
Set up port forwarding for SSLSplit (Supports ipfw fwd only) on OSX Mavericks


I am trying to set up SSLSplit on OSX Mavericks according to this tutorial.

I got it working on a Ubuntu machine, so I know SSLSplit works just fine and the issue is only with packets not being forwarded to the port on which SSLSplit is listening on Mavericks. On the SSLSplit homepage it says:

SSLsplit currently supports the following operating systems and NAT engines:

Mac OS X: ipfw fwd

so I try to set up port forwarding using the following two commands, but I read somewhere that ipfw has been dropped in OSX 10.9 Mavericks.

sudo sysctl -w net.inet.ip.forwarding=1
sudo ipfw add fwd 127.0.0.1,8080 tcp from 192.168.2.2 to any 443 in via bridge100

I even tried this in OSX 10.8.5; the commands don't give any error on either operating system, but traffic is not being forwarded.

I also tried the pfctl approach as mentioned here. But with this method, I don't think SSLSplit is too happy, since I think the packet loops around: I get a "too many files open" error and SSLSplit crashes. Can SSLSplit work with pfctl? Does it really care how traffic is forwarded to the port on which it is listening? Or does the error occur because of some misconfiguration on my part?

Has someone been able to use SSLSplit on OSX Mavericks? Can you guide me with the port forwarding part? It would be better if you could explain the entire process.

I am not using tools such as mitmproxy since I have to decrypt the SSL Layer over non-HTTP Traffic.


Solution

  • Can SSLSplit work with pfctl? Does it really care how traffic is forwarded to the port on which it is listening? Or does the error occur because of some misconfiguration on my part?

    When receiving a connection on a socket, SSLsplit needs to determine where the connection was originally destined to, before it got intercepted and redirected by ipfw, pf or some other NAT mechanism. Each NAT mechanism requires that SSLsplit use a different way of figuring out what the original destination address was. When using pf rdr, that mechanism is the DIOCNATLOOK ioctl interface. For ipfw fwd, that mechanism is a standard getsockname() call. If you call getsockname() on a connected socket redirected by pf rdr, you will receive the local socket endpoint, which is the IP address and port that sslsplit is listening on, therefore creating an endless packet loop. If you do that on an ipfw fwd divert socket, you get the original destination.

    Has someone been able to use SSLSplit on OSX Mavericks? Can you guide me with the port forwarding part?

    Unfortunately, there is currently no way to make SSLsplit support pf on Mac OS X, since Apple does not seem to install the header files required to use the DIOCNATLOOK ioctl interface, and the headers shipping with the source distribution differ from the OpenBSD/FreeBSD counterparts in that the ioctl interface has slightly changed and was made private. It would be possible to add support for that Apple-modified private ioctl interface to SSLsplit, but nobody has written the code to do that so far.

    SSLsplit is quite usable in SNI configurations though, where the destination address is taken from the SNI hostname the client asks for, but that of course only works with clients supporting SNI. Also working are configurations with static destinations.

    There is also pf divert-to which would be compatible with ipfw fwd, but that feature of pf is not available on Mac OS X pf so far.

    Also see this bug tracker issue: https://github.com/droe/sslsplit/issues/15

    Update: SSLsplit git master now includes experimental support for pf on Mac OS X 10.7, 10.8 and 10.9 which will be part of the upcoming 0.4.8 release.
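The getsockname() behaviour described in the answer, as an added example (not SSLsplit's own code): a listener on 127.0.0.1:8080, the target of the question's ipfw fwd rule, recovers each connection's original destination with getsockname() and drops the connection when the lookup returns the proxy's own endpoint, which is what a pf rdr redirect (or no redirect at all) hands back and what produces the endless loop and the open-file exhaustion the question reports. The 203.0.113.x addresses in the comments are constructed sample values.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if dst is the proxy's own listening endpoint, 0 otherwise. A wildcard
 * listener (0.0.0.0) owns every local address on its port. */
int is_self_redirect(const struct sockaddr_in *dst, const struct sockaddr_in *lst)
{
    if (dst->sin_port != lst->sin_port) return 0;
    return lst->sin_addr.s_addr == htonl(INADDR_ANY) ||
           dst->sin_addr.s_addr == lst->sin_addr.s_addr;
}

/* Same check over dotted-quad strings, e.g. ("203.0.113.5", 443, "127.0.0.1", 8080). */
int is_self_redirect_str(const char *dip, unsigned dport, const char *lip, unsigned lport)
{
    struct sockaddr_in d = {0}, l = {0};
    d.sin_family = l.sin_family = AF_INET;
    d.sin_port = htons(dport); l.sin_port = htons(lport);
    inet_pton(AF_INET, dip, &d.sin_addr); inet_pton(AF_INET, lip, &l.sin_addr);
    return is_self_redirect(&d, &l);
}

/* Original destination of an accepted socket, the ipfw fwd way. Returns 0 and fills
 * *out, or -1 if getsockname() fails or returns the listener itself (pf rdr case). */
int orig_dst_getsockname(int fd, const struct sockaddr_in *lst, struct sockaddr_in *out)
{
    socklen_t len = sizeof(*out);
    if (getsockname(fd, (struct sockaddr *)out, &len) < 0 || len < sizeof(*out))
        return -1;
    return is_self_redirect(out, lst) ? -1 : 0;
}

int main(void)
{   /* listener on 127.0.0.1:8080, where the question's ipfw fwd rule sends traffic */
    struct sockaddr_in lst = {0}, dst; char ip[INET_ADDRSTRLEN];
    lst.sin_family = AF_INET; lst.sin_port = htons(8080);
    lst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0 || bind(srv, (struct sockaddr *)&lst, sizeof(lst)) || listen(srv, 8))
        return perror("listen"), 1;
    for (int c; (c = accept(srv, NULL, NULL)) >= 0; close(c)) {
        if (orig_dst_getsockname(c, &lst, &dst) < 0) { fputs("dropped: would loop\n", stderr); continue; }
        inet_ntop(AF_INET, &dst.sin_addr, ip, sizeof(ip));
        printf("original destination %s:%u\n", ip, ntohs(dst.sin_port)); /* a proxy connects here */
    }
    return 0;
}
```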