sslsplit.conf

sslsplit.conf(5) SSLsplit sslsplit.conf(5)

NAME

   sslsplit.conf - Configuration file for SSLsplit

DESCRIPTION

   The file sslsplit.conf configures SSLsplit, sslsplit(1).

FILE FORMAT

   The  file  consists  of comments and options with arguments. Each line which starts with a hash (#) symbol is ignored by the parser. Options and arguments are of the form Option Argu‐
   ment. The arguments are of the following types:

   BOOL   Boolean value (yes/no).

   STRING String.

DIRECTIVES

   When an option is not used (hashed or doesn't exist in the configuration file) sslsplit takes a default action. If an option does not have a command line equivalent, -o opt=val option
   can be used to override it on the command line.

   CACert STRING
          Use CA cert (and key) to sign forged certs. Equivalent to -c command line option.

   CAKey STRING
          Use CA key (and cert) to sign forged certs. Equivalent to -k command line option.

   ClientCert STRING
          Use cert from pemfile when destination requests client certs. Equivalent to -a command line option.

   ClientKey STRING
          Use key from pemfile when destination requests client certs. Equivalent to -b command line option.

   CAChain STRING
          Use CA chain from pemfile (intermediate and root CA certs). Equivalent to -C command line option.

   LeafKey STRING
          Use key from pemfile for generating leaf certs. Equivalent to -K command line option.
          Default: generate

   LeafCRLURL STRING
          Use URL as CRL distribution point for all forged leaf certs. Equivalent to -q command line option.

   LeafCertDir STRING
          Use cert+chain+key PEM files from certdir to target all sites matching the common names (non-matching: generate if CA). Equivalent to -t command line option.

   DefaultLeafCert STRING
          Use cert+chain+key from PEM file for leaf certificates if there is no match in LeafCertDir. Equivalent to -A command line option.

   WriteGenCertsDir STRING
          Write leaf key and only generated certificates to gendir. Equivalent to -w command line option.

   WriteAllCertsDir STRING
          Write leaf key and all certificates to gendir. Equivalent to -W command line option.

   DenyOCSP BOOL
          Deny all OCSP requests on all proxyspecs. Equivalent to -O command line option.

   Passthrough BOOL
          Passthrough SSL connections if they cannot be split because of client cert auth or no matching cert and no CA. Equivalent to -P command line option.
          Default: drop

   DHGroupParams STRING
          Use DH group params from pemfile. Equivalent to -g command line option.
          Default: keyfiles or auto

   ECDHCurve STRING
          Use ECDH named curve. Equivalent to -G command line option.
          Default: prime256v1

   SSLCompression BOOL
          Enable/disable SSL/TLS compression on all connections. Equivalent to -Z command line option.

   ForceSSLProto STRING
          Force SSL/TLS protocol version only. Equivalent to -r command line option.
          Default: all

   DisableSSLProto STRING
          Disable SSL/TLS protocol version. Equivalent to -R command line option.
          Default: none

   Ciphers STRING
          Use the given OpenSSL cipher suite spec. Equivalent to -s command line option.
          Default: ALL:-aNULL

   OpenSSLEngine STRING
          The OpenSSL engine to activate, either the ID or the full path to the shared library implementing the engine.  If an ID is given, the engine needs to be known  to  the  system-
          wide OpenSSL configuration.  Only available if built against a version of OpenSSL with engine support.  Equivalent to -x command line option.

   NATEngine STRING
          Specify default NAT engine to use. Equivalent to -e command line option.

   User STRING
          Drop privileges to user. Equivalent to -u command line option.
          Default: nobody, if run as root

   Group STRING
          Drop privileges to group. Equivalent to -m command line option.
          Default: Primary group of user

   Chroot STRING
          chroot() to jaildir (impacts sni proxyspecs, see sslsplit(1)). Equivalent to -j command line option.

   PidFile STRING
          Write pid to file. Equivalent to -p command line option.

   ConnectLog STRING
          Connect log: log one line summary per connection to logfile. Equivalent to -l command line option.

   ContentLog STRING
          Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec). Equivalent to -L command line option.

   ContentLogDir STRING
          Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec). Equivalent to -S command line option.

   ContentLogPathSpec STRING
          Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir). Equivalent to -F command line option.

   LogProcInfo BOOL
          Look up local process owning each connection for logging. Equivalent to -i command line option.

   PcapLog STRING
          Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec). Equivalent to -X command line option.

   PcapLogDir STRING
          Pcap log: packets to separate files in dir (excludes PcapLog/PcapLogPathSpec). Equivalent to -Y command line option.

   PcapLogPathSpec STRING
          Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir). Equivalent to -y command line option.

   MirrorIf STRING
          Mirror packets to interface. Equivalent to -I command line option.

   MirrorTarget STRING
          Mirror packets to target address (used with MirrorIf). Equivalent to -T command line option.

   MasterKeyLog STRING
          Log master keys to logfile in SSLKEYLOGFILE format. Equivalent to -M command line option.

   Daemon BOOL
          Daemon mode: run in background, log error messages to syslog. Equivalent to -d command line option.

   Debug BOOL
          Debug mode: run in foreground, log debug messages on stderr. Equivalent to -D command line option.

   VerifyPeer BOOL
          Verify peer using default certificates.
          Default: no

   AddSNIToCertificate BOOL
          When  disabled,  never add the SNI to forged certificates, even if the SNI provided by the client does not match the server certificate's CN/SAN. Helps pass the wrong.host test
          at https://badssl.com.
          Default: yes

   ProxySpec STRING
          Proxy specification: type listenaddr+port [natengine|targetaddr+port|"sni"+port]. Multiple specs are allowed, one on each line.

FILES

   /etc/sslsplit/sslsplit.conf

AUTHOR

   The config file facility was added by Soner Tari <sonertari@gmail.com>.

SEE ALSO

   sslsplit(1)

sslsplit 0.5.5 2024-03-11 sslsplit.conf(5)