{"id":13490346,"url":"https://github.com/droe/sslsplit","last_synced_at":"2025-04-11T11:49:36.991Z","repository":{"id":2931336,"uuid":"3942762","full_name":"droe/sslsplit","owner":"droe","description":"Transparent SSL/TLS interception","archived":false,"fork":false,"pushed_at":"2024-09-11T19:36:55.000Z","size":1866,"stargazers_count":1794,"open_issues_count":78,"forks_count":327,"subscribers_count":102,"default_branch":"develop","last_synced_at":"2025-04-03T16:08:41.465Z","etag":null,"topics":["c","http","https","nat","sni","ssl","sslsplit","starttls","tls","tls-interception","transparent-proxy"],"latest_commit_sha":null,"homepage":"https://www.roe.ch/SSLsplit","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"guelfoweb/knock","license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/droe.png","metadata":{"files":{"readme":"README.md","changelog":"NEWS.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-04-05T18:30:36.000Z","updated_at":"2025-03-30T04:56:39.000Z","dependencies_parsed_at":"2023-02-16T03:45:35.890Z","dependency_job_id":"f767c2d3-1552-4a57-9204-d0b4da5e592c","html_url":"https://github.com/droe/sslsplit","commit_stats":{"total_commits":829,"total_committers":21,"mean_commits":"39.476190476190474","dds":"0.15802171290711697","last_synced_commit":"e17de8454a65d2b9ba432856971405dfcf1e7522"},"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droe%2Fsslsplit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droe%2Fsslsplit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droe%2Fsslsplit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/droe%2Fsslsplit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/droe","download_url":"https://codeload.github.com/droe/sslsplit/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248389285,"owners_count":21095556,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","http","https","nat","sni","ssl","sslsplit","starttls","tls","tls-interception","transparent-proxy"],"created_at":"2024-07-31T19:00:45.208Z","updated_at":"2025-04-11T11:49:36.963Z","avatar_url":"https://github.com/droe.png","language":"C","readme":"# SSLsplit - transparent SSL/TLS interception\nhttps://www.roe.ch/SSLsplit\n\n[![Build Status](https://travis-ci.org/droe/sslsplit.svg)](https://travis-ci.org/droe/sslsplit)\n[![Gitter chat](https://badges.gitter.im/droe/sslsplit.png)](https://gitter.im/droe/sslsplit)\n\n## Overview\n\nSSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted\nnetwork connections.  It is intended to be useful for network forensics,\napplication security analysis and penetration testing.\n\nSSLsplit is designed to transparently terminate connections that are redirected\nto it using a network address translation engine.  SSLsplit then terminates\nSSL/TLS and initiates a new SSL/TLS connection to the original destination\naddress, while logging all data transmitted.  Besides NAT based operation,\nSSLsplit also supports static destinations and using the server name indicated\nby SNI as upstream destination.  SSLsplit is purely a transparent proxy and\ncannot act as a HTTP or SOCKS proxy configured in a browser.\n\nSSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both\nIPv4 and IPv6.  It also has the ability to dynamically upgrade plain TCP to SSL\nin order to generically support SMTP STARTTLS and similar upgrade mechanisms.\nSSLsplit fully supports Server Name Indication (SNI) and is able to work with\nRSA, DSA and ECDSA keys and DHE and ECDHE cipher suites.  Depending on the\nversion of OpenSSL built against, SSLsplit supports SSL 3.0, TLS 1.0, TLS 1.1\nand TLS 1.2, and optionally SSL 2.0 as well.\n\nFor SSL and HTTPS connections, SSLsplit generates and signs forged X509v3\ncertificates on-the-fly, mimicking the original server certificate's subject\nDN, subjectAltName extension and other characteristics.  SSLsplit has the\nability to use existing certificates of which the private key is available,\ninstead of generating forged ones.  SSLsplit supports NULL-prefix CN\ncertificates but otherwise does not implement exploits against specific\ncertificate verification vulnerabilities in SSL/TLS stacks.