sslsplit.conf(5)		   SSLsplit		      sslsplit.conf(5)

NAME
       sslsplit.conf - Configuration file for SSLsplit

DESCRIPTION
       The file	sslsplit.conf configures SSLsplit, sslsplit(1).

FILE FORMAT
       The  file  consists  of	comments and options with arguments. Each line
       which starts with a hash	(#) symbol is ignored by the  parser.  Options
       and arguments are of the	form Option Argument. The arguments are	of the
       following types:

       BOOL   Boolean value (yes/no).

       STRING String.

DIRECTIVES
       When an option is not set (commented out with a hash or absent from the
       configuration file) sslsplit uses the default for that option.  Any op-
       tion, including one that has no dedicated command line flag,  can  also
       be  overridden	on the command line with -o Option=Argument, which takes
       precedence over the value in the	configuration file.

       CACert STRING
	      Use  CA  cert  (and  key)	to sign	forged certs. Equivalent to -c
	      command line option.

       CAKey STRING
	      Use CA key (and cert) to sign forged  certs.  Equivalent	to  -k
	      command line option.

       ClientCert STRING
	      Use  cert	 from  pemfile when destination	requests client	certs.
	      Equivalent to -a command line option.

       ClientKey STRING
	      Use key from pemfile when	 destination  requests	client	certs.
	      Equivalent to -b command line option.

       CAChain STRING
	      Use  CA  chain  from  pemfile  (intermediate and root CA certs).
	      Equivalent to -C command line option.

       LeafKey STRING
	      Use key from pemfile for generating leaf certs. Equivalent to -K
	      command line option.
	      Default: generate

       LeafCRLURL STRING
	      Use  URL	as  CRL	 distribution point for	all forged leaf	certs.
	      Equivalent to -q command line option.

       LeafCertDir STRING
	      Use cert+chain+key PEM files from	certdir	to  target  all	 sites
	      matching the  common  names.  For	 non-matching  sites,  forge a
	      certificate if a CA is configured. Equivalent to -t command line
	      option.

       DefaultLeafCert STRING
	      Use cert+chain+key from PEM file for leaf	certificates if	 there
	      is  no  match  in	LeafCertDir. Equivalent	to -A command line op-
	      tion.

       WriteGenCertsDir	STRING
	      Write leaf key and only generated	certificates to	gendir.	Equiv-
	      alent to -w command line option.

       WriteAllCertsDir	STRING
	      Write  leaf key and all certificates to gendir. Equivalent to -W
	      command line option.

       DenyOCSP	BOOL
	      Deny all OCSP requests on	all proxyspecs.	Equivalent to -O  com-
	      mand line	option.

       Passthrough BOOL
	      Pass  through  SSL  connections  unmodified if they cannot be
	      split, either because the	destination requires client cert au-
	      thentication or because no matching certificate and no CA	 are
	      available.  Equivalent to	-P command line	option.	 Note that a
	      passed-through connection	is neither inspected nor logged	 as
	      content.
	      Default: no (drop	such connections)

       DHGroupParams STRING
	      Use  DH group params from	pemfile. Equivalent to -g command line
	      option.
	      Default: keyfiles	or auto

       ECDHCurve STRING
	      Use ECDH named curve. Equivalent to -G command line option.
	      Default: prime256v1

       SSLCompression BOOL
	      Enable/disable SSL/TLS compression on all	 connections.  Equiva-
	      lent to -Z command line option.

       ForceSSLProto STRING
	      Force  the  given	 SSL/TLS  protocol  version  and  allow	no
	      other. Equivalent	to -r command line option.
	      Default: all

       DisableSSLProto STRING
	      Disable SSL/TLS protocol version.	Equivalent to -R command  line
	      option.
	      Default: none

       Ciphers STRING
	      Use  the	given OpenSSL cipher suite spec. Equivalent to -s com-
	      mand line	option.
	      Default: ALL:-aNULL

       OpenSSLEngine STRING
	      The OpenSSL engine to activate, either the ID or the  full  path
	      to  the  shared  library	implementing  the engine.  If an ID is
	      given, the engine	needs to be known to the  system-wide  OpenSSL
	      configuration.   Only  available	if  built against a version of
	      OpenSSL with engine support.  Equivalent to -x command line  op-
	      tion.

       NATEngine STRING
	      Specify default NAT engine to use. Equivalent to -e command line
	      option.

       User STRING
	      Drop privileges to user. Equivalent to -u	command	line option.
	      Default: nobody, if run as root

       Group STRING
	      Drop privileges to group.	Equivalent to -m command line option.
	      Default: Primary group of	user

       Chroot STRING
	      chroot() to jaildir (impacts sni proxyspecs,  see	 sslsplit(1)).
	      Equivalent to -j command line option.

       PidFile STRING
	      Write pid	to file. Equivalent to -p command line option.

       ConnectLog STRING
	      Connect  log:  log  one  line summary per	connection to logfile.
	      Equivalent to -l command line option.

       ContentLog STRING
	      Content log: full	data to	file or	named pipe. Mutually exclu-
	      sive  with ContentLogDir and ContentLogPathSpec. Equivalent to
	      -L command line option.

       ContentLogDir STRING
	      Content log: full	data to	separate files in dir. Mutually	ex-
	      clusive  with  ContentLog	 and ContentLogPathSpec. Equivalent
	      to -S command line option.

       ContentLogPathSpec STRING
	      Content log: full	data to	separate files named by	a  pathspec
	      with  % substitutions. Mutually exclusive	with ContentLog	and
	      ContentLogDir. Equivalent	to -F command line option.

       LogProcInfo BOOL
	      Look up local process owning each	connection for logging.	Equiv-
	      alent to -i command line option.

       PcapLog STRING
	      Pcap log:	packets	to pcapfile.  Mutually	exclusive  with	 Pcap-
	      LogDir and PcapLogPathSpec. Equivalent to	-X command line	 op-
	      tion.

       PcapLogDir STRING
	      Pcap  log:  packets  to separate files in	dir. Mutually exclu-
	      sive with	PcapLog	and PcapLogPathSpec. Equivalent	to  -Y	com-
	      mand line	option.

       PcapLogPathSpec STRING
	      Pcap  log:  packets  to  separate	files named by a pathspec with
	      % substitutions. Mutually	exclusive with PcapLog	and  PcapLog-
	      Dir. Equivalent to -y command line option.

       MirrorIf	STRING
	      Mirror  packets  to interface. Equivalent	to -I command line op-
	      tion.

       MirrorTarget STRING
	      Mirror packets to	target address (used with  MirrorIf).  Equiva-
	      lent to -T command line option.

       MasterKeyLog STRING
	      Log  TLS	master	keys to	logfile	in SSLKEYLOGFILE format, so
	      that a packet capture of the proxied sessions can	be decrypted
	      later.  Anyone able to read this file can	decrypt	those  ses-
	      sions. Equivalent	to -M command line option.

       Daemon BOOL
	      Daemon mode: run in background, log error	 messages  to  syslog.
	      Equivalent to -d command line option.

       Debug BOOL
	      Debug  mode:  run	 in  foreground, log debug messages on stderr.
	      Equivalent to -D command line option.

       VerifyPeer BOOL
	      Verify the upstream server's certificate against	the  default
	      CA certificates.
	      Default: no, i.e.	the server's certificate is not	validated.

       AddSNIToCertificate BOOL
	      When disabled, never add the SNI to forged certificates, even if
	      the  SNI	provided  by the client	does not match the server cer-
	      tificate's  CN/SAN.  Helps   pass	  the	wrong.host   test   at
	      https://badssl.com.
	      Default: yes

       ProxySpec STRING
	      Proxy specification of the form:	type  listenaddr  port	[nat-
	      engine  |	 targetaddr port | "sni" port].	The optional trailing
	      part selects how the destination	is  found:  a  NAT  engine,	a
	      static  target  address	and  port, or the SNI sent by the cli-
	      ent, connected to	on the given port. Multiple specs  are	 al-
	      lowed, one on each line.
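       The following is an added example,  not	part  of  this	manual	page
       or  of the SSLsplit project.  It	writes a complete sslsplit.conf	using
       only the directives described above, with  the  weaker  defaults	(the
       ALL:-aNULL  cipher  list, no privilege drop, no chroot) replaced	by the
       settings	a security engineer would choose, and a	small lint pass	 that
       enforces	the FILE FORMAT	rules (comment lines ignored, every other line
       "Option Argument", BOOL arguments yes/no).  The CA  creation  with  ope-
       nssl(1),	the _sslsplit user, the	paths,	ports  and  addresses,	and  the
       -f conffile flag	of sslsplit(1) are assumptions made for	 the  example
       and are not stated on this page.

```shell
#!/bin/sh
# Added example, not SSLsplit project code. Writes a hardened sslsplit.conf
# built only from directives documented in sslsplit.conf(5), lints it against
# the documented file format, and shows how the proxy would be started.
# Assumptions (not on the manual page): sslsplit(1) accepts -f conffile; the
# CA is an example key/cert created with openssl(1); user _sslsplit exists;
# all paths, addresses and ports are placeholders.

write_sslsplit_conf() {
    # $1 = path to write. Lines starting with # are ignored by the parser,
    # every other line is "Option Argument"; BOOL arguments are yes/no.
    cat > "$1" <<'EOF'
# Signing CA. Any client that trusts this CA can be intercepted by whoever
# holds ca.key, so it deserves the same protection as the MasterKeyLog below.
CACert /usr/local/etc/sslsplit/ca.crt
CAKey /usr/local/etc/sslsplit/ca.key
CAChain /usr/local/etc/sslsplit/ca.crt

# Keep the default (drop): an unsplittable connection fails closed instead of
# flowing past the proxy unseen and unlogged.
Passthrough no

# Page default is ALL:-aNULL. The list applies to both the client-facing and
# the server-facing side, so an overly strict list breaks legacy servers.
Ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4
# TLS compression enables CRIME-style attacks; never wanted on a proxy.
SSLCompression no
# One version per line, mirroring a repeated -R (assumption: lines accumulate).
DisableSSLProto tls10
DisableSSLProto tls11
ECDHCurve prime256v1
# Validate upstream server certificates instead of forging for anything.
VerifyPeer yes

# Privilege separation. Chroot changes how "sni" proxyspecs resolve names;
# see sslsplit(1) before relying on it.
User _sslsplit
Group _sslsplit
Chroot /var/empty
PidFile /var/run/sslsplit.pid

# Logs. sslkeys.log decrypts every captured session and certs/ holds the leaf
# private key: restrict both to the proxy operator.
ConnectLog /var/log/sslsplit/connect.log
ContentLogDir /var/log/sslsplit/content
PcapLogDir /var/log/sslsplit/pcap
MasterKeyLog /var/log/sslsplit/sslkeys.log
WriteGenCertsDir /var/log/sslsplit/certs
Daemon yes

# Listeners, one per line: the first forwards by the client's SNI on port 443,
# the second looks the destination up in the pf NAT table.
NATEngine pf
ProxySpec https 127.0.0.1 8443 sni 443
ProxySpec https 127.0.0.1 8444 pf
EOF
}

lint_sslsplit_conf() {
    # $1 = path. Exit 0 when every non-blank, non-comment line has an
    # argument and every BOOL directive listed on the page uses yes/no;
    # otherwise print the offending lines and exit 1.
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF < 2 { print FILENAME ":" NR ": missing argument: " $0; bad = 1; next }
        $1 ~ /^(DenyOCSP|Passthrough|SSLCompression|LogProcInfo|Daemon|Debug|VerifyPeer|AddSNIToCertificate)$/ \
            && $2 !~ /^(yes|no)$/ { print FILENAME ":" NR ": BOOL must be yes/no: " $0; bad = 1 }
        END { exit bad }' "$1"
}

gen_ca() {
    # $1 = directory. Example CA for CACert/CAKey (assumption: openssl(1) is
    # installed). Key readable by root only; the proxy reads it before
    # dropping privileges to User/Group.
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
        -subj '/CN=sslsplit example CA' -keyout "$1/ca.key" -out "$1/ca.crt"
    chmod 0400 "$1/ca.key"
}

# Stand-alone use: ./example.sh run
if [ "${1:-}" = "run" ]; then
    conf=/usr/local/etc/sslsplit/sslsplit.conf
    gen_ca /usr/local/etc/sslsplit
    write_sslsplit_conf "$conf"
    lint_sslsplit_conf "$conf" || exit 1
    # -f loads the file (assumption); -o overrides a directive for this run
    # only, here to stay in the foreground while testing.
    sslsplit -f "$conf" -o Daemon=no -D
fi
```

       The  lint  is deliberately narrow: it checks the	shape of the file, not
       whether sslsplit	accepts	every value, so	a wrong	cipher string or an un-
       known protocol name is still only reported by sslsplit itself at	start-
       up.  Run	it in the foreground (Debug yes	or -D) the first time to  see
       those errors on stderr rather than in syslog.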

FILES
       /usr/local/etc/sslsplit/sslsplit.conf

AUTHOR
       The config file facility	was added by Soner Tari	<sonertari@gmail.com>.

SEE ALSO
       sslsplit(1)

sslsplit 0.5.5			  2020-08-09		      sslsplit.conf(5)
