{"id":13842224,"url":"https://github.com/VerSprite/alpnpass","last_synced_at":"2025-07-11T14:31:19.964Z","repository":{"id":82257271,"uuid":"394367865","full_name":"VerSprite/alpnpass","owner":"VerSprite","description":"This tool will listen on a given port, strip SSL encryption, forward traffic through a plain TCP proxy, then encrypt the returning traffic again and send it to the target of your choice. Unlike most SSL stripping solutions this tool will negotiate ALPN and preserve the negotiated protocol all the way to the target.","archived":false,"fork":false,"pushed_at":"2021-10-18T18:08:06.000Z","size":15,"stargazers_count":29,"open_issues_count":0,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-21T12:45:06.507Z","etag":null,"topics":["alpn","mitm","mitmproxy","security","security-tools","ssl","tls"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/VerSprite.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-08-09T16:40:57.000Z","updated_at":"2024-09-06T00:15:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"44580f6a-a1bd-46ab-aaed-d9cfdcfb54d5","html_url":"https://github.com/VerSprite/alpnpass","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/VerSprite/alpnpass","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VerSprite%2Falpnpass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VerSprite%2Falpnpass/tags","releases_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VerSprite%2Falpnpass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VerSprite%2Falpnpass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/VerSprite","download_url":"https://codeload.github.com/VerSprite/alpnpass/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VerSprite%2Falpnpass/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264833273,"owners_count":23670617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alpn","mitm","mitmproxy","security","security-tools","ssl","tls"],"created_at":"2024-08-04T17:01:29.772Z","updated_at":"2025-07-11T14:31:19.691Z","avatar_url":"https://github.com/VerSprite.png","language":"Go","readme":"ALPN Pass\n---------\n\nThis tool will listen on a given port, strip SSL encryption, forward traffic through a plain TCP proxy, then encrypt the returning traffic again and send it to the target of your choice. Unlike most SSL stripping solutions this tool will negotiate ALPN and preserve the negotiated protocol all the way to the target.\n\nThe intended use of the tool is helping analyze SSL encrypted traffic in any app that uses ALPN to multiplex several protocols into one port. You will need something else to actually look at the traffic, such as [IO Ninja](https://ioninja.com/) with the TCP Proxy plugin or [Wireshark](https://www.wireshark.org).\n\nCompiling\n---------\n\nJust run \"go build\" and everything should work automagically. 
There are no external dependencies.\n\nUsage\n-----\n\n```\n./alpnpass [alpnpass.json]\n```\n\nThe alpnpass.json configuration file is currently the only way to configure this tool. You can specify any other filename of course. Here is an example with all default values:\n\n```\n{\n\t\"InputPort\":            \"1111\",\n\t\"InterceptorPort\":      \"2222\",\n\t\"ReturnPort\":           \"3333\",\n\t\"OutputPort\":           \"4444\",\n\t\"InputBindIP\":          \"127.0.0.1\",\n\t\"InterceptorConnectIP\": \"127.0.0.1\",\n\t\"ReturnBindIP\":         \"127.0.0.1\",\n\t\"OutputConnectIP\":      \"127.0.0.1\",\n\t\"MinVersion\":           \"SSL30\",\n\t\"MaxVersion\":           \"TLS13\",\n\t\"Hostname\":             \"127.0.0.1\",\n\t\"CACert\":               \"ca.crt\",\n\t\"ServerCert\":           \"server.crt\",\n\t\"ServerKey\":            \"server.key\",\n\t\"ClientCert\":           \"client.crt\",\n\t\"ClientKey\":            \"client.key\",\n\t\"ALPN\":                 [\n\t\t\"h2\",\n\t\t\"h2c\",\n\t\t\"http/1.1\",\n\t\t\"http/1.0\",\n\t\t\"spdy/3\",\n\t\t\"spdy/2\",\n\t\t\"spdy/1\",\n\t\t\"stun.turn\",\n\t\t\"stun.nat-discovery\",\n\t\t\"webrtc\",\n\t\t\"c-webrtc\",\n\t\t\"ftp\",\n\t\t\"imap\",\n\t\t\"pop3\",\n\t\t\"managesieve\",\n\t\t\"coap\",\n\t\t\"xmpp-client\",\n\t\t\"xmpp-server\",\n\t\t\"acme-tls/1\",\n\t\t\"mqtt\",\n\t\t\"dot\",\n\t\t\"ntske/1\",\n\t\t\"sunrpc\",\n\t\t\"spdy/3.1\",\n\t\t\"h2-14\",\n\t\t\"h2-15\",\n\t\t\"h2-16\"\n\t],\n\t\"Ciphers\": 
[\n\t\t\"TLS_RSA_WITH_RC4_128_SHA\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n\t\t\"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA\",\n\t\t\"TLS_ECDHE_RSA_WITH_RC4_128_SHA\",\n\t\t\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256\",\n\t\t\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_AES_128_GCM_SHA256\",\n\t\t\"TLS_AES_256_GCM_SHA384\",\n\t\t\"TLS_CHACHA20_POLY1305_SHA256\",\n\t\t\"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t\t\"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\",\n\t\t\"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\"\n\t]\n}\n```\n\nIf the configuration file cannot be read or some settings are missing, the above default values will be used. (Note that the default list of ciphers may differ from the one you see above, since it depends on the exact version of golang used to compile the tool).\n\nWith the default configuration, alpnpass will open TCP port 1111, receive SSL connections and negotiate ALPN. Then it will connect to any intercepting TCP proxy of your choice in plaintext on port 2222, and expect return connections on port 3333. 
When receiving the return connection, traffic will be SSL encrypted again and sent to port 4444, using the same ALPN negotiated protocol.\n\nFor example, if you set the [IO Ninja](https://ioninja.com/) TCP proxy to listen on port 2222 and connect on port 3333, this will happen:\n\n```\nclient -\u003e alpnpass (port 1111, SSL) -\u003e IO Ninja (port 2222, plain) -\u003e alpnpass (port 3333, plain) -\u003e server (port 4444, SSL)\n```\n\nIf you use a tool like [Wireshark](https://www.wireshark.org) which can monitor traffic without being part of the stream itself, you can set `InterceptorPort` and `ReturnPort` to the same value (for example '5555') and sniff the traffic on that port on the `lo` loopback device:\n\n```\nclient -\u003e alpnpass (port 1111, SSL) -\u003e alpnpass (port 5555, plain) -\u003e server (port 4444, SSL)\n```\n\nLimitations\n-----------\n\nSSL certificates are currently **not** autogenerated; you'll have to create one on your own.\n\nOnly one connection at a time is supported. This is probably what you want anyway since multiple simultaneous connections would be hard to handle if you're inspecting traffic manually, which is likely the only use case for this tool. :)\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVerSprite%2Falpnpass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FVerSprite%2Falpnpass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVerSprite%2Falpnpass/lists"}