\n\nSSLsplit implements a number of defences against mechanisms which would\nnormally prevent MitM attacks or make them more difficult.  SSLsplit can deny\nOCSP requests in a generic way.  For HTTP and HTTPS connections, SSLsplit\nmangles headers to prevent server-instructed public key pinning (HPKP), avoid\nstrict transport security restrictions (HSTS), avoid Certificate Transparency\nenforcement (Expect-CT) and prevent switching to QUIC/SPDY, HTTP/2 or\nWebSockets (Upgrade, Alternate Protocols).  HTTP compression, encodings and\nkeep-alive are disabled to make the logs more readable.\n\nLogging options include traditional SSLsplit connect and content log files as\nwell as PCAP files and mirroring decrypted traffic to a network interface.\nAdditionally, certificates, master secrets and local process information can be\nlogged.\n\nSee the manual page sslsplit(1) for details on using SSLsplit and setting up\nthe various NAT engines.\n\n\n## Requirements\n\nSSLsplit depends on the OpenSSL, libevent 2.x, libpcap and libnet 1.1.x\nlibraries by default; libpcap and libnet are not needed if the mirroring\nfeature is omitted.  The build depends on GNU make and a POSIX.2 environment in\n`PATH`.  If available, pkg-config is used to locate and configure the\ndependencies.  The optional unit tests depend on the check library.\n\nSSLsplit currently supports the following operating systems and NAT mechanisms:\n\n-   FreeBSD: pf rdr and divert-to, ipfw fwd, ipfilter rdr\n-   OpenBSD: pf rdr-to and divert-to\n-   Linux: netfilter REDIRECT and TPROXY\n-   Mac OS X: pf rdr and ipfw fwd\n\nSupport for local process information (`-i`) is currently available on Mac OS X\nand FreeBSD.\n\nSSL/TLS features and compatibility greatly depend on the version of OpenSSL\nlinked against.  For optimal results, use a recent release of OpenSSL or\nLibreSSL.\n\n\n## Installation\n\nWith the requirements above available, run:\n\n    make\n    make test       # optional unit tests\n    make sudotest   # optional unit tests requiring privileges\n    make install    # optional install\n\nDependencies are autoconfigured using pkg-config.  If dependencies are not\npicked up and fixing `PKG_CONFIG_PATH` does not help, you can specify their\nrespective locations manually by setting `OPENSSL_BASE`, `LIBEVENT_BASE`,\n`LIBPCAP_BASE`, `LIBNET_BASE` and/or `CHECK_BASE` to the respective prefixes.\n\nYou can override the default install prefix (`/usr/local`) by setting `PREFIX`.\nFor more build options and build-time defaults see [`GNUmakefile`](GNUmakefile)\nand [`defaults.h`](defaults.h).\n\n\n## Documentation\n\nSee the manual pages `sslsplit(1)` and `sslsplit.conf(5)` for user\ndocumentation.  See [`NEWS.md`](NEWS.md) for release notes listing significant\nchanges between releases and [`SECURITY.md`](SECURITY.md) for information on\nsecurity vulnerability disclosure.\n\n\n## License\n\nSSLsplit is provided under a 2-clause BSD license.\nSSLsplit contains components licensed under the MIT and APSL licenses.\nSee [`LICENSE`](LICENSE), [`LICENSE.contrib`](LICENSE.contrib) and\n[`LICENSE.third`](LICENSE.third) as well as the respective source file headers\nfor details.\n\n\n## Credits\n\nSee [`AUTHORS.md`](AUTHORS.md) for the list of contributors.\n\nSSLsplit was inspired by `mitm-ssl` by Claes M. Nyberg and `sslsniff` by Moxie\nMarlinspike, but shares no source code with them.\n\n\n","funding_links":[],"categories":["C","\u003ca id=\"79499aeece9a2a9f64af6f61ee18cbea\"\u003e\u003c/a\u003e浏览嗅探\u0026\u0026流量拦截\u0026\u0026流量分析\u0026\u0026中间人","\u003ca id=\"42f9e068b6511bcbb47d6b2b273097da\"\u003e\u003c/a\u003e未分类","Network and Web Protocols","Tools"],"sub_categories":["\u003ca id=\"11c73d3e2f71f3914a3bca35ba90de36\"\u003e\u003c/a\u003e中间人\u0026\u0026MITM","\u003ca id=\"3bd67ee9f322e2c85854991c85ed6da0\"\u003e\u003c/a\u003e投毒\u0026\u0026Poisoning","mTLS","Dynamic Analysis Tools"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdroe%2Fsslsplit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdroe%2Fsslsplit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdroe%2Fsslsplit/lists"}