Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS inspection (MITM) with relayd #82

Closed
horia opened this issue Dec 21, 2017 · 2 comments
Closed

TLS inspection (MITM) with relayd #82

horia opened this issue Dec 21, 2017 · 2 comments

Comments

@horia
Copy link
Contributor

horia commented Dec 21, 2017

No description provided.

@horia
Copy link
Contributor Author

horia commented Dec 23, 2017

relayd ssl inspection: lost child: pid 60617 terminated; signal 10
https://marc.info/?l=openbsd-bugs&m=151124171221288&w=2

@horia
Copy link
Contributor Author

horia commented Feb 7, 2018

For -current

file etc/pf.conf, in anchor "internal", child anchor "in"

  # relayd HTTP layer7 TLS inspection (split IPv4/6)
  anchor proto tcp from <tlsinspect> to port https tagged LAN_INET {
   pass log inet \  
    divert-to lo0 port 8443 \  
    tag LAN_SELF  
   pass log inet6 \  
    divert-to lo0 port 8443 \  
    tag LAN6_SELF6  
  }

file etc/relayd.conf

http protocol httpsfilter {
       return error
       match header set "Connection" value "close"

       pass
#      pass quick url file "/etc/relayd.d/custom_whitelist"
#      block url file "/etc/relayd.d/custom_blacklist"
#      include "/etc/relayd.d/auto_blacklist"

       tls ca key "/etc/ssl/relayd/private/ca.key" password "password123"
       tls ca cert "/etc/ssl/relayd/ca.crt"
}

relay tlsinspect {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8443 tls
        listen on ::1 port 8443 tls
        protocol httpsfilter
        # Forward to the original target host
        forward with tls to destination
}

Create your own Certificate Authority (CA), called relayd

To start, first generate a new local CA key and certificate:

# mkdir -p /etc/ssl/relayd/private
# openssl req -x509 -days 365 -newkey rsa:2048 \
        -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crt

Create Certificate Signing Requests (CSRs) for relayd TLS server

You will also need an SSL server key and cert for 127.0.0.1, see "listen on" in the RELAYS section of relayd.conf(5) and ssl(8) for more details.

Note that some new browsers have deprecated using the common name of a certificate and require that subject alt names are provided. This may require the use of -extfile server.ext when self-signing.

# echo 'subjectAltName=DNS:relay.vedetta.lan' > /etc/ssl/relayd/server.ext

Generate a private (unencrypted) key for relayd TLS server:

# openssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048

Generate a Certificate Signing Request (CSR) for relayd TLS server:

# openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key \
        -out /etc/ssl/relayd/private/relay.vedetta.lan.csr \
        -nodes

Sign the relayd TLS server certificate with relayd CA:

# openssl x509 -sha256 -req -days 365 \
        -in /etc/ssl/relayd/private/relay.vedetta.lan.csr \
        -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key \
        -CAcreateserial -extfile /etc/ssl/relayd/server.ext \
        -out /etc/ssl/relayd/relay.vedetta.lan.crt

You can also sign the key yourself:

# openssl x509 -sha256 -req -days 365 \
        -in /etc/ssl/relayd/private/relay.vedetta.lan.csr \
        -signkey /etc/ssl/relayd/private/relay.vedetta.lan.key \
        -out /etc/ssl/relayd/relay.vedetta.lan.crt

Create the links for "listen on" relay configuration directive:

# cd /etc/ssl
# ln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crt
# ln -s relayd/relay.vedetta.lan.crt ::1.crt
# cd /etc/ssl/private
# ln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.key
# ln -s ../relayd/private/relay.vedetta.lan.key ::1.key

horia added a commit that referenced this issue Apr 10, 2018
horia added a commit that referenced this issue Apr 10, 2018
- Fix #125 Connect to switch0 at reboot, thank you @bentley
- Fix #82 TLS inspection (MITM) with relayd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant