RHEL/CentOS

Quickstart

You may download our sslsplit-quickstart script to install or remove sslsplit. In the directory where you have downloaded the quickstart script, run the following commands to:

  • Install sslsplit
chmod +x sslsplit-quickstart.sh && NETSIL_SP_HOST=${your_netsil_ip} ./sslsplit-quickstart.sh install
  • Remove sslsplit
./sslsplit-quickstart.sh remove

Quickstart Configuration

The quickstart script can be parameterized with environment variables to fit your installation environment. Refer to the table below for details:

Parameter Default Choices Description
DEST_PORT 443 (https) 0 - 65536 The port to which your encrypted traffic is being sent.
PKG_TYPE n/a deb, rpm, docker Defines the sslsplit package type. It is automatically set based on the OS, but you can override it with docker on a DEB or RPM-based OS if you have installed the collectors via docker.
COLLECTOR_CONTAINER_NAME n/a String The container name of the collector with which we are setting up sslsplit. This defaults to netsil_collectors if PKG_TYPE is docker.

Manual Installation

Part 1 - Setup

  1. Download sslsplit

    wget --no-check-certificate -q -O \
        netsil-sslsplit.rpm \
        https://repo.netsil.com/stable/netsil-sslsplit-centos-7-x64.rpm
    
  2. Install sslsplit

    sudo rpm -i -U --replacefiles --replacepkgs netsil-sslsplit.rpm
    
  3. Start sslsplit

    sudo /etc/init.d/netsil-sslsplit start
    

Part 2 - Certificates

  1. Copy sslsplit's self-signed certificate to the certificates directory

    sudo cp /opt/netsil/sslsplit/certs/netsil-ca.crt /etc/pki/ca-trust/source/anchors/
    
  2. Set the proper permissions on the self-signed certficate

    sudo chmod 644 /etc/pki/ca-trust/source/anchors/netsil-ca.crt
    
  3. Update the CA store

    sudo update-ca-trust
    

Applications with certificate bundles

Client applications such as MySQL and PostgreSQL use their own certificate bundles and don't use the root certificates on the host. To make these applications trust SSLsplit, provide the public certificate of SSlsplit along with the certificate(s) of the actual server to the application.

For example, Amazon's RDS has a standard set of public certificates available as a bundle. Add SSLsplit's public certificate to the trusted certificates (all the certificates concatenated into a single file). This is the location of SSLsplit's public certificate in the collector: /opt/netsil/sslsplit/certs/netsil-ca.crt. Configure the MySQL client application via its SSL certs configuration to use the new trusted server certificates. The client should now be able to trust SSLsplit.

Part 3 - IPtables

Outgoing Traffic

Listed below are directions for intercepting outgoing SSL traffic towards a destination port.

  1. Insert iptables rules

    Run the following command on the collector host to add iptables rules for destination port 443

    sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner nobody -m tcp --dport 443 -j REDIRECT --to-ports 10443
    
  2. Check that rules were inserted correctly

    sudo iptables -t nat -L
    

    If the IP tables rule for sslsplit is installed an entry similar to the following will be seen in Chain OUTPUT:

    REDIRECT   tcp  --  anywhere             anywhere             ! owner UID match 65534 tcp dpt:https redir ports 10443
    

Incoming Traffic

For the most part, setting up outgoing traffic capture rules should suffice. For the edge cases, instructions for setting up incoming traffic capture rules are provided here.

  1. Insert iptables rules

    Run the following command on the collector host to add iptables rules for destination port 443

    sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
    
  2. Check that rules were inserted correctly with the following command

    sudo iptables -t nat -L
    

    If the iptables rule for SSLsplit is installed an entry similar to the following will be seen in Chain PREROUTING:

    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 10443
    
  3. External clients can trust SSLsplit only if it presents a secure certificate. To do so, follow the directions below in Using your own Certificate.

Disabling SSL Capture

  1. Run the following command on the host to remove iptables rules for outgoing traffic on destination port 443:

    sudo iptables -t nat -D OUTPUT -p tcp -m owner ! --uid-owner nobody -m tcp --dport 443 -j REDIRECT --to-ports 10443
    
  2. Run the following command on the host to remove iptables rules for incoming traffic on destination port 443 (can skip if you did not configure sslsplit for incoming traffic):

    sudo iptables -t nat -D PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10443
    
  3. Stop sslsplit with

    sudo /etc/init.d/netsil-sslsplit stop
    
  4. Restart the collectors

    sudo /etc/init.d/netsil-collectors restart
    
  5. Remove collector's self-signed certificate from the certificates directory:

    sudo rm /etc/pki/ca-trust/source/anchors/netsil-ca.crt
    
  6. Update the CA store:

    sudo update-ca-trust
    

IMPORTANT: When uninstalling collectors or sslsplit, remember to follow the instrutions to disable SSL capture first so iptables rules are removed.

Advanced Configuration

Using your own Certificate

  1. Create the SSLsplit certificate directory on the host:

    sudo mkdir -p /opt/netsil/sslsplit/certs/
    
  2. Copy the certificate and key files:

    sudo cp your-ca.crt /opt/netsil/sslsplit/certs/netsil-ca.crt
    sudo cp your-ca.key /opt/netsil/sslsplit/certs/netsil-ca.key
    
  3. If SSLsplit was already running, restart it:

    /etc/init.d/netsil-sslsplit restart
    

Uninstalling

sudo yum remove netsil-sslsplit