sslsplit | Transparent SSL/TLS interception | TLS library

 by   droe C Version: 0.5.5 License: BSD-2-Clause

kandi X-RAY | sslsplit Summary

kandi X-RAY | sslsplit Summary

sslsplit is a C library typically used in Security, TLS applications. sslsplit has no bugs, it has no vulnerabilities, it has a Permissive License and it has medium support. You can download it from GitHub.

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. It is intended to be useful for network forensics, application security analysis and penetration testing. SSLsplit is designed to transparently terminate connections that are redirected to it using a network address translation engine. SSLsplit then terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. Besides NAT based operation, SSLsplit also supports static destinations and using the server name indicated by SNI as upstream destination. SSLsplit is purely a transparent proxy and cannot act as a HTTP or SOCKS proxy configured in a browser. SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. It also has the ability to dynamically upgrade plain TCP to SSL in order to generically support SMTP STARTTLS and similar upgrade mechanisms. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. Depending on the version of OpenSSL built against, SSLsplit supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL 2.0 as well. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, mimicking the original server certificate's subject DN, subjectAltName extension and other characteristics. SSLsplit has the ability to use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates but otherwise does not implement exploits against specific certificate verification vulnerabilities in SSL/TLS stacks. SSLsplit implements a number of defences against mechanisms which would normally prevent MitM attacks or make them more difficult. SSLsplit can deny OCSP requests in a generic way. For HTTP and HTTPS connections, SSLsplit mangles headers to prevent server-instructed public key pinning (HPKP), avoid strict transport security restrictions (HSTS), avoid Certificate Transparency enforcement (Expect-CT) and prevent switching to QUIC/SPDY, HTTP/2 or WebSockets (Upgrade, Alternate Protocols). HTTP compression, encodings and keep-alive are disabled to make the logs more readable. Logging options include traditional SSLsplit connect and content log files as well as PCAP files and mirroring decrypted traffic to a network interface. Additionally, certificates, master secrets and local process information can be logged. See the manual page sslsplit(1) for details on using SSLsplit and setting up the various NAT engines.
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              sslsplit has a medium active ecosystem.
              It has 1611 star(s) with 326 fork(s). There are 101 watchers for this library.
              OutlinedDot
              It had no major release in the last 6 months.
              There are 66 open issues and 173 have been closed. On average issues are closed in 60 days. There are 8 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of sslsplit is 0.5.5

            kandi-Quality Quality

              sslsplit has 0 bugs and 0 code smells.

            kandi-Security Security

              sslsplit has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              sslsplit code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              sslsplit is licensed under the BSD-2-Clause License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              sslsplit releases are not available. You will need to build from source code and install.
              Installation instructions, examples and code snippets are available.
              It has 273 lines of code, 24 functions and 3 files.
              It has high code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of sslsplit
            Get all kandi verified functions for this library.

            sslsplit Key Features

            No Key Features are available at this moment for sslsplit.

            sslsplit Examples and Code Snippets

            No Code Snippets are available at this moment for sslsplit.

            Community Discussions

            QUESTION

            PF header net/pfvar.h on OSX missing
            Asked 2019-Aug-09 at 23:04

            PF (packet filter) is a kernel-level firewall, included in BSD-like kernels (Darwin kernel is basically BSD), and BSD man pages provide detailed documentation about these headers, letting control PF programmatically. PF is included in OSX kernel, even though it's disabled by default.

            I know it's possible to control PF in OSX someway, because applications like Murus exist, providing user-friendly GUI for this low-level "king of firewalls", and this API is not not manual /etc/pf.conf parsing, as I suspected first.

            Any way to add these headers and control PF from my OSX applications?

            MacOS Sierra 10.12.6

            Xcode 9.2 (9C40b)

            UPDATE Some information I found, a bit out-of-date though

            ...

            ANSWER

            Answered 2019-Aug-09 at 23:04

            the you are looking for is at the link below (for MacOS Mojave and Catalina) - Older versions are also available.

            https://opensource.apple.com/source/xnu/xnu-4903.221.2/bsd/net/pfvar.h.auto.html

            Here is for the MacOS Sierra:

            https://opensource.apple.com/source/xnu/xnu-3789.70.16/bsd/net/pfvar.h.auto.html

            If you need a full working application example, I ported pfctl from BSD to MacOS and compiled it using all the MacOS kernel headers and system libraries. I can upload the full working source-code tree on GitHub for you. Currently I am using it on Catalina, and I can control anything on the PF subsystem. You can then learn from it and use the routines on your app. The code, functions and parameters are simple to understand and can easily meet your needs.

            Source https://stackoverflow.com/questions/56625607

            QUESTION

            unfamiliar function declaration in c
            Asked 2018-Oct-08 at 22:56

            I was looking into SslSplit code. And I faced some unfamiliar, strange function declarations in opts.h file. Definition of those functions are quite straightforward but I could use some help about declarations. Here it is:

            opts.h:

            ...

            ANSWER

            Answered 2018-Oct-08 at 22:46

            As you pointed out yourself, NONNULL and MALLOC are just macros. Their replacement starts with __attribute__ which is a compiler extension keyword, used to define attributes in a function.

            The __VA_ARGS__ is the replacement for the variable number of arguments in a macro (declared with the ...). So this declaration:

            Source https://stackoverflow.com/questions/52710838

            QUESTION

            How to upgrade to python 3.6.4 on macos?
            Asked 2018-Jan-15 at 21:03

            I'm trying to use python 3.6.4:

            ...

            ANSWER

            Answered 2018-Jan-15 at 17:14

            To update python run brew update in the Terminal (this will update Homebrew) Then brew upgrade python3 At the end you can run brew cleanup python3 to remove the older version

            Source https://stackoverflow.com/questions/48267740

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install sslsplit

            With the requirements above available, run:. Dependencies are autoconfigured using pkg-config. If dependencies are not picked up and fixing PKG_CONFIG_PATH does not help, you can specify their respective locations manually by setting OPENSSL_BASE, LIBEVENT_BASE, LIBPCAP_BASE, LIBNET_BASE and/or CHECK_BASE to the respective prefixes. You can override the default install prefix (/usr/local) by setting PREFIX. For more build options and build-time defaults see GNUmakefile and defaults.h.

            Support

            See the manual pages sslsplit(1) and sslsplit.conf(5) for user documentation. See NEWS.md for release notes listing significant changes between releases and SECURITY.md for information on security vulnerability disclosure.
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            CLONE
          • HTTPS

            https://github.com/droe/sslsplit.git

          • CLI

            gh repo clone droe/sslsplit

          • sshUrl

            git@github.com:droe/sslsplit.git

          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Consider Popular TLS Libraries

            mkcert

            by FiloSottile

            v2rayN

            by 2dust

            acme.sh

            by acmesh-official

            nginxconfig.io

            by digitalocean

            v2ray

            by 233boy

            Try Top Libraries by droe

            xnumon

            by droeC

            acefile

            by droePython

            hopper-scripts

            by droePython

            fiked

            by droeC