
#1 2018-08-09 09:45:41

lapsio
Member
From: Warsaw
Registered: 2015-09-30
Posts: 50

Is there any open source SSL decryptor?

I'm going to implement Snort and Suricata inline IPS solutions, however considering that now almost everything goes through SSL I don't think it makes much sense to use them without SSL decryption. There's plenty of commercial SSL decryptors like for example Wheel Lynx or Gigamon, but I'm looking for some open source solutions. Basically I'm looking for a setup like this:

LAN - https (with my CA) - ssl decryptor - Suricata (http) - Snort (http) - ssl decryptor - L4 firewall - https (with original CA) - WORLD

Lynx can work on 4 interfaces in following manner:
encrypted output to world, encrypted output to LAN and two decrypted inline interfaces in/out that could be connected to chained Snort and Suricata.

Is there any open source solution that would allow similar functionality?

Last edited by lapsio (2018-08-09 09:46:57)


#2 2018-08-09 09:50:58

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Is there any open source SSL decryptor?

https://docs.mitmproxy.org/stable/conce … tificates/
https://wiki.squid-cache.org/ConfigExam … mpExplicit

Personally, I wouldn't trust intercepted SSL if the intercept is not under my control.

Last edited by progandy (2018-08-09 10:01:03)



#3 2018-08-09 10:46:06

lapsio
Member
From: Warsaw
Registered: 2015-09-30
Posts: 50

Re: Is there any open source SSL decryptor?

progandy wrote:

https://docs.mitmproxy.org/stable/conce … tificates/
https://wiki.squid-cache.org/ConfigExam … mpExplicit

Personally, I wouldn't trust intercepted SSL if the intercept is not under my control.

Thanks. I think Squid can't really work as such an SSL decrypting "container" with unencrypted in/out links, only decrypt SSL for its own usage, but I found some articles describing how to achieve what I'm interested in with two mitmproxy instances. The tutorials I saw used the NFQ engine, which is black magic to me, and I think I'd rather use the "standard" afpacket engine and a few patch cords to loop traffic between interfaces, to be entirely sure that the IPS/IDS will be able to block connections.

In order to achieve such a setup I can use policy based routing on Linux (ip rule) and point a particular interface as the default gateway for the mitmproxy process/user, right?

Last edited by lapsio (2018-08-09 10:46:52)

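The policy-based-routing part of the question above, as an added example that is not from the thread, not from the mitmproxy project and not from any of the linked tutorials. It shows the Linux side of one "decryptor" box: LAN clients' port 80/443 traffic is pulled into mitmproxy's transparent mode with a nat REDIRECT (as the mitmproxy transparent-mode docs describe), and the connections that the mitmproxy user itself opens are fwmarked and routed out of a dedicated "decrypted" interface through a separate routing table, so nothing else on the box ever touches the plaintext link. Interface names, the LAN subnet, the user name, listen port, mark and table number are all assumptions set as overridable environment variables. Without arguments the script only prints the commands; `--apply` runs them as root and `--undo` removes them.

```shell
#!/bin/sh
# Added example, not code from the thread, mitmproxy, Snort or Suricata.
# Every value below is an assumption; override it in the environment.
set -eu

LAN_IF="${LAN_IF:-eth1}"              # assumed: interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: the LAN subnet behind LAN_IF
DEC_IF="${DEC_IF:-eth2}"              # assumed: patch cord towards the IPS chain
MITM_USER="${MITM_USER:-mitmproxy}"   # assumed: unprivileged user mitmproxy runs as
MITM_PORT="${MITM_PORT:-8080}"        # mitmproxy's default listen port
MARK="${MARK:-0x1}"                   # fwmark that selects the dedicated table
TABLE="${TABLE:-100}"                 # routing table holding only the DEC_IF route

# pbr_rules prints one command per line, in the order they must be applied.
#  - ip_forward: the box routes for the LAN, it is not an end host.
#  - rp_filter=2 (loose) on DEC_IF: replies from the world come back in on
#    DEC_IF, but the unmarked main table has no route there, so strict
#    reverse-path filtering would silently drop them.
#  - REDIRECT 80/443 from LAN_IF into mitmproxy (transparent mode).
#  - owner match in mangle OUTPUT: only packets generated by MITM_USER get the
#    mark, i.e. only the connections mitmproxy opens towards the servers.
#  - "to LAN_NET lookup main" at a higher priority than the fwmark rule: the
#    replies mitmproxy sends back to LAN clients are marked too (same user),
#    and without this rule they would be pushed out of DEC_IF as well.
#  - the marked table has a single default route: DEC_IF.
pbr_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$DEC_IF.rp_filter=2
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $MITM_PORT
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 443 -j REDIRECT --to-ports $MITM_PORT
iptables -t mangle -A OUTPUT -m owner --uid-owner $MITM_USER -j MARK --set-mark $MARK
ip rule add to $LAN_NET lookup main priority 900
ip rule add fwmark $MARK lookup $TABLE priority 1000
ip route add default dev $DEC_IF table $TABLE
EOF
}

# pbr_undo prints the reverse commands, newest rule first.
pbr_undo() {
    cat <<EOF
ip route del default dev $DEC_IF table $TABLE
ip rule del fwmark $MARK lookup $TABLE priority 1000
ip rule del to $LAN_NET lookup main priority 900
iptables -t mangle -D OUTPUT -m owner --uid-owner $MITM_USER -j MARK --set-mark $MARK
iptables -t nat -D PREROUTING -i $LAN_IF -p tcp --dport 443 -j REDIRECT --to-ports $MITM_PORT
iptables -t nat -D PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $MITM_PORT
EOF
}

# run_lines executes each line read on stdin, echoing it first so that a
# failing rule (set -e stops the script) is easy to spot. Needs root.
run_lines() {
    while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        eval "$cmd"
    done
}

case "${1:-}" in
    --apply) pbr_rules | run_lines ;;
    --undo)  pbr_undo | run_lines ;;
    *)       pbr_rules ;;   # dry run: only show what would be applied
esac
```

The mark is what keeps the design honest: management SSH, package updates and the second mitmproxy's own traffic on the re-encrypting box all stay on the main table, and only sockets owned by the mitmproxy user can reach the plaintext patch cord. On the world-facing instance, leave mitmproxy's upstream certificate verification on (do not set `ssl_insecure`), otherwise the decryptor itself becomes the place where a forged server certificate is accepted on behalf of every LAN client.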


Powered by FluxBB