sslsplit.conf - Configuration file for SSLsplit
The file sslsplit.conf configures SSLsplit, sslsplit(1).
The file consists of comments and options with arguments. Each
line which starts with a hash (#) symbol is ignored by the parser.
Options and arguments are of the form Option Argument. The arguments
are of the following types:
- BOOL
- Boolean value (yes/no).
- STRING
- String.
When an option is not used (hashed or doesn't exist in the
configuration file) sslsplit takes a default action. If an option does not
have a command line equivalent, -o opt=val option can be used to override it
on the command line.
- CACert
STRING
- Use CA cert (and key) to sign forged certs. Equivalent to -c command line
option.
- CAKey STRING
- Use CA key (and cert) to sign forged certs. Equivalent to -k command line
option.
- ClientCert
STRING
- Use cert from pemfile when destination requests client certs. Equivalent
to -a command line option.
- ClientKey
STRING
- Use key from pemfile when destination requests client certs. Equivalent to
-b command line option.
- CAChain
STRING
- Use CA chain from pemfile (intermediate and root CA certs). Equivalent to
-C command line option.
- LeafCerts
STRING
- Use key from pemfile for leaf certs. Equivalent to -K command line option.
Default: generate
- CRL STRING
- Use URL as CRL distribution point for all forged certs. Equivalent to -q
command line option.
- TargetCertDir
STRING
- Use cert+chain+key PEM files from certdir to target all sites matching the
common names (non-matching: generate if CA). Equivalent to -t command line
option.
- WriteGenCertsDir
STRING
- Write leaf key and only generated certificates to gendir. Equivalent to -w
command line option.
- WriteAllCertsDir
STRING
- Write leaf key and all certificates to gendir. Equivalent to -W command
line option.
- DenyOCSP
BOOL
- Deny all OCSP requests on all proxyspecs. Equivalent to -O command line
option.
- Passthrough
BOOL
- Passthrough SSL connections if they cannot be split because of client cert
auth or no matching cert and no CA. Equivalent to -P command line option.
Default: drop
- DHGroupParams
STRING
- Use DH group params from pemfile. Equivalent to -g command line option.
Default: keyfiles or auto
- ECDHCurve
STRING
- Use ECDH named curve. Equivalent to -G command line option.
Default: prime256v1
- SSLCompression
BOOL
- Enable/disable SSL/TLS compression on all connections. Equivalent to -Z
command line option.
- ForceSSLProto
STRING
- Force SSL/TLS protocol version only. Equivalent to -r command line option.
Default: all
- DisableSSLProto
STRING
- Disable SSL/TLS protocol version. Equivalent to -R command line option.
Default: none
- Ciphers
STRING
- Use the given OpenSSL cipher suite spec. Equivalent to -s command line
option.
Default: ALL:-aNULL
- OpenSSLEngine
STRING
- The OpenSSL engine to activate, either the ID or the full path to the
shared library implementing the engine. If an ID is given, the engine
needs to be known to the system-wide OpenSSL configuration. Only available
if built against a version of OpenSSL with engine support. Equivalent to
-x command line option.
- NATEngine
STRING
- Specify default NAT engine to use. Equivalent to -e command line
option.
- User STRING
- Drop privileges to user. Equivalent to -u command line option.
Default: nobody, if run as root
- Group STRING
- Drop privileges to group. Equivalent to -m command line option.
Default: Primary group of user
- Chroot
STRING
- chroot() to jaildir (impacts sni proxyspecs, see sslsplit(1)). Equivalent
to -j command line option.
- PidFile
STRING
- Write pid to file. Equivalent to -p command line option.
- ConnectLog
STRING
- Connect log: log one line summary per connection to logfile. Equivalent to
-l command line option.
- ContentLog
STRING
- Content log: full data to file or named pipe (excludes
ContentLogDir/ContentLogPathSpec). Equivalent to -L command line
option.
- ContentLogDir
STRING
- Content log: full data to separate files in dir (excludes
ContentLog/ContentLogPathSpec). Equivalent to -S command line option.
- ContentLogPathSpec
STRING
- Content log: full data to sep files with % subst (excludes
ContentLog/ContentLogDir). Equivalent to -F command line option.
- LogProcInfo
BOOL
- Look up local process owning each connection for logging. Equivalent to -i
command line option.
- PcapLog
STRING
- Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
Equivalent to -X command line option.
- PcapLogDir
STRING
- Pcap log: packets to separate files in dir (excludes
PcapLog/PcapLogPathSpec). Equivalent to -Y command line option.
- PcapLogPathSpec
STRING
- Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
Equivalent to -y command line option.
- MirrorIf
STRING
- Mirror packets to interface. Equivalent to -I command line option.
- MirrorTarget
STRING
- Mirror packets to target address (used with MirrorIf). Equivalent to -T
command line option.
- MasterKeyLog
STRING
- Log master keys to logfile in SSLKEYLOGFILE format. Equivalent to -M
command line option.
- Daemon
BOOL
- Daemon mode: run in background, log error messages to syslog. Equivalent
to -d command line option.
- Debug BOOL
- Debug mode: run in foreground, log debug messages on stderr. Equivalent to
-D command line option.
- VerifyPeer
BOOL
- Verify peer using default certificates.
Default: no
- AddSNIToCertificate
BOOL
- When disabled, never add the SNI to forged certificates, even if the SNI
provided by the client does not match the server certificate's CN/SAN.
Helps pass the wrong.host test at https://badssl.com.
Default: yes
- ProxySpec
STRING
- Proxy specification: type listenaddr+port
[natengine|targetaddr+port|"sni"+port]. Multiple specs are
allowed, one on each line.
/usr/etc/sslsplit/sslsplit.conf
The config file facility was added by Soner Tari
<sonertari@gmail.com>.