Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS inspection (MITM) with relayd #82

Closed
horia opened this issue Dec 21, 2017 · 2 comments
Closed

TLS inspection (MITM) with relayd #82

horia opened this issue Dec 21, 2017 · 2 comments
Projects
Roadmap

Comments

@horia
Copy link
Contributor

horia commented Dec 21, 2017

No description provided.

@horia horia created this issue from a note in Roadmap (In Progress) Dec 21, 2017
@horia
Copy link
Contributor Author

horia commented Dec 23, 2017

relayd ssl inspection: lost child: pid 60617 terminated; signal 10
https://marc.info/?l=openbsd-bugs&m=151124171221288&w=2

@horia
Copy link
Contributor Author

horia commented Feb 7, 2018
edited
Loading

For -current

file etc/pf.conf, in anchor "internal", child anchor "in"

  # relayd HTTP layer7 TLS inspection (split IPv4/6)
  anchor proto tcp from <tlsinspect> to port https tagged LAN_INET {
   pass log inet \  
    divert-to lo0 port 8443 \  
    tag LAN_SELF  
   pass log inet6 \  
    divert-to lo0 port 8443 \  
    tag LAN6_SELF6  
  }

file etc/relayd.conf

http protocol httpsfilter {
       return error
       match header set "Connection" value "close"

       pass
#      pass quick url file "/etc/relayd.d/custom_whitelist"
#      block url file "/etc/relayd.d/custom_blacklist"
#      include "/etc/relayd.d/auto_blacklist"

       tls ca key "/etc/ssl/relayd/private/ca.key" password "password123"
       tls ca cert "/etc/ssl/relayd/ca.crt"
}

relay tlsinspect {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8443 tls
        listen on ::1 port 8443 tls
        protocol httpsfilter
        # Forward to the original target host
        forward with tls to destination
}

Create your own Certificate Authority (CA), called relayd

To start, first generate a new local CA key and certificate:

# mkdir -p /etc/ssl/relayd/private
# openssl req -x509 -days 365 -newkey rsa:2048 \
        -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crt

Create Certificate Signing Requests (CSRs) for relayd TLS server

You will also need an SSL server key and cert for 127.0.0.1, see "listen on" in the RELAYS section of relayd.conf(5) and ssl(8) for more details.

Note that some new browsers have deprecated using the common name of a certificate and require that subject alt names are provided. This may require the use of -extfile server.ext when self-signing.

# echo 'subjectAltName=DNS:relay.vedetta.lan' > /etc/ssl/relayd/server.ext

Generate a private (unencrypted) key for relayd TLS server:

# openssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048

Generate a Certificate Signing Request (CSR) for relayd TLS server:

# openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key \
        -out /etc/ssl/relayd/private/relay.vedetta.lan.csr \
        -nodes

Sign the relayd TLS server certificate with relayd CA:

# openssl x509 -sha256 -req -days 365 \
        -in /etc/ssl/relayd/private/relay.vedetta.lan.csr \
        -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key \
        -CAcreateserial -extfile /etc/ssl/relayd/server.ext \
        -out /etc/ssl/relayd/relay.vedetta.lan.crt

You can also sign the key yourself:

# openssl x509 -sha256 -req -days 365 \
        -in /etc/ssl/relayd/private/relay.vedetta.lan.csr \
        -signkey /etc/ssl/relayd/private/relay.vedetta.lan.key \
        -out /etc/ssl/relayd/relay.vedetta.lan.crt

Create the links for "listen on" relay configuration directive:

# cd /etc/ssl
# ln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crt
# ln -s relayd/relay.vedetta.lan.crt ::1.crt
# cd /etc/ssl/private
# ln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.key
# ln -s ../relayd/private/relay.vedetta.lan.key ::1.key

horia added a commit that referenced this issue Apr 10, 2018
@horia
Fix #82 - TLS inspection (MITM) with relayd
34eb28a
@horia horia mentioned this issue Apr 10, 2018
Merged
Roadmap automation moved this from In Progress to Done Apr 10, 2018
horia added a commit that referenced this issue Apr 10, 2018
@horia
Merge pull request #127 from vedetta-com/wip
2e4b12a 
- Fix #125 Connect to switch0 at reboot, thank you @bentley
- Fix #82 TLS inspection (MITM) with relayd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Roadmap
  
Done
Milestone
No milestone
Development

No branches or pull requests
1 participant
@horia