Openssl 中间人SSL代理

Openssl 中间人SSL代理

仅仅能在Linux相关的系统上使用,有很多性能及应用方面的限制,可以用来测试。

文章来自:https://gist.github.com/jeremiahsnapp/6426298

以下为原文

As a proof of concept, the openssl tool can be used on Linux or OS X to create a rudimentary MITM SSL proxy.

The openssl s_client used below will terminate after an API request-response completes since the Chef API protocol closes the client-server connection after each response. That means this MITM SSL Proxy is only good for one API request-response at a time. You would have to start the openssl s_client again to achieve another successful API request-response. Other methods could be used to automatically restart the openssl s_client but that is out of scope for this proof of concept.

Use openssl to create a self signed certificate server.pem.

openssl req -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem

Create two named pipes.

mkfifo request response

Run the following command lines in separate terminal windows.

openssl s_server -quiet -cert server.pem -accept 4433 < response | tee -a request
openssl s_client -quiet -connect api.opscode.com:443 < request | tee -a response

Replace the domain name in knife.rb or client.rb chef_server_url parameter with 127.0.0.1:4433.

Now you can use tools like tcpdump or wireshark to capture the cleartext traffic to a file or watch it in real time.

sudo tcpdump -ilo -s0 -w ./captured.pcap 'port 4434'

When you are done you can delete the named pipes using the following command.

rm request response
上一篇
下一篇