File: ssl_mitm

package info (click to toggle)
e2guardian 5.5.9-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 6,352 kB
  • sloc: cpp: 26,398; makefile: 640; sh: 324; perl: 55
file content (72 lines) | stat: -rw-r--r-- 2,697 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
 
The SSL MITM option allows https sites to be content checked.

The request from the client is intercepted, a spoofed certificate supplied for
the target site and an encrypted connection made back to the client.
A separate encrypted connection to the target server is set up.  The resulting
http dencrypted stream is then filtered as normal.

Sites in the exception lists are treated in the same way as before
(i.e. NOT unencrypted) so sites dealing with sensistive information that should
not be intercepted (e.g. bank finance, account logins, etc) and other sites
deemed 'safe' can be made exempt from being examined.

Advantages are that the user gets a proper block page and full https urls are
logged, https urls can be whitelisted when site as a whole is banned and content
can be content checked.

Disavantages are that in order for MITM to be usable a private root CA
certificate has to be installed on each browser and that more processing power
is needed on the server in order to encrypt and unencrypt the traffic.

Note that full HTTPS MITM requires a lot more CPU power.

To set up MITM:

   Configure and compile e2guardian with the --enable-sslmitm flag set
   
   Before generating your certs and keys check that your openssl.conf file
   has the following in the ca section:-

      basicConstraints=critical,CA:TRUE

   Generate your certicates and keys:-

	Generate a key for the rootCA

	    openssl genrsa 4096 > private_root.pem

	Generate the root CA certificate

	    openssl req -new -x509 -days 3650 -sha256 -key private_root.pem \
			-out my_rootCA.crt

	Create a DER format version of root certificate

		openssl x509 -in my_rootCA.crt -outform DER -out my_rootCA.der

	Generate a key for use with upstream SSL conections

		openssl genrsa 4096 > private_cert.pem

   Copy the my_rootCA.crt and my_rootCA.der to a web server so that your users
        can download them.

   Create a directory call generatedcerts to store the generated certificates:-
	This directory must be writable by the e2guardian user

   Assign cert and key paths in e2guardian.conf:-

	cacertificatepath = '/usr/local/etc/e2guardian/my_rootCA.crt'
	caprivatekeypath = '/usr/local/etc/e2guardian/private_root.pem'
	certprivatekeypath = '/usr/local/etc/e2guardian/private_cert.pem'

	generatedcertpath = '/usr/local/etc/e2guardian/generatedcerts'

   Set enablessl = on in e2guardian.conf
   Set sslmitm = on in e2guardianfx.conf

   Load my_rootCA certificate on each browser.

   On the browser Set both http proxy and https proxy to the same port 
   defined in the option filterports, if you use e2guardian as direct proxy. 
   The transparenthttpsport is only for transparent https proxying.