How to Create a Transparent SSL Forward Proxy using SSLsplit on CentOS 7.x to Capture/Sniff SSL packets

We want to take a packet capture of network traffic from a server, but cannot read the SSL/TLS traffic because it is encrypted. This tutorial shows how to install SSLsplit as a transparent SSL forward proxy to capture encrypted traffic, essentially creating a man-in-the-middle for troubleshooting and debugging. Keep in mind that this method doesn’t work on all sites (clients that pin certificates or otherwise refuse the substituted certificate will fail to connect), but it can be a useful tool on your networking tool belt.


  • CentOS 7.x minimal install (note: CentOS 6.x is not supported by SSLsplit)
  • EPEL for CentOS 7
  • A Windows server for our testing with Internet Explorer. You may use other SSL initiators


1. Download Latest Version of EPEL and install

  • We’re downloading our version from

# wget
# rpm -ivh epel-release-7-5.noarch.rpm


2. Install SSLsplit via yum

# yum install sslsplit -y


3. Generate SSLSplit Root CA Certificate

  • The following commands generate an RSA private key with OpenSSL (4096 bits as written below; a 2048-bit key also works) and a self-signed CA certificate, valid for 365 days, from that private key. You can accept the defaults when prompted for the certificate subject fields

# mkdir ~/sslsplit-keys
# openssl genrsa -out ~/sslsplit-keys/ca.key 4096
# openssl req -new -x509 -days 365 -key ~/sslsplit-keys/ca.key -out ~/sslsplit-keys/ca.crt


4. Enable IP Forwarding in Linux

# sysctl -w net.ipv4.ip_forward=1

  • Make it permanent by adding the following line to /etc/sysctl.conf

net.ipv4.ip_forward = 1


5. Remove Firewalld and Replace with IPTables

  • For simplicity’s sake, let’s fall back to the original CentOS IPTables. You may translate the following entries to firewalld if you are familiar with it
# systemctl disable firewalld
# yum install iptables-services
# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/ip6tables 
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables
  • Redirect incoming HTTP and HTTPS (ports 80 and 443) to the ports SSLsplit will listen on (8080 and 8443) and open all four ports in IPTables by issuing the following commands

# iptables -t nat -F
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
# service iptables save

  • Restart iptables

# service iptables restart

  • Check that the rules were saved properly

# cat /etc/sysconfig/iptables

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
# Completed on Tue Dec 30 13:21:19 2014
# Generated by iptables-save v1.4.21 on Tue Dec 30 13:21:19 2014
:OUTPUT ACCEPT [49:4944]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
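As an added check for step 5 (not part of the original post), this Python script parses iptables-save output like the listing above and reports which of the REDIRECT/ACCEPT rules this setup needs are missing, and whether any INPUT ACCEPT has ended up below the catch-all REJECT, where it would never match. The sample listing is constructed, and inferring the table from the chain name when the *nat/*filter headers are absent (as in the excerpt above) is an assumption of the script.

```python
import re
# Constructed sample modelled on the iptables-save output shown in step 5, with the
# *nat / *filter headers and COMMIT lines that iptables-save normally prints.
SAMPLE_IPTABLES_SAVE = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Rules the SSLsplit setup needs, as (table, chain, dport, target, to_ports).
EXPECTED = [
    ("nat", "PREROUTING", 80, "REDIRECT", "8080"), ("nat", "PREROUTING", 443, "REDIRECT", "8443"),
    ("filter", "INPUT", 80, "ACCEPT", None), ("filter", "INPUT", 443, "ACCEPT", None),
    ("filter", "INPUT", 8080, "ACCEPT", None), ("filter", "INPUT", 8443, "ACCEPT", None),
]
RULE_RE = re.compile(r"^-A (\S+)(?: .*?--dport (\d+))?.* -j (\S+)(?: --to-ports (\d+))?")

def parse_rules(text):
    """Return (table, chain, dport, target, to_ports) tuples in file order."""
    table, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):                     # "*nat" / "*filter" table header
            table = line[1:].strip()
        m = RULE_RE.match(line)
        if m:
            chain, dport, target, to_ports = m.groups()
            # No header seen (as in the page's excerpt): infer the table from the chain.
            tbl = table or ("nat" if chain == "PREROUTING" else "filter")
            rules.append((tbl, chain, int(dport) if dport else None, target, to_ports))
    return rules

def check_sslsplit_rules(text):
    """Report expected rules that are absent and INPUT ACCEPTs placed after a catch-all REJECT/DROP."""
    rules = parse_rules(text)
    missing = [e for e in EXPECTED if e not in rules]
    shadowed, seen_reject = [], False
    for _, _, dport, target, _ in [r for r in rules if r[:2] == ("filter", "INPUT")]:
        if target in ("REJECT", "DROP") and dport is None:
            seen_reject = True                       # nothing after this rule is reached
        elif target == "ACCEPT" and seen_reject and dport is not None:
            shadowed.append(dport)
    return {"missing": missing, "shadowed": shadowed}
```

Feed it the real file with `iptables-save | python3 check_rules.py` style plumbing, or call check_sslsplit_rules() on the contents of /etc/sysconfig/iptables; an empty "missing" and "shadowed" list means the redirection rules are in place and ordered correctly.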

6. Start SSLsplit

  • Execute the following to start SSLsplit.
  • Options: -D = run in the foreground with debug output, -l = connection log file, -S = directory for the captured content logs, -k = CA private key, -c = CA certificate. The trailing ssl 8443 tcp 8080 tells SSLsplit to listen on the two ports the IPTables rules redirect to

# sslsplit -D -l connections.log -S ~/sslsplit-logs/ -k ~/sslsplit-keys/ca.key -c ~/sslsplit-keys/ca.crt ssl 8443 tcp 8080
Generated RSA key for leaf certs.
SSLsplit 0.4.8 (built 2014-09-30)
Copyright (c) 2009-2014, Daniel Roethlisberger <[email protected]>

NAT engines: netfilter* tproxy
compiled against OpenSSL 1.0.1e 11 Feb 2013 (1000105f)
rtlinked against OpenSSL 1.0.1e-fips 11 Feb 2013 (1000105f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using direct access workaround when loading certs
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
4 CPU cores detected
- []:8080 tcp plain netfilter
- []:8443 ssl plain netfilter
Loaded CA: '/C=CA/ST=ON/L=Toronto/O=Default Company Ltd/OU=IT'
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
0x7f39155cd970 [fd 7] Read Persist
0x7f39155cdbd0 [fd 8] Read Persist
0x7f39155d0670 [fd 9] Read Persist
0x7f39155cd7a8 [fd 6] Read Persist
0x7f39155d0700 [fd 3] Signal Persist
0x7f39155d0940 [fd 1] Signal Persist
0x7f39155d0a70 [fd 2] Signal Persist
0x7f39155d0ba0 [fd 13] Signal Persist
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.


7. Install CA Certificate on Windows Machine

  • Install the ca.crt certificate created in step 3 on the Windows machine under Trusted Root Certification Authorities


8. Repoint Certain Domains With the Windows Hosts File

  • Modify the hosts file in c:\windows\system32\drivers\etc\hosts and add entries for the domains whose SSL traffic you would like to sniff. For our example, we would like to sniff LinkedIn. Add the following to your hosts file:

# Change the IP address below to your SSLsplit server IP

9. Use Internet Explorer to Go and Test

  • Use Internet Explorer on the destination computer and browse to an https site for one of the repointed domains. The captured traffic should be logged in the ~/sslsplit-logs folder on the SSLsplit server

