As a proof of concept, the openssl tool can be used on Linux or OS X to create a rudimentary MITM SSL proxy. The openssl s_client used below will terminate after an API request-response completes, since the Chef API protocol closes the client-server connection after each response. That means this MITM SSL proxy is only good for one API request-response at a time; you would have to start the openssl s_client again to achieve another successful API request-response. Other methods could be used to automatically restart the openssl s_client, but that is out of scope for this proof of concept.
Use openssl to create a self-signed certificate, server.pem.
openssl req -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem
Create two named pipes.
mkfifo request response
Run the following command lines in separate terminal windows.
openssl s_server -quiet -cert server.pem -accept 4433 < response | tee -a request
openssl s_client -quiet -connect api.opscode.com:443 < request | tee -a response
Replace the domain name in the knife.rb or client.rb chef_server_url parameter with
Now you can use tools like tcpdump or Wireshark to capture the cleartext traffic to a file or watch it in real time.
sudo tcpdump -ilo -s0 -w ./captured.pcap 'port 4434'
When you are done you can delete the named pipes using the following command.
rm request response
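For contrast with the self-signed server.pem generated above, here is an added example (not part of the original post) of the checks a certificate-verifying client performs before trusting a server certificate, which is exactly what stops this kind of proxy. The certificate is constructed in memory so the example runs offline; the helper names and the localhost common name are assumptions.

```ruby
require 'openssl'

# Build a self-signed certificate in memory, the same shape as the
# server.pem that "openssl req -x509 -nodes" produces. Constructed
# here so the example runs offline; the lifetime is an assumption.
def make_self_signed_cert(common_name, days: 365)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject                         # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Return the reasons a verifying client would reject +cert+ when it
# expected to reach +hostname+, given a list of +trusted+ CA certs.
# An empty list means the certificate would be accepted. A client
# configured with OpenSSL::SSL::VERIFY_NONE skips all of these checks.
def verification_failures(cert, hostname, trusted: [])
  failures = []
  store = OpenSSL::X509::Store.new
  trusted.each { |ca| store.add_cert(ca) }
  # Chain check: a self-signed cert passes only if it is itself trusted.
  failures << :untrusted_issuer unless store.verify(cert)
  # Identity check: SAN entries, or the CN when no SAN is present,
  # must match the host name the client asked for.
  failures << :hostname_mismatch unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  failures << :expired if cert.not_after < Time.now
  failures
end

if __FILE__ == $PROGRAM_NAME
  proxy_cert = make_self_signed_cert('localhost')
  p verification_failures(proxy_cert, 'api.opscode.com')
  # => [:untrusted_issuer, :hostname_mismatch]
end
```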