./security/sslsplit, Transparent and scalable SSL/TLS interception

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 0.4.10nb1, Package name: sslsplit-0.4.10nb1, Maintainer: pkgsrc-users

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
encrypted network connections. Connections are transparently
intercepted through a network address translation engine and
redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates
a new SSL/TLS connection to the original destination address, while
logging all data transmitted. SSLsplit is intended to be useful
for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections
over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit
generates and signs forged X509v3 certificates on-the-fly, based
on the original server certificate subject DN and subjectAltName
extension. SSLsplit fully supports Server Name Indication (SNI)
and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE
cipher suites. Depending on the version of OpenSSL, SSLsplit
supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL
2.0 as well. SSLsplit can also use existing certificates of which
the private key is available, instead of generating forged ones.
SSLsplit supports NULL-prefix CN certificates and can deny OCSP
requests in a generic way. For HTTP and HTTPS connections, SSLsplit
removes response headers for HPKP in order to prevent public key
pinning, for HSTS to allow the user to accept untrusted certificates,
and Alternate Protocols to prevent switching to QUIC/SPDY.


Master sites:

SHA1: 6027a3fdb356cdd2dbd3ac566296ca779db0d076
RMD160: 1c41142c6d27046126ccc3b3dbbb0c4110d6147a
Filesize: 260.576 KB

Version history: (Expand)


CVS history: (Expand)


   2016-03-05 12:29:49 by Jonathan Perkin | Files touched by this commit (1813) | Package updated
Log message:
Bump PKGREVISION for security/openssl ABI bump.
   2016-01-20 18:43:47 by Leonardo Taccari | Files touched by this commit (1)
Log message:
sslsplit also needs libevent (noted via pkgsrc-bulk@).

While here pass all the dependencies via MAKE_ENV (this will - hopefully - avoid
further problem on platforms where openssl and libevent are not builtins).
   2015-11-04 02:18:12 by Alistair G. Crooks | Files touched by this commit (434)
Log message:
Add SHA512 digests for distfiles for security category

Problems found locating distfiles:
	Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
	Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
	Package libidea: missing distfile libidea-0.8.2b.tar.gz
	Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
	Package uvscan: missing distfile vlp4510e.tar.Z

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
   2015-03-15 19:33:29 by Tobias Nygren | Files touched by this commit (1)
Log message:
requires openssl
   2015-03-01 10:59:45 by Thomas Klausner | Files touched by this commit (4)
Log message:
Import sslsplit-0.4.10 as security/sslsplit.

SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS
encrypted network connections.  Connections are transparently
intercepted through a network address translation engine and
redirected to SSLsplit.  SSLsplit terminates SSL/TLS and initiates
a new SSL/TLS connection to the original destination address, while
logging all data transmitted.  SSLsplit is intended to be useful
for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections
over both IPv4 and IPv6.  For SSL and HTTPS connections, SSLsplit
generates and signs forged X509v3 certificates on-the-fly, based
on the original server certificate subject DN and subjectAltName
extension.  SSLsplit fully supports Server Name Indication (SNI)
and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE
cipher suites.  Depending on the version of OpenSSL, SSLsplit
supports SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2, and optionally SSL
2.0 as well.  SSLsplit can also use existing certificates of which
the private key is available, instead of generating forged ones.
SSLsplit supports NULL-prefix CN certificates and can deny OCSP
requests in a generic way.  For HTTP and HTTPS connections, SSLsplit
removes response headers for HPKP in order to prevent public key
pinning, for HSTS to allow the user to accept untrusted certificates,
and Alternate Protocols to prevent switching to QUIC/SPDY.