precursor

Members
  • Posts

    2
  • Joined

  • Last visited

Recent Profile Visitors

311 profile views

precursor's Achievements

Newbie

Newbie (1/14)

  1. I forgot to post the debug output from sslsplit:

         Generated RSA key for leaf certs.
         SSLsplit 0.4.9 (built 2015-03-10)
         Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
         http://www.roe.ch/SSLsplit
         Build info: V:FILE
         Features: -DHAVE_NETFILTER
         NAT engines: netfilter* tproxy
         netfilter: IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
         compiled against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
         rtlinked against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
         TLS Server Name Indication (SNI) supported
         OpenSSL is thread-safe with THREADID
         Using SSL_MODE_RELEASE_BUFFERS
         SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
         OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
         compiled against libevent 2.0.22-stable
         rtlinked against libevent 2.0.22-stable
         2 CPU cores detected
         proxyspecs:
         - [0.0.0.0]:8080 tcp plain netfilter
         - [0.0.0.0]:8443 ssl plain netfilter
         Loaded CA: '/C=US/ST=UT/O=Internet Widgits Pty Ltd/CN=Someone'
         Using libevent backend 'epoll'
         Event base supports: edge yes, O(1) yes, anyfd no
         Inserted events:
         0x12054b0 [fd 7] Read Persist
         0x1208740 [fd 8] Read Persist
         0x12088f0 [fd 9] Read Persist
         0x12052e8 [fd 6] Read Persist
         0x1208980 [fd 3] Signal Persist
         0x1208bc0 [fd 1] Signal Persist
         0x1208cf0 [fd 2] Signal Persist
         0x1208e20 [fd 13] Signal Persist
         Initialized 4 connection handling threads
         Started 4 connection handling threads
         Starting main event loop.
         Connecting to [199.117.103.168]:80
         tcp [192.168.0.22]:19970 [199.117.103.168]:80
         SNI peek: [n/a] [complete]
         Connecting to [134.170.178.197]:443
         ===> Original server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
         Certificate cache: MISS
         ===> Forged server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
         ssl [192.168.0.22]:5808 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         Garbage collecting caches started.
         Garbage collecting caches done.
         SNI peek: [n/a] [complete]
         Connecting to [134.170.178.64]:443
         ===> Original server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
         Certificate cache: HIT
         ===> Forged server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
         ssl [192.168.0.22]:48310 [134.170.178.64]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         SNI peek: [n/a] [complete]
         Connecting to [65.55.42.33]:443
         SNI peek: [n/a] [complete]
         Connecting to [65.55.42.33]:443
         SNI peek: [n/a] [complete]
         Connecting to [157.56.70.154]:443
         ===> Original server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
         Certificate cache: MISS
         ===> Forged server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
         ssl [192.168.0.22]:32910 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         SNI peek: [n/a] [complete]
         Attempt reuse dst SSL session
         Connecting to [134.170.178.197]:443
         ===> Original server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
         Certificate cache: HIT
         ===> Forged server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
         ssl [192.168.0.22]:29356 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
         ===> Original server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
         Certificate cache: HIT
         ===> Forged server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
         ssl [192.168.0.22]:28325 [157.56.70.154]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
         ===> Original server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
         Certificate cache: HIT
         ===> Forged server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
         ssl [192.168.0.22]:25598 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         SNI peek: [n/a] [complete]
         Connecting to [172.230.192.227]:443
         SNI peek: [n/a] [complete]
         Attempt reuse dst SSL session
         Connecting to [65.55.42.33]:443
         ===> Original server certificate:
         Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
         Common Names: *.xbox.com/*.xbox.com
         Fingerprint: fa:36:ff:8e:70:87:3d:52:3b:65:23:43:65:63:36:5e:4f:24:a6:eb
         Certificate cache: MISS
         ===> Forged server certificate:
         Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
         Common Names: *.xbox.com/*.xbox.com
         Fingerprint: 44:4c:08:75:ea:66:05:74:ff:37:de:d0:15:2e:bb:c2:26:e3:12:76
         ssl [192.168.0.22]:10291 [172.230.192.227]:443 sni:- crt:*.xbox.com/*.xbox.com origcrt:*.xbox.com/*.xbox.com
         ===> Original server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
         Certificate cache: HIT
         ===> Forged server certificate:
         Subject DN: /CN=*.xboxlive.com
         Common Names: *.xboxlive.com
         Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
         ssl [192.168.0.22]:57485 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         Unclean SSL shutdown.
         SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
         SSL_free() in state 00000003 = 0003 = SSLOK (SSL negotiation finished successfully) [connect socket]
         Garbage collecting caches started.
         Garbage collecting caches done.
         ^CReceived signal 2
         Main event loop stopped.
  2. I'm attempting to sniff my Xbox 360's traffic and see the cleartext data sent over HTTPS+SSL. My Xbox 360's local IP address is 192.168.0.22. My attacker Arch Linux box's address is 192.168.0.18. I have installed dsniff and SSLsplit on the attacker box and am performing an ARP cache poisoning attack using the following commands simultaneously in two terminal windows:

         arpspoof -i enp0s25 -t 192.168.0.1 192.168.0.22
         arpspoof -i enp0s25 -t 192.168.0.22 192.168.0.1

     I created a fake certificate using the following commands:

         openssl genrsa -out ca.key 4096
         openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

     I am running sslsplit like this:

         sslsplit -D -l connections.log -j /var/log/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

     When I log in to XBL on the 360, I see non-SSL traffic over port 80 in the logs, but the SSL traffic over port 443 has log files with nothing in them (size=0KB). My guess is there is a problem with my certificate: it's not able to verify that it has been signed by a Root CA. Do you know of a way to fix this issue? If that's not the issue, what is and how can I fix it? Thanks for your help.
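
The debug output in the first post records, for every intercepted connection, an `ssl [...]` line and the handshake state in which each SSL object was freed. As an added example (not part of the original posts and not SSLsplit's own code), this script tallies those states per side; the sample log is constructed in the same format, with placeholder addresses and names.

```python
import re
from collections import Counter

# Constructed sample in the format of the sslsplit -D output quoted above
# (addresses and host names are placeholders, not values from the post).
SAMPLE = """\
ssl [192.0.2.22]:5808 [198.51.100.7]:443 sni:- crt:*.example.com origcrt:*.example.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
ssl [192.0.2.22]:5809 [198.51.100.8]:443 sni:- crt:*.example.com origcrt:*.example.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SSL_free() in state 00000003 = 0003 = SSLOK (SSL negotiation finished successfully) [connect socket]
"""

# "ssl [client]:port [server]:port ..." is logged once per intercepted TLS connection.
CONN = re.compile(r"^ssl \[(?P<src>[^\]]+)\]:\d+ \[(?P<dst>[^\]]+)\]:(?P<port>\d+) ")
# "accept socket" is the proxy's client-facing side, "connect socket" its server-facing side.
FREE = re.compile(
    r"^SSL_free\(\) in state [0-9a-fA-F]+ = .* = (?P<code>\S+) "
    r"\((?P<desc>[^)]*)\) \[(?P<side>accept|connect) socket\]$"
)

def summarize(log_text):
    """Tally intercepted connections and the handshake state each side ended in."""
    result = {"connections": Counter(), "accept": Counter(), "connect": Counter()}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CONN.match(line)
        if m:
            result["connections"][f"{m['dst']}:{m['port']}"] += 1
            continue
        m = FREE.match(line)
        if m:
            result[m["side"]][m["code"]] += 1
    return result

def client_side_completed(summary):
    """True only if at least one client-facing handshake reached SSLOK."""
    return summary["accept"].get("SSLOK", 0) > 0

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(dict(s["accept"]), dict(s["connect"]), client_side_completed(s))
```

When every accept-side entry stops at 3RCKEA while the connect side reaches SSLOK, the client ended each handshake after being sent the forged certificate and before sending its key exchange, so there was no decrypted payload to log.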