SSL Wrapper, found at http://cesanta.com/products.html,
allows you to tunnel any TCP connection between two hosts using SSL. However, the documentation for it is practically nonexistant.
To hopefully save you some time, I have implemented and
tested it myself and will now share my notes with you.
Generating SSL Certificates
First, you need to set up your own CA using OpenSSL. Then you need to generate two certificate/key
pairs and get them signed by your CA.
#Generate a 2048-bit RSA private key for the CA:
openssl genrsa -des3 -out ca/ca.key 2048
#Generate the server certificate
openssl req -new -newkey rsa:2048 -nodes -keyout server.key
-out server.csr -days 365
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey
ca.pem -CAcreateserial -out server.crt
#Generate the client certificate
openssl req -new -newkey rsa:2048 -nodes -keyout chris.key
-out chris.csr -days 365
openssl x509 -req -days 365 -in chris.csr -CA ca.pem -CAkey
ca.pem -CAcreateserial -out chris.crt
Run the program
Server-side: HTTP server is running at 192.168.1.1, SSL
wrapper will listen on port 443
(Using sudo to listen on privileged port 443)
sudo ./ssl_wrapper ssl://443:server.pem:ca.crt
tcp://192.168.1.1:80
Client-side: Will listen on port 8080 for HTTP connections,
will connect to the SSL Wrapper server at 192.168.100.24:443
./ssl_wrapper tcp://8080 ssl://192.168.100.24:443:chris.pem
MITM Attack
A correctly configured SSL Wrapper will not allow a
connection if it is under a MITM attack.
(Using Cain in this example)
Google Chrome will display the message “localhost didn’t
send any data” during an MITM attack.
MITM attack possible using incorrect configuration
If it is not configured correctly (not using a CA with
client certificate), an MITM attack is possible.
Server-side: HTTP server is running at 192.168.1.1, SSL
wrapper will listen on port 443
(Using sudo to listen on privileged port 443)
sudo ./ssl_wrapper ssl://443:server.pem tcp://192.168.1.1:80
Client-side: Will listen on port 8080 for HTTP connections,
will connect to the SSL Wrapper server at 192.168.100.24:443
./ssl_wrapper tcp://8080 ssl://192.168.100.24:443
No comments:
Post a Comment