2013/11/28 Stuart Henderson <[email protected]>:
> On 2013/11/28 15:52, Stuart Henderson wrote:
>> -- -- --
>> SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
>> encrypted network connections. Connections are transparently intercepted
>> through a firewall/network address translation engine and redirected to
>> SSLsplit.
>>
>> SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to
>> the original destination address, while logging all data transmitted.
>> SSLsplit is intended to be useful for network forensics and penetration
>> testing.
>>
>> SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over
>> both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates
>> and signs forged X509v3 certificates on-the-fly, based on the original
>> server certificate subject DN and subjectAltName extension. SSLsplit
>> fully supports Server Name Indication (SNI) and is able to work with
>> RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can
>> also use existing certificates of which the private key is available,
>> instead of generating forged ones. SSLsplit supports NULL-prefix CN
>> certificates and can deny OCSP requests in a generic way. SSLsplit
>> removes HPKP response headers in order to prevent public key pinning.
>> -- -- --
>>
>> OK to import?
>>
>
>
> PS pretend that .todo is not present :)

What .todo? ;)

Two nits:

1) "network" would probably be more appropriate than "www" in
   CATEGORIES, no?

2) Three tests fail on i386 (see below); is this known and acceptable? If
   not, I could take a look at them.

Otherwise, looks okay.

--
  WBR,
  Vadim Zhukov


===>  Regression tests for sslsplit-0.4.7
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o util.t.o \
        -x c util.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o url.t.o \
        -x c url.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o main.t.o \
        -x c main.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o cachedsess.t.o \
        -x c cachedsess.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o cachemgr.t.o \
        -x c cachemgr.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o cachetgcrt.t.o \
        -x c cachetgcrt.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o ssl.t.o \
        -x c ssl.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o opts.t.o \
        -x c opts.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o cachefkcrt.t.o \
        -x c cachefkcrt.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o cert.t.o \
        -x c cert.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o cachessess.t.o \
        -x c cachessess.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o dynbuf.t.o \
        -x c dynbuf.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o sys.t.o \
        -x c sys.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" 
-isystem/usr/local/include -O2 -pipe -pthread -pthread -std=c99 -Wall -Wextra 
-pedantic -D_FORTIFY_SOURCE=2 -pthread -o base64.t.o \
        -x c base64.t.c
cc -c -D_GNU_SOURCE -isystem/usr/include -isystem/usr/local/include 
-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW -D"BNAME=\"sslsplit\"" 
-D"PNAME=\"SSLsplit\"" -D"VERSION=\"0.4.7\"" -D"BUILD_DATE=\"2013-11-28\"" 
-D"FEATURES=\"-DDISABLE_SSLV2_SESSION_CACHE -DHAVE_PF -DHAVE_IPFW\"" -O2 -pipe 
-pthread -pthread -std=c99 -Wall -Wextra -pedantic -D_FORTIFY_SOURCE=2 -o 
version.o version.c
cc -L/usr/lib -L/usr/local/lib -pthread -L/usr/local/lib -o sslsplit.test 
util.t.o url.t.o main.t.o cachedsess.t.o cachemgr.t.o cachetgcrt.t.o ssl.t.o 
opts.t.o cachefkcrt.t.o cert.t.o cachessess.t.o dynbuf.t.o sys.t.o base64.t.o 
cachemgr.o cachessess.o pxythrmgr.o ssl.o dynbuf.o logger.o proxy.o pxyconn.o 
cache.o util.o url.o cachedsess.o version.o nat.o base64.o log.o cachetgcrt.o 
thrqueue.o sys.o opts.o pxysslshut.o cachefkcrt.o cert.o logbuf.o  -lssl 
-lcrypto -levent_openssl -levent_pthreads -levent_extra -levent_core  -lcheck
/usr/local/lib/libevent_core.so.1.0: warning: random() isn't random; consider 
using arc4random()
/usr/local/lib/libcheck.so.2.0: warning: strcpy() is almost always misused, 
please use strlcpy()
rm -f extra/pki/session.pem
gmake -C extra/pki testreqs session
gmake[1]: Entering directory 
'/usr/obj/p/sslsplit-0.4.7/sslsplit-0.4.7/extra/pki'
openssl genrsa -out rsa.key 1024
Generating RSA private key, 1024 bit long modulus
.........................++++++
..........++++++
e is 65537 (0x10001)
openssl req -new -nodes -x509 -sha1 -out rsa.crt -key rsa.key \
        -config x509v3ca.cnf -extensions v3_ca \
        -subj '/C=CH/O=SSLsplit Root CA/CN=SSLsplit Root CA/' \
        -set_serial 0 -days 3650
cat rsa.crt rsa.key >rsa.pem
mkdir -p targets
openssl genrsa -out targets/daniel.roe.ch.key 1024
Generating RSA private key, 1024 bit long modulus
.........................................++++++
..............++++++
e is 65537 (0x10001)
openssl req -new -sha1 -subj '/C=CH/CN=daniel.roe.ch/' \
        -key targets/daniel.roe.ch.key \
        -out targets/daniel.roe.ch.csr
openssl x509 -req -sha1 -CAcreateserial -days 365 \
        -CA rsa.crt -CAkey rsa.key \
        -in targets/daniel.roe.ch.csr \
        -out targets/daniel.roe.ch.crt
Signature ok
subject=/C=CH/CN=daniel.roe.ch
Getting CA Private Key
cat targets/daniel.roe.ch.crt targets/daniel.roe.ch.key rsa.crt \
        >targets/daniel.roe.ch.pem
rm -f targets/daniel.roe.ch.{key,csr,crt}
openssl genrsa -out targets/wildcard.roe.ch.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
..........++++++
e is 65537 (0x10001)
openssl req -new -sha1 -subj '/C=CH/CN=*.roe.ch/' \
        -key targets/wildcard.roe.ch.key \
        -out targets/wildcard.roe.ch.csr
openssl x509 -req -sha1 -CAcreateserial -days 365 \
        -CA rsa.crt -CAkey rsa.key \
        -in targets/wildcard.roe.ch.csr \
        -out targets/wildcard.roe.ch.crt
Signature ok
subject=/C=CH/CN=*.roe.ch
Getting CA Private Key
cat targets/wildcard.roe.ch.crt targets/wildcard.roe.ch.key rsa.crt \
        >targets/wildcard.roe.ch.pem
rm -f targets/wildcard.roe.ch.{key,csr,crt} rsa.srl
openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
........................++++++
......................................++++++
e is 65537 (0x10001)
openssl req -new -nodes -x509 -sha1 -out server.crt -key server.key \
        -config x509v3ca.cnf -extensions v3_crt \
        -subj '/C=CH/O=SSLsplit Test Certificate/CN=daniel.roe.ch/' \
        -set_serial 42 -days 365
cat server.crt server.key >server.pem
( \
echo 'GET /test/SSLsplit-0.4.7 HTTP/1.1'; \
echo 'Host: daniel.roe.ch'; \
echo 'Connection: close'; \
echo ) | openssl s_client -connect daniel.roe.ch:443 \
        -quiet -crlf -no_ign_eof -sess_out session.pem >/dev/null 2>&1
test -r session.pem
gmake[1]: Leaving directory '/usr/obj/p/sslsplit-0.4.7/sslsplit-0.4.7/extra/pki'
./sslsplit.test
Running suite(s):
 main
 opts
 dynbuf
 cert
 cachemgr
 cachefkcrt
 cachetgcrt
 cachedsess
 cachessess
 ssl
 sys
 base64
 url
 util
97%: Checks: 112, Failures: 3, Errors: 0
cert.t.c:66:F:cert_refcount_inc:cert_refcount_inc_01:0: refcount mismatch
cachefkcrt.t.c:116:F:cache_fkcrt:cache_fkcrt_04:0: refcount != 0
cachetgcrt.t.c:114:F:cache_tgcrt:cache_tgcrt_04:0: refcount != 0
GNUmakefile:280: recipe for target 'test' failed
gmake: *** [test] Error 1
*** Error 2 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2711 
'/usr/obj/p/sslsplit-0.4.7/.test_done')
*** Error 1 in /usr/ports/mystuff/security/sslsplit 
(/usr/ports/infrastructure/mk/bsd.port.mk:2397 'test')
