sslsplit.conf - Configuration file for SSLsplit

Author

The config file facility was added by Soner Tari <sonertari@gmail.com>.

Description

The file sslsplit.conf configures SSLsplit, sslsplit(1).

Directives

When an option is not used (hashed or doesn't exist in the configuration file) sslsplit takes a default action. If an option does not have a command line equivalent, -o opt=val option can be used to override it on the command line. CACertSTRING Use CA cert (and key) to sign forged certs. Equivalent to -c command line option. CAKeySTRING Use CA key (and cert) to sign forged certs. Equivalent to -k command line option. ClientCertSTRING Use cert from pemfile when destination requests client certs. Equivalent to -a command line option. ClientKeySTRING Use key from pemfile when destination requests client certs. Equivalent to -b command line option. CAChainSTRING Use CA chain from pemfile (intermediate and root CA certs). Equivalent to -C command line option. LeafKeySTRING Use key from pemfile for generating leaf certs. Equivalent to -K command line option. Default: generate LeafCRLURLSTRING Use URL as CRL distribution point for all forged leaf certs. Equivalent to -q command line option. LeafCertDirSTRING Use cert+chain+key PEM files from certdir to target all sites matching the common names (non- matching: generate if CA). Equivalent to -t command line option. DefaultLeafCertSTRING Use cert+chain+key from PEM file for leaf certificates if there is no match in LeafCertDir. Equivalent to -A command line option. WriteGenCertsDirSTRING Write leaf key and only generated certificates to gendir. Equivalent to -w command line option. WriteAllCertsDirSTRING Write leaf key and all certificates to gendir. Equivalent to -W command line option. DenyOCSPBOOL Deny all OCSP requests on all proxyspecs. Equivalent to -O command line option. PassthroughBOOL Passthrough SSL connections if they cannot be split because of client cert auth or no matching cert and no CA. Equivalent to -P command line option. Default: drop DHGroupParamsSTRING Use DH group params from pemfile. Equivalent to -g command line option. Default: keyfiles or auto ECDHCurveSTRING Use ECDH named curve. Equivalent to -G command line option. Default: prime256v1 SSLCompressionBOOL Enable/disable SSL/TLS compression on all connections. Equivalent to -Z command line option. ForceSSLProtoSTRING Force SSL/TLS protocol version only. Equivalent to -r command line option. Default: all DisableSSLProtoSTRING Disable SSL/TLS protocol version. Equivalent to -R command line option. Default: none CiphersSTRING Use the given OpenSSL cipher suite spec. Equivalent to -s command line option. Default: ALL:-aNULL OpenSSLEngineSTRING The OpenSSL engine to activate, either the ID or the full path to the shared library implementing the engine. If an ID is given, the engine needs to be known to the system-wide OpenSSL configuration. Only available if built against a version of OpenSSL with engine support. Equivalent to -x command line option. NATEngineSTRING Specify default NAT engine to use. Equivalent to -e command line option. UserSTRING Drop privileges to user. Equivalent to -u command line option. Default: nobody, if run as root GroupSTRING Drop privileges to group. Equivalent to -m command line option. Default: Primary group of user ChrootSTRING chroot() to jaildir (impacts sni proxyspecs, see sslsplit(1)). Equivalent to -j command line option. PidFileSTRING Write pid to file. Equivalent to -p command line option. ConnectLogSTRING Connect log: log one line summary per connection to logfile. Equivalent to -l command line option. ContentLogSTRING Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec). Equivalent to -L command line option. ContentLogDirSTRING Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec). Equivalent to -S command line option. ContentLogPathSpecSTRING Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir). Equivalent to -F command line option. LogProcInfoBOOL Look up local process owning each connection for logging. Equivalent to -i command line option. PcapLogSTRING Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec). Equivalent to -X command line option. PcapLogDirSTRING Pcap log: packets to separate files in dir (excludes PcapLog/PcapLogPathSpec). Equivalent to -Y command line option. PcapLogPathSpecSTRING Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir). Equivalent to -y command line option. MirrorIfSTRING Mirror packets to interface. Equivalent to -I command line option. MirrorTargetSTRING Mirror packets to target address (used with MirrorIf). Equivalent to -T command line option. MasterKeyLogSTRING Log master keys to logfile in SSLKEYLOGFILE format. Equivalent to -M command line option. DaemonBOOL Daemon mode: run in background, log error messages to syslog. Equivalent to -d command line option. DebugBOOL Debug mode: run in foreground, log debug messages on stderr. Equivalent to -D command line option. VerifyPeerBOOL Verify peer using default certificates. Default: no AddSNIToCertificateBOOL When disabled, never add the SNI to forged certificates, even if the SNI provided by the client does not match the server certificate's CN/SAN. Helps pass the wrong.host test at https://badssl.com. Default: yes ProxySpecSTRING Proxy specification: type listenaddr+port [natengine|targetaddr+port|"sni"+port]. Multiple specs are allowed, one on each line.

File Format

The file consists of comments and options with arguments. Each line which starts with a hash (#) symbol is ignored by the parser. Options and arguments are of the form OptionArgument. The arguments are of the following types: BOOL Boolean value (yes/no). STRING String.