forked from droe/sslsplit
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sslsplit.conf
125 lines (86 loc) · 3.77 KB
/
sslsplit.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# This is the SSLsplit configuration file
# Use CA cert (and key) to sign forged certs
CACert /etc/sslsplit/ca.crt
# Use CA key (and cert) to sign forged certs
CAKey /etc/sslsplit/ca.key
# Use cert from pemfile when destination requests client certs
#ClientCert /etc/sslsplit/client.crt
# Use key from pemfile when destination requests client certs
#ClientKey /etc/sslsplit/client.key
# Use CA chain from pemfile (intermediate and root CA certs)
#CAChain /etc/sslsplit/chain.crt
# Use key from pemfile for leaf certs (default: generate)
#LeafCerts /etc/sslsplit/leaf.key
# Use URL as CRL distribution point for all forged certs
#CRL http://example.com
# Use cert+chain+key PEM files from certdir to target all sites
# matching the common names (non-matching: generate if CA)
#TargetCertDir /etc/sslsplit/target
# Write leaf key and only generated certificates to gendir
#WriteGenCertsDir /var/run/sslsplit
# Write leaf key and all certificates to gendir
#WriteAllCertsDir /var/run/sslsplit
# Deny all OCSP requests on all proxyspecs
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of
# client cert auth or no matching cert and no CA (default: drop)
#Passthrough yes
# Use DH group params from pemfile (default: keyfiles or auto)
#DHGroupParams /etc/sslsplit/dh.pem
# Use ECDH named curve (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections
#SSLCompression no
# Force SSL/TLS protocol version only (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version (default: none)
#DisableSSLProto tls10
# Use the given OpenSSL cipher suite spec (default: ALL:-aNULL)
Ciphers MEDIUM:HIGH
# OpenSSL engine to activate, either ID or full path to shared library
#OpenSSLEngine cloudhsm
# Specify default NAT engine to use
#NATEngine netfilter
# Drop privileges to user and group (default if run as root: nobody)
#User sslsplit
#Group sslsplit
# chroot() to jaildir (impacts sni proxyspecs, see manual page)
#Chroot /var/run/sslsplit
# Write pid to pidfile (default: no pid file)
#PidFile /var/run/sslsplit.pid
# Connect log: log one line summary per connection to logfile
#ConnectLog /var/log/sslsplit/connect.log
# Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec)
#ContentLog /var/log/sslsplit/content.log
# Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec)
#ContentLogDir /var/log/sslsplit/content
# Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir)
#ContentLogPathSpec /var/log/sslsplit/%X/%u-%s-%d-%T.log
# Look up local process owning each connection for logging
#LogProcInfo yes
# Log master keys to logfile in SSLKEYLOGFILE format
#MasterKeyLog /var/log/sslsplit/masterkeys.log
# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec)
#PcapLog /var/log/sslsplit/content.pcap
# Pcap log: packets to separate files in dir (excludes PcapLog/PcapLogPathSpec)
#PcapLogDir /var/log/sslsplit/pcap
# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir)
#PcapLogPathSpec /var/log/sslsplit/%X/%u-%s-%d-%T.pcap
# Mirror packets to interface
#MirrorIf lo
# Mirror packets to target address, used with MirrorIf
#MirrorTarget 127.0.0.1
# Daemon mode: run in background, log error messages to syslog
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr
#Debug yes
# Verify peer using default certificates
#VerifyPeer no
# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
#AddSNIToCertificate yes
# Proxy specifications
# type listenaddr+port [natengine|targetaddr+port|"sni"+port]
ProxySpec https 127.0.0.1 8443
ProxySpec https ::1 8443