Provided by: sslsplit_0.5.5-2.1build2_amd64

NAME

       sslsplit.conf - Configuration file for SSLsplit

DESCRIPTION

       The file sslsplit.conf configures SSLsplit, sslsplit(1).

FILE FORMAT

       The file consists of comments and options with arguments. Each line that starts with a
       hash (#) symbol is ignored by the parser. Options and arguments are of the form Option
       Argument. The arguments are of the following types:

       BOOL   Boolean value (yes/no).

       STRING String.

DIRECTIVES

       When an option is not used (commented out with a hash or absent from the configuration
       file) sslsplit takes a default action. If an option does not have a command line
       equivalent, the -o opt=val option can be used to override it on the command line.

       CACert STRING
              Use CA cert (and key) to sign forged certs. Equivalent to -c command line option.

       CAKey STRING
              Use CA key (and cert) to sign forged certs. Equivalent to -k command line option.

       ClientCert STRING
              Use cert from pemfile when destination requests client certs. Equivalent to -a
              command line option.

       ClientKey STRING
              Use key from pemfile when destination requests client certs. Equivalent to -b
              command line option.

       CAChain STRING
              Use CA chain from pemfile (intermediate and root CA certs). Equivalent to -C
              command line option.

       LeafKey STRING
              Use key from pemfile for generating leaf certs. Equivalent to -K command line
              option.
              Default: generate

       LeafCRLURL STRING
              Use URL as CRL distribution point for all forged leaf certs. Equivalent to -q
              command line option.

       LeafCertDir STRING
              Use cert+chain+key PEM files from certdir to target all sites matching the common
              names (non-matching: generate if CA). Equivalent to -t command line option.

       DefaultLeafCert STRING
              Use cert+chain+key from PEM file for leaf certificates if there is no match in
              LeafCertDir. Equivalent to -A command line option.

       WriteGenCertsDir STRING
              Write leaf key and only generated certificates to gendir. Equivalent to -w command
              line option.

       WriteAllCertsDir STRING
              Write leaf key and all certificates to gendir. Equivalent to -W command line
              option.

       DenyOCSP BOOL
              Deny all OCSP requests on all proxyspecs. Equivalent to -O command line option.

       Passthrough BOOL
              Passthrough SSL connections if they cannot be split because of client cert auth or
              no matching cert and no CA. Equivalent to -P command line option.
              Default: drop

       DHGroupParams STRING
              Use DH group params from pemfile. Equivalent to -g command line option.
              Default: keyfiles or auto

       ECDHCurve STRING
              Use ECDH named curve. Equivalent to -G command line option.
              Default: prime256v1

       SSLCompression BOOL
              Enable/disable SSL/TLS compression on all connections. Equivalent to -Z command
              line option.

       ForceSSLProto STRING
              Force SSL/TLS protocol version only. Equivalent to -r command line option.
              Default: all

       DisableSSLProto STRING
              Disable SSL/TLS protocol version. Equivalent to -R command line option.
              Default: none

       Ciphers STRING
              Use the given OpenSSL cipher suite spec. Equivalent to -s command line option.
              Default: ALL:-aNULL

       OpenSSLEngine STRING
              The OpenSSL engine to activate, either the ID or the full path to the shared
              library implementing the engine. If an ID is given, the engine needs to be known
              to the system-wide OpenSSL configuration. Only available if built against a
              version of OpenSSL with engine support. Equivalent to -x command line option.

       NATEngine STRING
              Specify default NAT engine to use. Equivalent to -e command line option.

       User STRING
              Drop privileges to user. Equivalent to -u command line option.
              Default: nobody, if run as root

       Group STRING
              Drop privileges to group. Equivalent to -m command line option.
              Default: Primary group of user

       Chroot STRING
              chroot() to jaildir (impacts sni proxyspecs, see sslsplit(1)). Equivalent to -j
              command line option.

       PidFile STRING
              Write pid to file. Equivalent to -p command line option.

       ConnectLog STRING
              Connect log: log one line summary per connection to logfile. Equivalent to -l
              command line option.

       ContentLog STRING
              Content log: full data to file or named pipe (excludes
              ContentLogDir/ContentLogPathSpec). Equivalent to -L command line option.

       ContentLogDir STRING
              Content log: full data to separate files in dir (excludes
              ContentLog/ContentLogPathSpec). Equivalent to -S command line option.

       ContentLogPathSpec STRING
              Content log: full data to separate files with % substitution (excludes
              ContentLog/ContentLogDir). Equivalent to -F command line option.

       LogProcInfo BOOL
              Look up local process owning each connection for logging. Equivalent to -i command
              line option.

       PcapLog STRING
              Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec). Equivalent to
              -X command line option.

       PcapLogDir STRING
              Pcap log: packets to separate files in dir (excludes PcapLog/PcapLogPathSpec).
              Equivalent to -Y command line option.

       PcapLogPathSpec STRING
              Pcap log: packets to separate files with % substitution (excludes
              PcapLog/PcapLogDir). Equivalent to -y command line option.

       MirrorIf STRING
              Mirror packets to interface. Equivalent to -I command line option.

       MirrorTarget STRING
              Mirror packets to target address (used with MirrorIf). Equivalent to -T command
              line option.

       MasterKeyLog STRING
              Log master keys to logfile in SSLKEYLOGFILE format. Equivalent to -M command line
              option.

       Daemon BOOL
              Daemon mode: run in background, log error messages to syslog. Equivalent to -d
              command line option.

       Debug BOOL
              Debug mode: run in foreground, log debug messages on stderr. Equivalent to -D
              command line option.

       VerifyPeer BOOL
              Verify peer using default certificates.
              Default: no

       AddSNIToCertificate BOOL
              When disabled, never add the SNI to forged certificates, even if the SNI provided
              by the client does not match the server certificate's CN/SAN. Helps pass the
              wrong.host test at https://badssl.com.
              Default: yes

       ProxySpec STRING
              Proxy specification: type listenaddr+port [natengine|targetaddr+port|"sni"+port].
              Multiple specs are allowed, one on each line.
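       As an added example (not part of this man page or of SSLsplit itself), a small Python linter
       for the file format described above: it skips hashed-out lines, splits each line into Option
       and Argument, type-checks BOOL values, collects repeated ProxySpec lines, and reports the
       mutually exclusive ContentLog*/PcapLog* directives. The sample config, its paths and
       addresses are constructed placeholders.

```python
"""Lint an sslsplit.conf-style file. Added example, not SSLsplit's own parser.
Rules from the man page: '#' lines are ignored, each line is 'Option Argument',
BOOL is yes/no, ProxySpec may repeat, ContentLog*/PcapLog* exclude each other."""

BOOL_OPTS = {"DenyOCSP", "Passthrough", "SSLCompression", "LogProcInfo",
             "Daemon", "Debug", "VerifyPeer", "AddSNIToCertificate"}
STRING_OPTS = set("""CACert CAKey ClientCert ClientKey CAChain LeafKey LeafCRLURL
    LeafCertDir DefaultLeafCert WriteGenCertsDir WriteAllCertsDir DHGroupParams
    ECDHCurve ForceSSLProto DisableSSLProto Ciphers OpenSSLEngine NATEngine User
    Group Chroot PidFile ConnectLog ContentLog ContentLogDir ContentLogPathSpec
    PcapLog PcapLogDir PcapLogPathSpec MirrorIf MirrorTarget MasterKeyLog
    ProxySpec""".split())
EXCLUSIVE = [tuple(p + s for s in ("", "Dir", "PathSpec")) for p in ("ContentLog", "PcapLog")]

def parse_conf(text):
    # Returns (options, errors); options maps Option -> value, ProxySpec -> list.
    opts, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or hashed-out line
        parts = line.split(None, 1)
        if len(parts) != 2:
            errors.append(f"line {lineno}: missing argument for {parts[0]}")
        elif parts[0] in BOOL_OPTS:
            if parts[1].lower() in ("yes", "no"):
                opts[parts[0]] = parts[1].lower() == "yes"
            else:
                errors.append(f"line {lineno}: {parts[0]} must be yes/no")
        elif parts[0] == "ProxySpec":
            opts.setdefault("ProxySpec", []).append(parts[1])   # one spec per line
        elif parts[0] in STRING_OPTS:
            opts[parts[0]] = parts[1]
        else:
            errors.append(f"line {lineno}: unknown option {parts[0]}")
    for family in EXCLUSIVE:                          # "excludes ..." rules
        used = [o for o in family if o in opts]
        if len(used) > 1:
            errors.append("mutually exclusive: " + ", ".join(used))
    return opts, errors

# Constructed sample; paths and addresses are placeholders, not from the page.
SAMPLE = """CACert /etc/sslsplit/ca.crt
# CAKey /etc/sslsplit/ca.key
DenyOCSP yes
Passthrough maybe
ContentLog /var/log/sslsplit/content.log
ContentLogDir /var/log/sslsplit/content
ProxySpec https 127.0.0.1 8443 sni 443
ProxySpec ssl 127.0.0.1 8993 127.0.0.1 993
Frobnicate 1
"""
```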

FILES

       /etc/sslsplit/sslsplit.conf

AUTHOR

       The config file facility was added by Soner Tari <sonertari@gmail.com>.

SEE ALSO

       sslsplit(1)