24 lines
1.4 KiB
Text
24 lines
1.4 KiB
Text
|
SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
|
||
|
|
encrypted network connections. Connections are transparently
|
||
|
|
intercepted through a network address translation engine and
|
||
|
|
redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates
|
||
|
|
a new SSL/TLS connection to the original destination address, while
|
||
|
|
logging all data transmitted. SSLsplit is intended to be useful
|
||
|
|
for network forensics and penetration testing.
|
||
|
|
|
||
|
|
SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections
|
||
|
|
over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit
|
||
|
|
generates and signs forged X509v3 certificates on-the-fly, based
|
||
|
|
on the original server certificate subject DN and subjectAltName
|
||
|
|
extension. SSLsplit fully supports Server Name Indication (SNI)
|
||
|
|
and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE
|
||
|
|
cipher suites. Depending on the version of OpenSSL, SSLsplit
|
||
|
|
supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL
|
||
|
|
2.0 as well. SSLsplit can also use existing certificates of which
|
||
|
|
the private key is available, instead of generating forged ones.
|
||
|
|
SSLsplit supports NULL-prefix CN certificates and can deny OCSP
|
||
|
|
requests in a generic way. For HTTP and HTTPS connections, SSLsplit
|
||
|
|
removes response headers for HPKP in order to prevent public key
|
||
|
|
pinning, for HSTS to allow the user to accept untrusted certificates,
|
||
|
|
and Alternate Protocols to prevent switching to QUIC/SPDY.
|