Dynamic SSL blockpage.


Ed Schuyler

Nov 26, 2018, 7:38:10 PM
to nxfil...@googlegroups.com
**********************************************************************

Based on Ed Schuyler's contribution, Rob Asher built an RPM package for NxFilter + SSLSplit. It will take care of everything including automatic certificate generation. To find out more click the link below,


**********************************************************************

For those wondering, I've figured out how to get dynamically generated SSL certificates working for nxFilter and decided to share that with everybody.  This horrible guide will get you started towards adding a CA to your nxfilter that generates ssl certificates on the fly for all blocked sites.  Of course you still need to add this CA cert to the trusted cert store of all your systems, but that can be done via GPO in windows domains or other deployment tools if you use them or even one machine at a time if you're a masochist.  

I've managed to do this on an Ubuntu 16 install.  This will have to be adapted for other linux versions and most likely will never work on windows due to there being no windows version of sslsplit.

I'll just dump the steps I took right out of my notes.  I'll clarify and help as much as I can through feedback:

First, since I hate typing sudo all the time, I just went ahead and started a root session from the linux prompt:

sudo -i

Next, I downloaded a bunch of pre-requisite packages from apt:

apt-get -y install openssl build-essential libssl-dev libevent-dev libpcap-dev libnet-dev

Next, I made sure I was in the root home directory, and downloaded the source code for sslsplit:


I'm using the source version of sslsplit because the apt version is old and generates weak ssl certificates that some browsers complain about.

Next, I'm going to extract the download, go into its folder, build it, and plop it into the executable path:

tar -zxvf 0.5.4.tar.gz
cd sslsplit-0.5.4
make
cp sslsplit /usr/bin

Now I'm going to take a break from the sslsplit stuff and get back to it later.  It's time to set up a local certificate authority.  

First, we're going to make a ca folder and all its subfolders and basic files:

mkdir /etc/ssl/ca
cd /etc/ssl/ca
mkdir crl
mkdir newcerts
mkdir certs
mkdir private
# openssl.cnf points "serial" at a file holding the next serial number, so create it as a file
echo 1000 > serial
touch index.txt
touch private/.rand

Next, we're going to create or upload a file to /etc/ssl/ca called openssl.cnf with the following contents:

[ ca ]
default_ca = CA_default

[ CA_default ]
dir = /etc/ssl/ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand

private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem

crlnumber = $dir/crlnumber
crl_extensions = crl_ext
default_crl_days = 30

default_md = sha256

name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_default

[ policy_default ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only

default_md = sha256
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[ ocsp ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

Finally, we're going to create the CA certificate that sslsplit will need in order to do its thing:

openssl genrsa -aes256 -out /etc/ssl/ca/private/ca.key.pem
openssl req -config /etc/ssl/ca/openssl.cnf -key /etc/ssl/ca/private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out /etc/ssl/ca/certs/ca.cert.pem

You'll get prompted for a bunch of info - if you've worked with openssl for generating certificates before then this should be self explanatory.  If not, you should google that stuff because I don't remember clearly enough to guide anybody on it and didn't record the prompts in my notes.

Now, we're going to run sslsplit from the command line to make sure everything's configured properly.  Please note in the following command, the area in bold/italics/underline needs to be replaced with your system's IP (not localhost or 127.0.0.1).

/usr/bin/sslsplit -k /etc/ssl/ca/private/ca.key.pem -c /etc/ssl/ca/certs/ca.cert.pem -P https {listen ip} 8443 -d

If you get no errors, the final step in this setup is to create an iptables rule to redirect the inbound 443 traffic to sslsplit first.  

ufw enable
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

That's it.  If you go to a blocked site, you'll still get a certificate error, but there's a twist to this.  You'll notice all certificates are signed by the certificate authority you created and no longer using the same mismatched one.  All you have to do is grab that certificate authority cert and add it to your trusted root store on your workstation.  If you're in a windows domain this can be mass deployed by GPO.  

If you're good with this, then all that's left is to make these changes stick on reboot:

First, lets save the iptables:

iptables-save > /etc/iptables.up.rules

Next, let's make sure sslsplit starts up with the system.  Use nano or an editor of your choice to open /etc/rc.local and add the following line to the end:

/usr/bin/sslsplit -k /etc/ssl/ca/private/ca.key.pem -c /etc/ssl/ca/certs/ca.cert.pem -P https {listen ip} 8443 -d

I'm using this in production where I'm at and deployed the CA cert via gpo.  It's been working great and blocked https domains are no longer spitting out SSL cert errors.

Jahastech

Nov 26, 2018, 9:14:41 PM
to NxFilter
If this one works that'd be so nice. I will test it and confirm it.

Jahastech

Nov 26, 2018, 11:16:23 PM
to nxfil...@googlegroups.com
This one really works. Brilliant! Thank you for letting us know about this. Do you need something like a free license for Jahaslist? If you need it, contact me through support @ nxfilter.org.

Jahastech

Nov 26, 2018, 11:25:39 PM
to nxfil...@googlegroups.com
There are 2 corrections in OP's posting,

  apt-get-y -> apt-get -y

  https://github.com/droe/sslsplit/aarchive/0.5.4.tar.gz -> https://github.com/droe/sslsplit/archive/0.5.4.tar.gz

-------------------------------------------------------------------------------
And you need to import the /etc/ssl/ca/certs/ca.cert.pem file on IE's 'Tools > Internet Options > Content'. Click Certificates and then the Trusted Root Certification Authorities to not see the SSL warning anymore. If you use Firefox, you need to do it on Firefox one more time.

One thing to note is that I can't see the block reason on NxFilter's block page if it's on HTTPS. I guess it's because we redirected it on iptables. I will see if I can do something about it.

Michael Mast

Nov 27, 2018, 7:06:12 AM
to NxFilter
I look forward to trying this in Docker. Thanks for the writeup!

Ed Schuyler

Nov 27, 2018, 10:01:31 AM
to NxFilter
Thanks for pointing those mistakes out.  I'm not sure how to edit my post.  Do I need a special permission or am I missing something?  Feel free to edit it yourself if you've got the access to do so.

Jahastech

Nov 27, 2018, 10:08:22 AM
to NxFilter
I fixed those.

Clinger Jr. | TechNet

Nov 27, 2018, 11:35:11 AM
to NxFilter
A similar approach would not be possible on Windows using Certify the web?



Ed Schuyler

Nov 27, 2018, 1:07:58 PM
to NxFilter
Close but not quite.  In the context of my example, Certify the web would take the place of the openssl CA, but OpenSSL exists and functions nearly identically on windows already.  

What we're missing on the windows side is something with the functionality of sslsplit.  

sslsplit is a proxy that takes/intercepts ssl traffic it receives and passes it to the originally intended server.  It uses the public and private key of the CA we created with OpenSSL to generate its certificates on the fly for the https traffic it intercepts.  The on-the-fly cert generation is what sets it apart from all other proxies.  Its designed intention is to basically break SSL and allow a man-in-the-middle attack.  It can intercept and decrypt SSL traffic this way.  But when used with nxFilter, the only traffic it's intercepting is blockpage traffic - so it's just the right tool for the job.

I hope that clears a bit up.

Ed Schuyler

Nov 27, 2018, 1:43:44 PM
to NxFilter
The following tool may be able to do the same in windows:

https://www.mitmproxy.org

The only problem is I'm unsure how I'd do port redirection in windows the way iptables does it in Linux.  Perhaps a support feature that can be added to nxFilter somewhere in the config could be a checkbox and two text boxes.  The checkbox would enable support for a MITM ssl proxy.  The first textbox would be the port the proxy's listening on so the nxFilter is aware of where the actual traffic is coming in on, the second text box would be the port nxFilter is really listening on (maybe it's not important and you just need to make nxFilter listen on an alternate https port - I don't know enough about it yet for sure).  I think this would work well for nxFilter on windows with mitmproxy while the linux version would still use sslsplit and iptables.

Anybody have time to try this?

Jahastech

Nov 28, 2018, 9:53:40 PM
to NxFilter
Ed found a way of showing the block reason on HTTPS too.


By the way, the reason we don't see the block reason is that NxFilter only sees SSLsplit's IP address.

  user -> SSLsplit -> NxFilter

That's MITM.

Jahastech

Dec 3, 2018, 1:42:14 AM
to NxFilter
Ed  also found a way of showing a block page on Windows.

til...@gmail.com

Jan 11, 2019, 3:28:04 AM
to NxFilter
Does this replace all SSL certificates with the self-generated? 
Here even the authenticated users get the MITM certificate on all websites, not their original certificate.

Jahastech

Jan 11, 2019, 4:03:15 AM
to NxFilter
In my testing, it works fine. If I block Google, I get the self signed one but if I unblock it, I get the original one from Google. Is it not some kind of cache? You tried to access some site on HTTPS but you were forwarded to the login page and then after passed the login page, you still get that self signed one?

musashi ro

Jan 25, 2019, 8:09:06 AM
to NxFilter
Can anyone guide me? I tried using 18.04 but I am getting errors when building sslsplit; it says "sslsplit pkg-config not found" with some errors. I tried 16.04 but I cannot install any packages (I edited the sources file).

thanks in advance! 

Jahastech

Jan 25, 2019, 8:49:43 AM
to NxFilter
Maybe you don't have pkg-config. Try to install it,

  sudo apt-get install pkg-config

musashi ro

Jan 29, 2019, 3:51:36 AM
to NxFilter
I've installed pkg-config and followed the steps above.  I am only getting "site can't be reached" before the user logs in, which is fine for my deployment plan. My only problem now is getting the login page in HTTPS. Is this possible?

Jahastech

Jan 29, 2019, 3:55:31 AM
to NxFilter
Did you import the certificate?

Jahastech

Jan 29, 2019, 3:56:22 AM
to NxFilter
But I am not sure if you are on the right place. Did you not get SSL warning?

musashi ro

Jan 29, 2019, 4:09:00 AM
to NxFilter
Yes, I imported the ca-cert.pem using 

certutil -addstore -f "CA" <pathtocertificatefile>

I refreshed the browser and got a certificate warning. The cert still shows as issued by "block.nxfilter.org".

Do we have a discord? If possible I'd like to get further assistance on this

Jahastech

Jan 29, 2019, 4:16:29 AM
to NxFilter
I don't know what 'certutil' is. In my case, I just imported it on Firefox and Chrome and it works fine. I am not an expert for SSLSplit but you can see the connection between NxFilter and SSLSplit on your system. Or you can see some log message about finding errors on the NxFilter log file from 127.0.0.1, which is the IP address of SSLSplit.

Jahastech

Jan 29, 2019, 4:18:59 AM
to NxFilter
And what is your problem exactly? When do you get "site can't be reached" then? You get the SSL warning even if you import your certificate, then how do you get "site can't be reached"?

musashi ro

Jan 29, 2019, 4:23:18 AM
to NxFilter
Sorry for the confusion.

I get "site can't be reached" when accessing HTTPS websites, which is fine. 

I get the SSL error when accessing the login page with HTTPS (https://login.example.com:8443). If I bypass the SSL error, I get ERR_INVALID_HTTP_RESPONSE.

Jahastech

Jan 29, 2019, 4:44:27 AM
to NxFilter
The first thing, you just need to see the block page without warning. Not "site can't be reached".
  - So there's something wrong with your setup.

The second one, you can access it through HTTP if you typed the address.

Jahastech

Jan 29, 2019, 5:02:50 AM
to NxFilter
Did you change NxFilter HTTPS  to 8443?

  NxFilter should use 443
  SSLSplit uses 8443

Run SSLSplit without the -d option. It runs in the foreground and shows how it works.

musashi ro

Jan 29, 2019, 5:22:36 AM
to NxFilter
Yes, I can access it using HTTP but I prefer HTTPS. Do you have a guide for getting a certificate from Let's Encrypt and making it work with the embedded Tomcat in NxFilter? 

Jahastech

Jan 29, 2019, 5:26:26 AM
to NxFilter
Are you sure that your SSLSplit is running? In the previous message I said,

Jahastech

Jan 29, 2019, 5:43:27 AM
to nxfil...@googlegroups.com
But I don't think the login page works on https when you use sslsplit. The thing is that there's a redirection process and it seems to be making a problem. Not so sure though. We will see if there's any solution for that.

Jahastech

Jan 29, 2019, 5:49:33 AM
to NxFilter
I think this one works,


Just a full url for the login page. Then there's no redirection on https.

musashi ro

Jan 29, 2019, 5:52:03 AM
to NxFilter
I see. That's sad. Any way I can get an SSL cert using Let's Encrypt and use this certificate? I read it works with Tomcat but I'm not sure if I can do it with the embedded Tomcat in NxFilter.

(greatly appreciate all the replies)

Jahastech

Jan 29, 2019, 5:56:26 AM
to NxFilter
You mean that you want to install your own certificate? Yes. I did that several years ago for testing. But I don't remember exactly. Read this,


And find some example for Tomcat.

Ed Schuyler

Jan 29, 2019, 10:46:49 AM
to NxFilter
The problem this entire time is probably the iptables redirect rule.  I think starting with Ubuntu 18.x, the eth0 interface was renamed to something else.  If you typed in the command exactly how I wrote it, it won't redirect properly. 

Jahastech

Jan 29, 2019, 11:00:10 AM
to NxFilter
Yeah, could be but I think they can handle it. And I know at least 2 people confirmed it working.

I use one more line for the iptables rule though,

ufw enable
iptables -P INPUT ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

Ed Schuyler

Jan 29, 2019, 11:01:53 AM
to NxFilter
So just to elaborate, I have an Ubuntu server I upgraded from 16 to 18 and it messed up everything I was running.  

When I ran an ifconfig, I noticed eth0 was renamed to enp2s0 - no idea why, but that was the source of much of my grief in a similar situation.

If this were my nxfilter system, this:
ufw enable
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

Should now be this:
ufw enable
iptables -A PREROUTING -t nat -i enp2s0 -p tcp --dport 443 -j REDIRECT --to-port 8443

Disclaimer:  This exact change is untested by me.  The Ubuntu systems I'm referring to that I got this experience from weren't running nxfilter, but the interface naming issue would transcend that.
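A small check script for the setup from Ed's guide that also covers the interface-naming pitfall just described: it reads the default-route interface instead of assuming eth0, checks whether the PREROUTING redirect is present, confirms the CA cert carries the v3_ca extensions, and checks that something is listening on the sslsplit port. This is an added example, not code from the thread or from the NxFilter or sslsplit projects; it assumes Ed's CA path (/etc/ssl/ca/certs/ca.cert.pem) and port 8443, and the function names are my own.

```sh
#!/bin/sh
# Sanity check for the NxFilter + sslsplit blockpage setup from this thread.
# Added example, not from the original posts; assumes Ed's CA path and sslsplit port.
CA_CERT=/etc/ssl/ca/certs/ca.cert.pem
SSLSPLIT_PORT=8443

# Interface name from an "ip route show default" line, e.g.
#   "default via 192.168.1.1 dev enp2s0 proto dhcp metric 100" -> enp2s0
# so the rule targets the real interface instead of a hard-coded eth0.
iface_from_route() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# The PREROUTING rule from the guide, parameterised on interface and port.
redirect_rule() {
    printf 'iptables -A PREROUTING -t nat -i %s -p tcp --dport 443 -j REDIRECT --to-port %s\n' "$1" "$2"
}

# 0 if an iptables-save dump already holds the redirect for this interface/port.
# iptables-save writes the rule back as "--to-ports" even when added with "--to-port".
has_redirect() {
    printf '%s\n' "$1" |
        grep -q -- "^-A PREROUTING -i $2 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports $3\$"
}

# 0 if the CA cert carries the v3_ca extensions from openssl.cnf (CA:TRUE and
# keyCertSign); without them clients reject every leaf sslsplit generates.
ca_cert_ok() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# Live checks against the running host; iptables-save needs root.
live_check() {
    iface=$(iface_from_route "$(ip route show default | head -n 1)")
    [ -n "$iface" ] || { echo "no default route found"; return 1; }
    echo "default interface: $iface"

    if has_redirect "$(iptables-save -t nat)" "$iface" "$SSLSPLIT_PORT"; then
        echo "redirect rule present on $iface"
    else
        echo "redirect rule missing on $iface; add it with:"
        redirect_rule "$iface" "$SSLSPLIT_PORT"
    fi

    if ca_cert_ok "$CA_CERT"; then
        echo "CA cert has CA:TRUE and keyCertSign"
    else
        echo "$CA_CERT lacks CA extensions; regenerate with -extensions v3_ca"
    fi

    # Redirected 443 traffic goes nowhere unless sslsplit is listening on its port.
    if ss -lnt 2>/dev/null | grep -q ":$SSLSPLIT_PORT "; then
        echo "sslsplit listening on $SSLSPLIT_PORT"
    else
        echo "nothing listening on $SSLSPLIT_PORT; sslsplit is not running"
    fi
}

# Only run the live checks when executed directly, so the functions can be sourced.
if [ "${0##*/}" = "check_blockpage.sh" ]; then
    live_check
fi
```

Save it as check_blockpage.sh and run it as root after a reboot to see whether the rule and sslsplit came back.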

Jahastech

Jan 29, 2019, 11:02:17 AM
to NxFilter
And Charles Gunzelman might be working on a Docker image for NxFilter + SSLSplit.


Don't know when it will be available though. But if you can run it in a Docker container, it will be a lot easier.

musashi ro

Jan 30, 2019, 6:21:41 AM
to NxFilter
I finally got it working - almost, but I made progress today! Thanks Ed for pointing out the interface naming difference.

Only problem now is that the https websites don't redirect to the login page properly (https is missing from the URL). If I add https://, then I get the login page. Is this the problem you mentioned Jahastech? 

Any tips?

musashi ro

Jan 30, 2019, 7:00:28 AM
to NxFilter
Also I cannot make sslsplit stick on reboot.

musashi ro

Jan 30, 2019, 7:44:49 AM
to NxFilter
Sorry for the spam, I cannot edit posts.

I found out that logging in to the HTTPS version of the login page doesn't authenticate properly to AD. I am still getting blocks even after clearing the cache.

Jahastech

Jan 30, 2019, 7:56:42 AM
to nxfil...@googlegroups.com
Yeah, it doesn't work on https when you use sslsplit. I guess the redirection makes some problem here.

To start sslsplit on reboot, if I were you I would add the command into /etc/rc.local. But there may be a better way.

Charles Gunzelman

Feb 6, 2019, 8:23:40 PM
to nxfil...@googlegroups.com
I've added the needed components to the experimental branch of nxfilter-base. Please test and let me know if you have any issues by opening a GitHub issue.

Rob Asher

Mar 7, 2019, 10:09:47 PM
to NxFilter
Thanks to Ed pointing the way, I've added a new RPM to the repo.  It's basically an automated setup package for NxFilter with SSLsplit.  All the details can be read here:  https://www.reddit.com/r/nxfilter/comments/ayh81c/nxfilter_sslsplit_rpm/

Rob

user-01

Mar 11, 2019, 8:14:48 AM
to NxFilter
Hi, guys.

In my case it worked fine if I don't check "Enable authentication" (CONFIG > SETUP page).
After switching on "Enable authentication" I get the wrong page in my browser instead of the block page.

I think it's because with authentication enabled the embedded web server (Tomcat) redirects the client browser to login.example.com (default settings) or another domain (according to the NxFilter settings).

What do you think about it?

---
Detailed info/config:
1. OS (on server side (where nxfilter is installed)): Ubuntu server 18.10 x64 and CentOS 7.6.1810
2. OS (on client side): MS Windows 7 Professional x64
3. Web browsers (on cli.side): IE 11, G.Chrome (last ver.) and FF (last ver.)
4. Java virt.machine (on srv.side): openJDK 8 (in Ubuntu and CentOS) and 11 (in Ubuntu)
5. SSLSplit (on srv.side): 0.5.4
6. NxFilter (on srv.side): 4.3.3.8
7. OpenSSL (on srv.side): 1.1.1 (in Ubuntu) and 1.0.2k (in CentOS).

Jahastech

Mar 11, 2019, 8:30:26 AM
to NxFilter
Read this,

With v4.3.3.9, Disable Login Redirection will be working on webserver side. That'd be the solution.

user-01

Mar 11, 2019, 8:39:35 AM
to NxFilter
Hi.

Thanks.

Jahastech

May 6, 2019, 5:12:52 AM
to nxfil...@googlegroups.com
I found a comment from someone in the moderator queue. Google makes false positives with its filtering. Sorry for that. In his posting, he said the GitHub URL for SSLsplit has been changed. So I updated Ed's original posting. Thanks for the heads up.