SSLproxy
Environment: sslproxy deployed on a web server. I can access the web normally using an HTTP proxy, but not using HTTPS. Can you take a look at the traffic logs I intercepted? Is there a redirection issue? Thank you.
[root@iZuf62gz7wcz2kez5kk495Z ~]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/httpd.crt https 0.0.0.0 10443 up:443 -X q.pcap -D4
SSLproxy v0.9.4 (built 2023-04-20)
Copyright (c) 2017-2022, Soner Tari [email protected]
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger [email protected]
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.0.2k 26 Jan 2017 (100020bf)
rtlinked against OpenSSL 1.0.2k-fips 26 Jan 2017 (100020bf)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: ssl3 tls10 tls11 tls12
SSL/TLS algorithm availability: SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.5.3
compiled against sqlite 3.7.5
rtlinked against sqlite 3.7.5
4 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:
- listen=[0.0.0.0]:10443 ssl|http netfilter
divert addr= [127.0.0.1]:443
return addr= [127.0.0.1]:0
opts= conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
divert||
Loaded Global CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
Loaded ProxySpec CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
SSL/TLS leaf certificates taken from:
- Global generated on the fly
Privsep fastpath disabled
Created self-pipe [r=4,w=5]
Created chld-pipe [r=6,w=7]
Created socketpair 0 [p=8,c=9]
Created socketpair 1 [p=10,c=11]
Created socketpair 2 [p=12,c=13]
Created socketpair 3 [p=14,c=15]
Created socketpair 4 [p=16,c=17]
Created socketpair 5 [p=18,c=19]
Privsep parent pid 2578
Privsep child pid 2579
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 9 on srvsock 8
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 10
Received privsep req type 00 sz 1 on srvsock 12
Received privsep req type 00 sz 1 on srvsock 14
Inserted events:
0xfeae88 [fd 5] Read Persist Internal
0xfeb060 [fd 7] Read Persist Internal
0xfea1b8 [fd 8] Read Persist
0xfebb20 [sig 1] Signal Persist
0xfebc50 [sig 2] Signal Persist
0xfeb9f0 [sig 3] Signal Persist
0xfebeb0 [sig 10] Signal Persist
0xfebd80 [sig 13] Signal Persist
0xfeb290 [sig 15] Signal Persist
0xfec000 [fd -1] Persist Timeout=1682239211.430419
Active events:
Initialized 8 connection handling threads
Received privsep req type 00 sz 1 on srvsock 18
Started 8 connection handling threads
Starting main event loop.
SNI peek: [n/a] [complete], fd=43
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=45
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=47
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=49
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=51
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=53
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=55
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=57
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=59
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=61
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=62
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=65
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=66
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=69
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=71
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=73
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=75
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=77
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=79
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=81
Connecting to [172.16.0.167]:10443
SNI peek: [n/a] [complete], fd=83
You don't mention any listening program in your report.
So I think you need two things:
- Redirect https traffic to port 10443, which I hope/assume you already do
- Run a listening program at port 443, which I think you don't
But you can run sslproxy in split mode too, in which case you don't need a listening program. So I don't know the details of your setup, but you can try the following proxyspec:
https 127.0.0.1 10443 127.0.0.1 443
Or use the IP address of your http server in place of the second 127.0.0.1 above.
Btw, perhaps you need sslsplit, not sslproxy?
Is the error reported below due to an error in my certificate?
Do you see any issues with the keys httpd.key and httpd.crt used on my command line? Should there be a file with the suffix .pem?
[root@iZuf62gz7wcz2kez5kk495Z SSLproxy]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/httpd.crt https 0.0.0.0 10443 0.0.0.0 443 -X q.pcap -D4
SSLproxy v0.9.4 (built 2023-04-20)
Copyright (c) 2017-2022, Soner Tari [email protected]
https://github.com/sonertari/SSLproxy
Copyright (c) 2009-2019, Daniel Roethlisberger [email protected]
https://www.roe.ch/SSLsplit
Build info: V:GIT
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.0.2k 26 Jan 2017 (100020bf)
rtlinked against OpenSSL 1.0.2k-fips 26 Jan 2017 (100020bf)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: ssl3 tls10 tls11 tls12
SSL/TLS algorithm availability: SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.12-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.5.3
compiled against sqlite 3.7.5
rtlinked against sqlite 3.7.5
4 CPU cores detected
Generated 2048 bit RSA key for leaf certs.
Global conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
proxyspecs:
- listen=[0.0.0.0]:10443 ssl|http
connect= [0.0.0.0]:443
opts= conn opts: negotiate|ALL:-aNULL|TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256|no ecdhcurve|no leafcrlurl|remove_http_referer|verify_peer|no user_auth_url|300|8192
split||
Loaded Global CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
Loaded ProxySpec CA: '/C=cn/ST=cn/O=cn/OU=cn/CN=cn'
SSL/TLS leaf certificates taken from:
- Global generated on the fly
Privsep fastpath disabled
Created self-pipe [r=4,w=5]
Created chld-pipe [r=6,w=7]
Created socketpair 0 [p=8,c=9]
Created socketpair 1 [p=10,c=11]
Created socketpair 2 [p=12,c=13]
Created socketpair 3 [p=14,c=15]
Created socketpair 4 [p=16,c=17]
Created socketpair 5 [p=18,c=19]
Privsep parent pid 2654
Privsep child pid 2657
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 9 on srvsock 8
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 10
Received privsep req type 00 sz 1 on srvsock 12
Received privsep req type 00 sz 1 on srvsock 14
Inserted events:
Received privsep req type 00 sz 1 on srvsock 18
0x2420fc8 [fd 5] Read Persist Internal
0x24211a0 [fd 7] Read Persist Internal
0x2420828 [fd 8] Read Persist
0x2421af0 [sig 1] Signal Persist
0x2421c20 [sig 2] Signal Persist
0x2420ef0 [sig 3] Signal Persist
0x2421e80 [sig 10] Signal Persist
0x2421d50 [sig 13] Signal Persist
0x24201c0 [sig 15] Signal Persist
0x2421fd0 [fd -1] Persist Timeout=1682254078.759666
Active events:
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.
SNI peek: [n/a] [complete], fd=43
Connecting to [0.0.0.0]:443
Client-side BEV_EVENT_ERROR
Error from bufferevent: 0:- 336134278:134:certificate verify failed:20:SSL routines:144:ssl3_get_server_certificate
Additional SSL error: 1:1:-:0:-:0:-
SSL_free() in state 00003005 = SSL_ST_CONNECT|SSL_ST_ACCEPT|0005 = SSLERR (error) [connect socket]
SNI peek: [n/a] [complete], fd=43
Connecting to [0.0.0.0]:443
Client-side BEV_EVENT_ERROR
Error from bufferevent: 0:- 336134278:134:certificate verify failed:20:SSL routines:144:ssl3_get_server_certificate
Additional SSL error: 1:1:-:0:-:0:-
SSL_free() in state 00003005 = SSL_ST_CONNECT|SSL_ST_ACCEPT|0005 = SSLERR (error) [connect socket]
[... the same six lines repeat identically for every further connection attempt ...]
Is there a problem with this public key format and the format defined in sslproxy?
[root@iZuf62gz7wcz2kez5kk495Z ssl]# sslproxy -k /root/ssl/httpd.key -c /root/ssl/cacert.pem https 0.0.0.0 10443 0.0.0.0 443 -X q.pcap -D4
sslproxy: CA cert does not match key in ProxySpec.
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: CERTIFICATE
140439748397120:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib:ssl_rsa.c:484:
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY
140439748397120:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:649:
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: DH PARAMETERS
140439748397120:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:343:
You should use a CA cert/key pair with sslproxy. I see above that sslproxy complains about not matching key and cert. So you should generate a CA cert/key pair and use them on your sslproxy command line.
And you should install the CA cert to the web browser too. However, I don't know your setup, but it seems like you are trying to run sslproxy as a reverse proxy. If that's the case, you cannot install it to the web browsers of those remote clients, of course, in which case there is no solution but to ask the person connecting to install the CA cert to his/her web browser him/herself.
Also, another reason for those errors may be related to cert verification. You can disable server cert verification in sslproxy. But you should use a config file for that, and set the VerifyPeer option to no.
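The two failures the maintainer points at above (a cert whose key does not match, and a file OpenSSL cannot read as a CERTIFICATE block) can be checked before sslproxy is ever started. The script below is an added example and not part of the SSLproxy project; the file names, the CA subject and the helper names (`pem_is_cert`, `cert_matches_key`, `make_ca`, `check_pair`) are assumptions constructed for it. It generates a throwaway CA cert/key pair with openssl, compares the public key inside the certificate with the one derived from the private key, and reproduces both error cases from the thread. The VerifyPeer setting is not touched here, since that belongs in the sslproxy config file as the maintainer says.

```shell
#!/bin/sh
# Added example, not SSLproxy's own code: sanity-check a CA cert/key pair
# before handing it to "sslproxy -c <cert> -k <key>". File names, the CA
# subject and the function names are constructed for this example.
set -u

# Succeeds only if the file carries a PEM certificate block. A file without
# one is what produces "PEM_read_bio:no start line ... Expecting: CERTIFICATE".
pem_is_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeeds only if the public key inside cert $1 equals the public key derived
# from private key $2 (both compared as SubjectPublicKeyInfo PEM text). A
# mismatch is what "CA cert does not match key" / "key values mismatch" report.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Create a self-signed CA cert/key pair (ca.crt / ca.key) in directory $1.
# sslproxy's -c/-k expect a CA pair like this, not a server certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example-sslproxy-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Report the first problem with a cert/key pair; returns 0 only for a usable pair.
check_pair() {
    if ! pem_is_cert "$1"; then
        echo "not a PEM CERTIFICATE: $1"
        return 1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "cert does not match key: $1 / $2"
        return 1
    fi
    echo "ok: $1 matches $2"
}

# Walk through the cases from the thread with throwaway files.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    d=$(mktemp -d)
    make_ca "$d"
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    check_pair "$d/ca.crt" "$d/ca.key"      # a proper CA pair
    check_pair "$d/ca.crt" "$d/other.key"   # cert and an unrelated key
    check_pair "$d/ca.key" "$d/ca.key"      # a key file given where a cert is expected
    rm -rf "$d"
}

demo
```

Run it as-is to see the three outcomes; to check a real pair, call `check_pair /path/to/ca.crt /path/to/ca.key` after sourcing the file. The comparison goes through the public keys rather than an RSA modulus so that it also works for EC keys.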
Thank you for your answer.
Could you please tell me where this configuration file is?
Can this sslproxy be deployed on devices without an IP, which means it is strung into the architecture in a transparent mode? Can this be achieved?
Thank you very much for your answer.
You can find a sample config file in the sources.
If you're asking about L2 bridge mode, no, sslproxy does not support bridge mode. SSLproxy runs at L3/L4 level.
OK. Thank you for your answer.