OpenSSL man-in-the-middle SSL proxy
This only works on Unix-like systems such as Linux (the original also covers OS X), has many performance and usage limitations, and is suitable for testing only.
Source: https://gist.github.com/jeremiahsnapp/6426298
The original text follows.
As a proof of concept, the openssl tool can be used on Linux or OS X to create a rudimentary MITM SSL proxy.
The openssl s_client used below will terminate after an API request-response completes, since the Chef API protocol closes the client-server connection after each response. That means this MITM SSL proxy is only good for one API request-response at a time: you would have to start the openssl s_client again to achieve another successful API request-response. Other methods could be used to automatically restart the openssl s_client, but that is out of scope for this proof of concept.
Use openssl to create a self-signed certificate. The command below writes both the private key and the certificate into the single file server.pem; -nodes leaves the key unencrypted so s_server can load it without a passphrase prompt.
openssl req -batch -new -x509 -days 365 -nodes -out server.pem -keyout server.pem
Create two named pipes.
mkfifo request response
Run the following command lines in separate terminal windows. The s_server terminates the Chef client's TLS session, prints the decrypted request and copies it into the request pipe; the s_client reads that pipe, sends the request to the real API over TLS, prints the decrypted response and copies it into the response pipe, which s_server then sends back to the Chef client. Each command blocks until the other has opened the pipes, so start both. -quiet is required on both: without it, openssl's session and certificate chatter would be written into the pipes and forwarded as if it were part of the HTTP exchange.
openssl s_server -quiet -cert server.pem -accept 4433 < response | tee -a request
openssl s_client -quiet -connect api.opscode.com:443 < request | tee -a response
Replace the domain name in the knife.rb or client.rb chef_server_url parameter with 127.0.0.1:4433, keeping the https:// scheme. Note that current Chef clients verify the server certificate by default (ssl_verify_mode :verify_peer), so they will refuse the self-signed server.pem unless it is added to their trusted certificates or verification is turned off for the test.
The cleartext is what the two tee commands print to their terminals; to keep a copy, add a regular file to each tee invocation alongside the pipe. Tools like tcpdump or wireshark can also capture the traffic on the loopback interface to a file or show it in real time, but note what they will see: the session between the Chef client and s_server on port 4433 is still TLS, so that capture is ciphertext. The command as published filters on port 4434, a port nothing in this setup uses; adjust the filter to the port you actually want to observe.
sudo tcpdump -ilo -s0 -w ./captured.pcap 'port 4434'
When you are done you can delete the named pipes using the following command.
rm request response