sslsplit

HTTPS failing because ClientHello cannot be parsed

Open mincymathew opened this issue 5 years ago • 2 comments

[root@c240-wzp2322007 ~]# curl -v -x 172.29.148.11:10025 --key /root/ca.key --cert /root/ca.crt --tlsv1.2 https://172.22.254.126
* About to connect() to proxy 172.29.148.11 port 8443 (#0)
*   Trying 172.29.148.11...
* Connected to 172.29.148.11 (172.29.148.11) port 8443 (#0)
* Establish HTTP proxy tunnel to 172.22.254.126:443
> CONNECT 172.22.254.126:443 HTTP/1.1
> Host: 172.22.254.126:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Recv failure: Connection reset by peer
* Received HTTP code 0 from proxy after CONNECT
* Connection #0 to host 172.29.148.11 left intact
curl: (56) Recv failure: Connection reset by peer

sslsplit -D -l connections.log -j /tmp/sslsplit/ -S /tmp/sslsplit/ -P -k /home/mimathew/MyClient1.key -c /home/mimathew/MyClient1.pem autossl 172.29.148.11 10025 https 172.29.148.11 8443 173.36.240.184 443 http 172.29.148.11 8080 173.36.240.184 80

TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40139
Checking for a client hello parsing buffer of sz 120 candidate at offset 0 : 43 : 4f : 4e : 4e
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40137
 : 45 : 43 : 54 : 20
TCP disconnected to [172.29.148.11]:10025
 : 31 : 37 : 32 : 2e
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40133
 : 32 : 32 : 2e : 32 : 35
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40131
 : 34
TCP disconnected from [172.29.148.11]:40135
 : 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 20 : 48 : 54 : 54 : 50 : 2f : 31 : 2e
TCP disconnected to [172.29.148.11]:10025
TCP disconnected to [172.29.148.11]:10025
 : 31 : 0d : 0a
TCP disconnected from [172.29.148.11]:40129
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40125
 : 48 : 6f
TCP disconnected from [172.29.148.11]:40127
 : 73 : 74 : 3a : 20 : 31 : 37 : 32 : 2e : 32 : 32 : 2e : 32 : 35 : 34 : 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 0d : 0a : 55 : 73 : 65 : 72 : 2d : 41 : 67 : 65 : 6e : 74 : 3a : 20 : 63 : 75 : 72 : 6c : 2f : 37 : 2e : 32 : 39 : 2e : 30 : 0d : 0a : 50 : 72 : 6f : 78 : 79 : 2d : 43 : 6f : 6e : 6e : 65 : 63 : 74 : 69 : 6f : 6e : 3a : 20 : 4b : 65 : 65 : 70 : 2d : 41 : 6c : 69 : 76 : 65 : 0d : 0a : 0d : 0a
===> No match: rv 1, *clienthello NULL
Peek found no ClientHello
Received privsep req type 00 sz 1 on srvsock 15
Received privsep req type 00 sz 1 on srvsock 13
Child pid 175217 exited with status 0

sslsplit fails to find a ClientHello. This goes on in a loop and sslsplit finally exits.

mincymathew, Feb 05 '21 20:02
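The 120 bytes in the "Checking for a client hello" dump above decode to exactly the HTTP CONNECT request that curl printed (`CONNECT 172.22.254.126:443 HTTP/1.1` and its headers): the first byte is 0x43 ('C'), not the 0x16 that opens a TLS Handshake record, so nothing looking for a ClientHello can match. The following block is an added example, not sslsplit's own parser (that one is C in the sslsplit tree and is not reproduced here): it reassembles the dumped bytes from the issue, runs a small ClientHello peek over them and, for contrast, over a constructed TLS 1.2 ClientHello carrying an SNI. The function names, the `describe_peek` classification and the constructed ClientHello are this example's own assumptions.

```python
import struct

# Constructed from the issue: the 120 bytes sslsplit hex-dumped in its
# "Checking for a client hello" debug line, reassembled in order.
LOG_PEEK = bytes.fromhex(
    "43 4f 4e 4e 45 43 54 20 31 37 32 2e 32 32 2e 32 35 34 2e 31 32 36 3a 34 34 33 20 "
    "48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 "
    "31 37 32 2e 32 32 2e 32 35 34 2e 31 32 36 3a 34 34 33 0d 0a "
    "55 73 65 72 2d 41 67 65 6e 74 3a 20 63 75 72 6c 2f 37 2e 32 39 2e 30 0d 0a "
    "50 72 6f 78 79 2d 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a "
    "0d 0a"
)

HTTP_METHODS = (b"CONNECT", b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def peek_client_hello(buf):
    """Parse a TLS ClientHello at the start of buf; return {'version', 'sni'} or None.

    Checks, in order: a Handshake record (type 0x16) with a 3.x version, the record
    fully buffered, a ClientHello (handshake type 0x01) fully inside it, then walks
    client_version, random, session_id, cipher_suites and compression_methods to reach
    the extensions and pull out server_name. Plaintext HTTP or a truncated record
    yields None, which is the "Peek found no ClientHello" situation in the log.
    """
    if len(buf) < 5:
        return None
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", buf[:5])
    if ctype != 0x16 or vmaj != 3 or vmin > 4:
        return None
    rec = buf[5:5 + rec_len]
    if len(rec) < rec_len or rec_len < 4 or rec[0] != 0x01:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 35:
        return None
    version = (body[0], body[1])
    pos = 34                                  # client_version (2) + random (32)
    pos += 1 + body[pos]                      # session_id
    if pos + 2 > hs_len:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > hs_len:
        return None
    pos += 1 + body[pos]                      # compression_methods
    sni = None
    if pos + 2 <= hs_len:
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, hs_len):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(data) >= 5 and data[2] == 0:   # server_name, host_name entry
                n = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + n].decode("ascii", "replace")
    return {"version": version, "sni": sni}


def describe_peek(buf):
    """Classify the first bytes of a connection: TLS ClientHello, plaintext HTTP, or unknown."""
    hello = peek_client_hello(buf)
    if hello is not None:
        return ("tls", hello["version"], hello["sni"])
    if buf.split(b" ", 1)[0] in HTTP_METHODS:
        return ("http", buf.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return ("unknown", None)


def build_client_hello(sni):
    """Construct a minimal TLS 1.2 ClientHello record with one SNI (test input only)."""
    host = sni.encode("ascii")
    name = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host     # server_name list
    ext = struct.pack("!HH", 0, len(name)) + name                      # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, all-zero random, empty session id
            + struct.pack("!HH", 2, 0xC02F)          # one cipher suite
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(describe_peek(LOG_PEEK))                        # the bytes from the issue
    print(describe_peek(build_client_hello("example.com")))
```

Running it prints `('http', 'CONNECT 172.22.254.126:443 HTTP/1.1')` for the dumped buffer and a `tls` tuple for the constructed hello. The practical point: a proxyspec that peeks for TLS has to be given the raw client-to-server bytes, which is what a packet-filter redirect delivers; pointing curl at it with `-x` delivers an HTTP proxy request instead.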

When I give a fwdaddr, the packet looping issue goes away. How can this work for SSL requests coming in for multiple unknown destination servers? Perhaps I am configuring something wrong.

mincymathew, Feb 08 '21 20:02

I see that you have a proxyspec like autossl 172.29.148.11 10025 in your sslsplit command line, but then you also use the same IP:port pair 172.29.148.11:10025 as the proxy in your curl command line. That's not how you are supposed to redirect traffic to sslsplit. You should redirect traffic using a packet filtering rule, such as the following on OpenBSD/pf:

pass in log quick on $int_if proto tcp from $int_net to !$int_if port submission divert-to lo port 8466

Note that the above rule does not redirect the traffic destined to $int_if. But in your setup you do redirect it, and in fact, that's why you get an infinite redirection, I think. I have never used autossl with http/s, and the above pf rule is for smtp, but they should be similar. You can find sample packet filter rules on the sslsplit man page.

sonertari, Feb 14 '21 21:02
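To make the loop argument concrete, here is an added toy model (not sslsplit or pf code) of how a proxyspec without a fwdaddr decides where to connect: it asks the packet filter for the destination the client originally used, and for a connection made straight to the listener that destination is the listener itself. The model assumes a divert rule is evaluated for every new TCP connection on the host, including the proxy's own outbound ones, unless the rule is restricted to inbound traffic the way `pass in on $int_if` is; the addresses, the `DivertRule` fields and the `trace` function are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses taken from the issue: the autossl listener and one real server.
LISTENER = ("172.29.148.11", 10025)
SERVER = ("173.36.240.184", 443)


@dataclass(frozen=True)
class DivertRule:
    """Model of: pass in on $int_if proto tcp from $int_net to !<not_to> port <ports> divert-to <listener>."""
    from_net: str                      # $int_net
    ports: frozenset                   # destination ports the rule matches
    not_to: frozenset = frozenset()    # destinations excluded with 'to !$int_if'
    inbound_only: bool = True          # 'pass in on $int_if': the proxy's own outbound connections are not seen

    def matches(self, src, dst, from_proxy):
        if self.inbound_only and from_proxy:
            return False
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.from_net)
                and dst[1] in self.ports and dst[0] not in self.not_to)


def trace(src, dst, listener, rule=None, fwdaddr=None, max_hops=4):
    """Follow one client connection until it reaches a server or comes back to the listener."""
    hops, from_proxy = [], False
    for _ in range(max_hops):
        diverted = rule is not None and rule.matches(src, dst, from_proxy)
        if not diverted and dst != listener:
            hops.append(("server", dst))
            return hops
        # The connection is on the proxy listener: diverted there, or addressed to it
        # directly as curl -x does in the issue. Without a fwdaddr the proxy uses the
        # packet filter's lookup, which returns the client's pre-divert destination.
        target = fwdaddr if fwdaddr is not None else dst
        hops.append(("proxy", target))
        if target == listener:
            hops.append(("loop", target))
            return hops
        src, dst, from_proxy = listener[0], target, True   # the proxy's own outbound connection
    hops.append(("loop", dst))
    return hops


def scenarios():
    """Return the outcome of each setup discussed in the issue."""
    good = DivertRule("172.29.148.0/24", frozenset({443}), not_to=frozenset({"172.29.148.11"}))
    catches_own = DivertRule("172.29.148.0/24", frozenset({443}), inbound_only=False)
    return {
        # curl -x straight at the autossl listener, no fwdaddr: lookup yields the listener
        "issue": trace("172.29.148.11", LISTENER, LISTENER),
        # same, but the proxyspec has a fwdaddr: no lookup, but only one destination ever
        "fwdaddr": trace("172.29.148.11", LISTENER, LISTENER, fwdaddr=SERVER),
        # proper inbound-only divert with 'to !$int_if': any server is resolved correctly
        "divert": trace("172.29.148.50", SERVER, LISTENER, rule=good),
        "divert_other": trace("172.29.148.50", ("93.184.216.34", 443), LISTENER, rule=good),
        # traffic to the proxy host itself is left alone by the exclusion
        "to_int_if": trace("172.29.148.50", ("172.29.148.11", 443), LISTENER, rule=good),
        # a rule that also catches the proxy's outbound connections redirects them forever
        "catches_own": trace("172.29.148.50", SERVER, LISTENER, rule=catches_own),
    }


if __name__ == "__main__":
    for name, hops in scenarios().items():
        print(f"{name:12s} {hops}")
```

The `divert` and `divert_other` cases are the answer to the "multiple unknown destination servers" question: with a correctly scoped redirect rule the lookup hands the proxy each client's real destination, so no fwdaddr is needed.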