forked from droe/sslsplit
-
Notifications
You must be signed in to change notification settings - Fork 1
/
sslsplit.conf.in
190 lines (149 loc) · 5.99 KB
/
sslsplit.conf.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
# Sample configuration for sslsplit @@VERSION@@
#
# Use the -f command line option to start sslsplit with a config file.
# See sslsplit.conf(5) and sslsplit(1) for documentation.
# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /usr/local/etc/sslsplit/ca.crt
# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /usr/local/etc/sslsplit/ca.key
# Use cert from pemfile when destination requests client certs.
# Equivalent to -a command line option.
#ClientCert /usr/local/etc/sslsplit/client.crt
# Use key from pemfile when destination requests client certs.
# Equivalent to -b command line option.
#ClientKey /usr/local/etc/sslsplit/client.key
# Use CA chain from pemfile (intermediate and root CA certs).
# Equivalent to -C command line option.
#CAChain /usr/local/etc/sslsplit/chain.crt
# Use key from pemfile for generated leaf certs.
# Equivalent to -K command line option.
# (default: generate)
#LeafKey /usr/local/etc/sslsplit/leaf.key
# Use URL as CRL distribution point for all forged certs.
# Equivalent to -q command line option.
#LeafCRLURL http://example.com/example.crl
# Use cert+chain+key PEM files from certdir to target all sites matching the
# common names (non-matching: generate if CA).
# Equivalent to -t command line option.
#LeafCertDir /usr/local/etc/sslsplit/leaf.d
# Use cert+chain+key from PEM file instead of generating leaf keys on the fly.
# Equivalent to -A command line option.
#DefaultLeafCert /usr/local/etc/sslsplit/leaf.pem
# Write leaf key and only generated certificates to gendir.
# Equivalent to -w command line option.
#WriteGenCertsDir /var/log/sslsplit
# Write leaf key and all certificates to gendir.
# Equivalent to -W command line option.
#WriteAllCertsDir /var/log/sslsplit
# Deny all OCSP requests on all proxyspecs.
# Equivalent to -O command line option.
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of client cert
# auth or no matching cert and no CA.
# Equivalent to -P command line option.
# (default: drop)
#Passthrough yes
# Use DH group params from pemfile.
# Equivalent to -g command line option.
# (default: keyfiles or auto)
#DHGroupParams /usr/local/etc/sslsplit/dh.pem
# Use ECDH named curve.
# Equivalent to -G command line option.
# (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections.
# Equivalent to -Z command line option.
#SSLCompression no
# Force SSL/TLS protocol version only.
# Equivalent to -r command line option.
# (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version.
# Equivalent to -R command line option.
# (default: none)
#DisableSSLProto tls10
# Use the given OpenSSL cipher suite spec.
# Equivalent to -s command line option.
# (default: ALL:-aNULL)
#Ciphers MEDIUM:HIGH
# The OpenSSL engine to activate, either the ID or the full path to the shared
# library implementing the engine. If an ID is given, the engine needs to be
# known to the system-wide OpenSSL configuration. Only available if built
# against a version of OpenSSL with engine support.
# Equivalent to -x command line option
#OpenSSLEngine cloudhsm
# Specify default NAT engine to use.
# Equivalent to -e command line option.
#NATEngine netfilter
# Drop privileges to user.
# Equivalent to -u command line option.
# (default: nobody, if run as root)
#User sslsplit
# Drop privileges to group.
# Equivalent to -m command line option.
# (default: primary group of user)
#Group sslsplit
# chroot() to jaildir (impacts sni proxyspecs, see sslsplit(1)).
# Equivalent to -j command line option.
#Chroot /var/run/sslsplit
# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/run/sslsplit.pid
# Connect log: log one line summary per connection to logfile.
# Equivalent to -l command line option.
#ConnectLog /var/log/sslsplit/connect.log
# Content log: full data to file or named pipe
# (excludes ContentLogDir/ContentLogPathSpec).
# Equivalent to -L command line option.
#ContentLog /var/log/sslsplit/content.log
# Content log: full data to separate files in dir
# (excludes ContentLog/ContentLogPathSpec).
# Equivalent to -S command line option.
#ContentLogDir /var/log/sslsplit/content
# Content log: full data to sep files with % subst
# (excludes ContentLog/ContentLogDir).
# Equivalent to -F command line option.
#ContentLogPathSpec /var/log/sslsplit/%X/%u-%s-%d-%T.log
# Look up local process owning each connection for logging.
# Equivalent to -i command line option.
#LogProcInfo yes
# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
# Equivalent to -X command line option.
#PcapLog /var/log/sslsplit/content.pcap
# Pcap log: packets to separate files in dir
# (excludes PcapLog/PcapLogPathSpec).
# Equivalent to -Y command line option.
#PcapLogDir /var/log/sslsplit/pcap
# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
# Equivalent to -y command line option.
#PcapLogPathSpec /var/log/sslsplit/%X/%u-%s-%d-%T.pcap
# Mirror packets to interface.
# Equivalent to -I command line option.
#MirrorIf lo
# Mirror packets to target address (used with MirrorIf).
# Equivalent to -T command line option.
#MirrorTarget 192.0.2.1
# Log master keys to logfile in SSLKEYLOGFILE format.
# Equivalent to -M command line option.
#MasterKeyLog /var/log/sslsplit/masterkeys.log
# Daemon mode: run in background, log error messages to syslog.
# Equivalent to -d command line option.
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
#Debug yes
# Verify peer using default certificates
#VerifyPeer no
# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
#AddSNIToCertificate yes
# Proxy specifications
# type listenaddr+port [natengine|targetaddr+port|"sni"+port]
ProxySpec http 127.0.0.1 8080
ProxySpec http ::1 8080
ProxySpec https 127.0.0.1 8443
ProxySpec https ::1 8443