Transparent SSL Forward Proxy using SSLsplit on CentOS 7.x to Capture/Sniff SSL packets

2015 年 1 月 12 日3460


        We are trying to do a packet capture of network traffic from a server, but cannot capture SSL/TLS traffic because it is encrypted. This tutorial is to show how to install SSLsplit as a Transparent SSL Forward Proxy to capture encrypted traffic, essentially creating a man-in-the-middle for troubleshooting/debugging. Keep in mind that this method of debugging doesn’t work on all sites but can be a useful tool on your networking tool belt.

•CentOS 7.x Minimal install NOTE: CentOS 6.x is not supported for SSLsplit
•EPEL for CentOS 7
•Windows server for our testing with Internet Explorer. You may use other SSL initiators


1. Download Latest Version of EPEL and install
•We’re downloading our version from

[root@centos ~]# wget
[root@centos ~]# rpm -ivh epel-release-7-5.noarch.rpm


2. Install SSLsplit via yum

[root@centos ~]# yum install sslsplit -y


3. Generate SSLSplit Root CA Certificate
•These following commands generates a 2048-bit RSA private key from OpenSSL and a self signed CA certificate (valid for 365 days) from the private key. Use defaults for the certificate

[root@centos ~]# mkdir ~/sslsplit-keys
[root@centos ~]# openssl genrsa -out ~/sslsplit-keys/ca.key 4096
[root@centos ~]# openssl req -new -x509 -days 365 -key ~/sslsplit-keys/ca.key -out ~/sslsplit-keys/ca.crt


4. Enable IP Forwarding in Linux

[root@centos ~]# sysctl -w net.ipv4.ip_forward=1

• Make it permanent by modifying /etc/sysctl.conf and add the following line

net.ipv4.ip_forward = 1


5. Remove Firewalld and Replace with IPTables
•For simplicity sake, let’s fall back to the original CentOS IPTables. You may change the following entries to firewalld if you are familiar

# systemctl disable firewalld
# yum install iptables-services
# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/ip6tables
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables
•Enable HTTP and HTTPS (ports 80 and 443) on IPTables by issuing the following commands

[root@centos ~]# iptables -t nat -F
[root@centos ~]# iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDIRECT –to-ports 8080
[root@centos ~]# iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDIRECT –to-ports 8443
[root@centos ~]# iptables -I INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT
[root@centos ~]# iptables -I INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT
[root@centos ~]# iptables -I INPUT -p tcp -m state –state NEW -m tcp –dport 8443 -j ACCEPT
[root@centos ~]# iptables -I INPUT -p tcp -m state –state NEW -m tcp –dport 8080 -j ACCEPT
[root@centos ~]# service iptables save
•Restart iptables

[root@centos ~]# service iptables restart
•Check to see if IPTables is saved properly

[root@centos ~]# cat /etc/sysconfig/iptables

-A PREROUTING -p tcp -m tcp –dport 80 -j REDIRECT –to-ports 8080
-A PREROUTING -p tcp -m tcp –dport 443 -j REDIRECT –to-ports 8443
# Completed on Tue Dec 30 13:21:19 2014
# Generated by iptables-save v1.4.21 on Tue Dec 30 13:21:19 2014
:OUTPUT ACCEPT [49:4944]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 8443 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 8080 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT
-A INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited

6. Start SSLsplit
•Execute the following to start SSLsplit.
•Attributes -D = Debug Mode, -l = Logfile, -S = Log Folder for storing, -k = Private Key, -c = CA Certificate

[root@centos ~]# sslsplit -D -l connections.log -S ~/sslsplit-logs/ -k ~/sslsplit-keys/ca.key -c ~/sslsplit-keys/ca.crt ssl 8443 tcp 8080
Generated RSA key for leaf certs.
SSLsplit 0.4.8 (built 2014-09-30)
Copyright (c) 2009-2014, Daniel Roethlisberger <>

NAT engines: netfilter* tproxy
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e-fips 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
4 CPU cores detected
– []:8080 tcp plain netfilter
– []:8443 ssl plain netfilter
Loaded CA: ‘/C=CA/ST=ON/L=Toronto/O=Default Company Ltd/OU=IT’
Using libevent backend ‘epoll’
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
0x7f39155cd970 [fd 7] Read Persist
0x7f39155cdbd0 [fd 8] Read Persist
0x7f39155d0670 [fd 9] Read Persist
0x7f39155cd7a8 [fd 6] Read Persist
0x7f39155d0700 [fd 3] Signal Persist
0x7f39155d0940 [fd 1] Signal Persist
0x7f39155d0a70 [fd 2] Signal Persist
0x7f39155d0ba0 [fd 13] Signal Persist
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.


7. Install CA Certificate on Windows Machine
•Install ca.crt certificate created in step 3 onto the Windows machine under Trusted Root Certification Authorities


8. Repoint Certain Domains With Windows Host Files
•Modify your host file in c:\windows\system32\drivers\etc\hosts and change domains you would like to sniff the SSL. For our example, we would like to sniff Linkedin. Add the following to your hosts file:

# Change the IP address below to your SSLsplit server IP

9. Use Internal Explorer and Go and Test
•Use internet explorer on destination computer and go to https site. Your captured traffic should be logged in ~/sslsplit-logs folder




0 0