When I give a fwdaddr, then the issue of packet looping goes away. How can this work for SSL requests coming for multiple unknown destination servers? Perhaps, I am configuring something wrong.
I see that you have a proxyspec like autossl 172.29.148.11 10025 in your sslsplit command line, but then you also use the same IP:port pair 172.29.148.11:10025 as the proxy in your curl command line. That's not how you are supposed to redirect traffic to sslsplit. You should redirect traffic using a packet filtering rule, such as the following on OpenBSD/pf:
pass in log quick on $int_if proto tcp from $int_net to !$int_if port submission divert-to lo port 8466
Note that the above rule does not redirect the traffic destined to $int_if. But in your setup you do redirect it, and in fact, that's why you get an infinite redirection, I think. I have never used autossl with http/s, and the above pf rule is for smtp, but they should be similar. You can find sample packet filter rules on the sslsplit man page.
[root@c240-wzp2322007 ~]# curl -v -x 172.29.148.11:10025 --key /root/ca.key --cert /root/ca.crt --tlsv1.2 https://172.22.254.126
curl: (56) Recv failure: Connection reset by peer
sslsplit -D -l connections.log -j /tmp/sslsplit/ -S /tmp/sslsplit/ -P -k /home/mimathew/MyClient1.key -c /home/mimathew/MyClient1.pem autossl 172.29.148.11 10025 https 172.29.148.11 8443 173.36.240.184 443 http 172.29.148.11 8080 173.36.240.184 80
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40139
Checking for a client hello
parsing buffer of sz 120
candidate at offset 0
: 43 : 4f : 4e : 4e
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40137
: 45 : 43 : 54 : 20
TCP disconnected to [172.29.148.11]:10025
: 31 : 37 : 32 : 2e
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40133
: 32 : 32 : 2e : 32 : 35
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40131
: 34
TCP disconnected from [172.29.148.11]:40135
: 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 20 : 48 : 54 : 54 : 50 : 2f : 31 : 2e
TCP disconnected to [172.29.148.11]:10025
TCP disconnected to [172.29.148.11]:10025
: 31 : 0d : 0a
TCP disconnected from [172.29.148.11]:40129
TCP disconnected to [172.29.148.11]:10025
TCP disconnected from [172.29.148.11]:40125
: 48 : 6f
TCP disconnected from [172.29.148.11]:40127
: 73 : 74 : 3a : 20 : 31 : 37 : 32 : 2e : 32 : 32 : 2e : 32 : 35 : 34 : 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 0d : 0a : 55 : 73 : 65 : 72 : 2d : 41 : 67 : 65 : 6e : 74 : 3a : 20 : 63 : 75 : 72 : 6c : 2f : 37 : 2e : 32 : 39 : 2e : 30 : 0d : 0a : 50 : 72 : 6f : 78 : 79 : 2d : 43 : 6f : 6e : 6e : 65 : 63 : 74 : 69 : 6f : 6e : 3a : 20 : 4b : 65 : 65 : 70 : 2d : 41 : 6c : 69 : 76 : 65 : 0d : 0a : 0d : 0a ===> No match: rv 1, *clienthello NULL
Peek found no ClientHello
Received privsep req type 00 sz 1 on srvsock 15
Received privsep req type 00 sz 1 on srvsock 13
Child pid 175217 exited with status 0
SSLsplit fails to find a ClientHello. This goes on in a loop and SSLsplit finally exits.
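The bytes printed while sslsplit peeks at the buffer decode to a plaintext HTTP CONNECT request (curl's proxy handshake to the `-x` address), not a TLS ClientHello, which is why autossl never finds one. The following added example (not sslsplit code) reassembles that dump and runs a header-level ClientHello check over it; the function names, the request regex and the sample ClientHello bytes are my own constructions.

```python
import re

# Constructed from the ": 43 : 4f ..." fragments in the sslsplit -D output above,
# with the interleaved "TCP disconnected" lines removed (120 bytes, as the log says).
LOG_HEX = """
: 43 : 4f : 4e : 4e : 45 : 43 : 54 : 20 : 31 : 37 : 32 : 2e : 32 : 32 : 2e : 32 : 35
: 34 : 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 20 : 48 : 54 : 54 : 50 : 2f : 31 : 2e
: 31 : 0d : 0a : 48 : 6f : 73 : 74 : 3a : 20 : 31 : 37 : 32 : 2e : 32 : 32 : 2e : 32
: 35 : 34 : 2e : 31 : 32 : 36 : 3a : 34 : 34 : 33 : 0d : 0a : 55 : 73 : 65 : 72 : 2d
: 41 : 67 : 65 : 6e : 74 : 3a : 20 : 63 : 75 : 72 : 6c : 2f : 37 : 2e : 32 : 39 : 2e
: 30 : 0d : 0a : 50 : 72 : 6f : 78 : 79 : 2d : 43 : 6f : 6e : 6e : 65 : 63 : 74 : 69
: 6f : 6e : 3a : 20 : 4b : 65 : 65 : 70 : 2d : 41 : 6c : 69 : 76 : 65 : 0d : 0a : 0d
: 0a
"""

# Constructed, truncated TLS record: type 0x16 (handshake), version 3.1 on the
# record layer, first handshake message type 0x01 (ClientHello), version 3.3.
SAMPLE_CLIENT_HELLO = bytes.fromhex("1603010006" "01000002" "0303")


def dump_to_bytes(dump: str) -> bytes:
    """Parse the ': xx' byte fragments sslsplit prints while peeking at a buffer."""
    return bytes(int(h, 16) for h in re.findall(r": ([0-9a-fA-F]{2})", dump))


def is_tls_client_hello(buf: bytes) -> bool:
    """Header-level check: TLS record of type handshake (0x16), record version
    3.0..3.3, and the first handshake message is a ClientHello (0x01)."""
    return (len(buf) >= 6 and buf[0] == 0x16 and buf[1] == 0x03
            and buf[2] <= 0x03 and buf[5] == 0x01)


def classify_peek(buf: bytes) -> str:
    """The decision an autossl-style peek has to make on the first bytes."""
    if is_tls_client_hello(buf):
        return "tls-clienthello"
    if re.match(rb"[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n", buf):
        return "http-request"  # e.g. the proxy-style CONNECT seen in the log
    return "unknown"


if __name__ == "__main__":
    peeked = dump_to_bytes(LOG_HEX)
    print(peeked.decode("ascii"))
    print("verdict:", classify_peek(peeked))  # http-request: no ClientHello to find
```

Traffic that reaches sslsplit via a packet-filter redirect arrives as the raw TLS ClientHello, so the same check returns "tls-clienthello" and autossl can proceed.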