in one place, but it might be your only option.

Tim

On Wed, Apr 15, 2020 at 2:31 PM Cornelius Jubjub <cornelius.jub...@gmx.com> wrote:
>
> Hello all,
>
> First off, I hope everyone is staying happy, healthy and sane in these
> difficult times.
>
> I've been working on a little side project involving some IoT devices
> and I'm in need of an HTTPS MITM proxy so I can do some traffic
> analysis. I'm running OpenBSD 6.6 as my firewall at home doing NAT and
> providing some other network plumbing (great term btw!). I have been
> exploring relayd to do this intercept on the firewall. Currently I have
> this config for a TLS proxy:
>
> log connection
>
> http protocol httpfilter {
>         return error
>         pass
>         match url log
>
>         tls ca key "/etc/ssl/private/ca.key" password "stinkbutt"
>         tls ca cert "/etc/ssl/ca.crt"
> }
>
> relay tlsmitm {
>         listen on 127.0.0.1 port 8443 tls
>         protocol httpfilter
>         forward with tls to destination
> }
>
> EOF
>
> The issues I'm having are twofold. First off, I can't, for the life of
> me, get anything to appear in the log (/var/log/daemon) except for the
> usual daemon starts and stops. Secondly, I'd really like to dump all of
> the traffic à la tcpdump, but I don't really see a place to do so (no
> unencrypted data passes through an interface AFAIK).
>
> I'm hoping someone might be able to steer me in the right direction
> and maybe let me know if I'm using the wrong tool for the job.
>
> Thank you,
>
> CJ
>
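As an added illustration of the "point them through your router" path Tim describes (this is not part of either message), here is the pf.conf divert rule that pairs with the relayd configuration CJ quoted. The interface name, the IoT subnet and the assumption that the devices' traffic enters the firewall on that interface are mine; the relay and protocol blocks are CJ's, with the CA key password replaced by a placeholder.

```conf
# /etc/pf.conf (excerpt). Assumed names: em1 is the LAN interface facing
# the IoT devices and 192.168.10.0/24 is their subnet; both are placeholders.
int_if = "em1"
iot_net = "192.168.10.0/24"

# Redirect the devices' outbound HTTPS into the local relayd listener.
# Without a rule like this nothing reaches 127.0.0.1:8443, so relayd has
# nothing to log beyond its own start and stop messages.
pass in quick on $int_if inet proto tcp from $iot_net to any port 443 \
    divert-to 127.0.0.1 port 8443

# /etc/relayd.conf: the relay from the quoted message.
log connection

http protocol httpfilter {
        return error
        pass
        match url log

        # relayd re-signs each intercepted server certificate with this CA.
        # ca.crt must be installed as trusted on every device you inspect;
        # a device that does not trust it will (correctly) reject the handshake.
        tls ca key "/etc/ssl/private/ca.key" password "<ca-key-passphrase>"
        tls ca cert "/etc/ssl/ca.crt"
}

relay tlsmitm {
        listen on 127.0.0.1 port 8443 tls
        protocol httpfilter
        # "destination" is the diverted connection's original server address
        forward with tls to destination
}
```

Validate both files before loading them with `pfctl -nf /etc/pf.conf` and `relayd -n`. To confirm the divert and the re-signing are in effect, run `openssl s_client -connect <host>:443 -CAfile /etc/ssl/ca.crt` from a host on the IoT subnet: the certificate chain it prints should end at your CA rather than the site's public issuer. A device that does not have ca.crt in its trust store fails at exactly that point, which is the limitation Tim's reply describes; no amount of firewall configuration gets around it.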