RHEL/CentOS
Quickstart
You may download our sslsplit-quickstart script to install or remove sslsplit. In the directory where you downloaded the quickstart script, run the following commands:
- Install sslsplit:
chmod +x sslsplit-quickstart.sh && EPOCH_AOC_HOST=${your_epoch_host} ./sslsplit-quickstart.sh install
- Remove sslsplit:
./sslsplit-quickstart.sh remove
Quickstart Configuration
The quickstart script can be parameterized with environment variables to fit your installation environment. Refer to the table below for details:
Parameter | Default | Choices | Description |
---|---|---|---|
DEST_PORT | 443 (https) | 0 - 65536 | The port to which your encrypted traffic is being sent. |
PKG_TYPE | n/a | deb, rpm, docker | Defines the sslsplit package type. It is automatically set based on the OS, but you can override it with docker on a DEB or RPM-based OS if you have installed the collectors via docker. |
COLLECTOR_CONTAINER_NAME | n/a | String | The container name of the collector with which we are setting up sslsplit. This defaults to epoch_collectors if PKG_TYPE is docker. |
Manual Installation
Part 1 - Setup
- Download sslsplit:
wget --no-check-certificate -q -O epoch-sslsplit.rpm https://repo.epoch.nutanix.com/stable/epoch-sslsplit-centos-7-x64.rpm
- Install sslsplit:
sudo rpm -i -U --replacefiles --replacepkgs epoch-sslsplit.rpm
- Start sslsplit:
sudo /etc/init.d/epoch-sslsplit start
Part 2 - Certificates
- Copy sslsplit's self-signed certificate to the certificates directory:
sudo cp /opt/nutanix/epoch/sslsplit/certs/epoch-ca.crt /etc/pki/ca-trust/source/anchors/
- Set the proper permissions on the self-signed certificate:
sudo chmod 644 /etc/pki/ca-trust/source/anchors/epoch-ca.crt
- Update the CA store:
sudo update-ca-trust
Applications with certificate bundles
Client applications such as MySQL and PostgreSQL use their own certificate bundles and do not use the root certificates on the host. To make these applications trust SSLsplit, provide the public certificate of SSLsplit along with the certificate(s) of the actual server to the application.
For example, Amazon's RDS has a standard set of public certificates available as a bundle. Add SSLsplit's public certificate to the trusted certificates (all the certificates concatenated into a single file). This is the location of SSLsplit's public certificate in the collector: /opt/nutanix/epoch/sslsplit/certs/epoch-ca.crt. Configure the MySQL client application via its SSL certs configuration to use the new trusted server certificates. The client should now be able to trust SSLsplit.
Part 3 - IPtables
Outgoing Traffic
Listed below are directions for intercepting outgoing SSL traffic towards a destination port.
- Insert iptables rules. Run the following command on the collector host to add iptables rules for destination port 443:
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner nobody -m tcp --dport 443 -j REDIRECT --to-ports 10443
- Check that the rules were inserted correctly:
sudo iptables -t nat -L
If the iptables rule for sslsplit is installed, an entry similar to the following will be seen in Chain OUTPUT:
REDIRECT tcp -- anywhere anywhere ! owner UID match 65534 tcp dpt:https redir ports 10443
Incoming Traffic
For the most part, setting up outgoing traffic capture rules should suffice. For the edge cases, instructions for setting up incoming traffic capture rules are provided here.
- Insert iptables rules. Run the following command on the collector host to add iptables rules for destination port 443:
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
- Check that the rules were inserted correctly with the following command:
sudo iptables -t nat -L
If the iptables rule for SSLsplit is installed, an entry similar to the following will be seen in Chain PREROUTING:
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 10443
- External clients can trust SSLsplit only if it presents a secure certificate. To do so, follow the directions below in Using your own Certificate.
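To check the result of the outgoing and incoming rule steps above (and, after Disabling SSL Capture, that both rules are gone), here is an added Python check that is not part of the Epoch documentation. It parses the text that `sudo iptables -t nat -L` prints, in the layout shown above, and assumes only that layout; the sample output embedded in it is constructed.

```python
import re

# Constructed sample of `sudo iptables -t nat -L` output after the Outgoing
# Traffic step only (no PREROUTING rule yet).
SAMPLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             ! owner UID match 65534 tcp dpt:https redir ports 10443
"""

def parse_nat_chains(text):
    """Map chain name -> list of rule lines from `iptables -t nat -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line.strip())
    return chains

def redirect_status(text, dports=("https", "443"), redir="10443"):
    """Return {chain: status} for the two chains this page configures.
    ok / missing / duplicate (the -A command was run twice; each -D in
    Disabling SSL Capture removes only one copy) / no-owner-exclusion
    (OUTPUT rule lacks '! owner UID match', so sslsplit's own upstream
    connections would be redirected back into itself).
    """
    chains = parse_nat_chains(text)
    dport_re = re.compile(r"dpt:(%s)\b" % "|".join(map(re.escape, dports)))
    status = {}
    for chain in ("OUTPUT", "PREROUTING"):
        hits = [r for r in chains.get(chain, [])
                if r.startswith("REDIRECT") and dport_re.search(r)
                and "redir ports %s" % redir in r]
        if not hits:
            status[chain] = "missing"
        elif len(hits) > 1:
            status[chain] = "duplicate"
        elif chain == "OUTPUT" and "! owner UID match" not in hits[0]:
            status[chain] = "no-owner-exclusion"
        else:
            status[chain] = "ok"
    return status
```

Feed it the live table with `redirect_status(sys.stdin.read())` behind `sudo iptables -t nat -L |`; `dpt:443` (from `iptables -n`) is accepted as well as `dpt:https`.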
Disabling SSL Capture
- Run the following command on the host to remove the iptables rules for outgoing traffic on destination port 443:
sudo iptables -t nat -D OUTPUT -p tcp -m owner ! --uid-owner nobody -m tcp --dport 443 -j REDIRECT --to-ports 10443
- Run the following command on the host to remove the iptables rules for incoming traffic on destination port 443 (skip this if you did not configure sslsplit for incoming traffic):
sudo iptables -t nat -D PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
- Stop sslsplit:
sudo /etc/init.d/epoch-sslsplit stop
- Restart the collectors:
sudo /etc/init.d/epoch-collectors restart
- Remove the collector's self-signed certificate from the certificates directory:
sudo rm /etc/pki/ca-trust/source/anchors/epoch-ca.crt
- Update the CA store:
sudo update-ca-trust
IMPORTANT: When uninstalling collectors or sslsplit, remember to follow the instructions to disable SSL capture first so that the iptables rules are removed.
Advanced Configuration
Using your own Certificate
- Create the SSLsplit certificate directory on the host:
sudo mkdir -p /opt/nutanix/epoch/sslsplit/certs/
- Copy the certificate and key files:
sudo cp your-ca.crt /opt/nutanix/epoch/sslsplit/certs/epoch-ca.crt
sudo cp your-ca.key /opt/nutanix/epoch/sslsplit/certs/epoch-ca.key
- If SSLsplit was already running, restart it:
/etc/init.d/epoch-sslsplit restart
Uninstalling
sudo yum remove epoch-sslsplit