Making an SSL-Decrypting Switch with mitmproxy

I need to decrypt SSL traffic for what amounts to a test network I need to monitor closely. I initially tried Squid, but there is basically no way to get the decrypted traffic out of Squid. Then I ran across mitmproxy, a piece of software intended for man-in-the-middle interception, which makes it very easy to get at the decrypted traffic.

Most of the guides for mitmproxy tell you how to set it up with the proxy machine as a router, which works but is inconvenient. mitmproxy won't run on pfSense or Untangle, so basically if you want to use this you have to roll your own router with Ubuntu Server (not much fun).

I've figured out how to use a Linux bridge with some redirection and shenanigans to create a totally transparent SSL intercepting proxy. The machine behaves exactly like a switch, but any HTTP/HTTPS traffic passing through it is forced through the proxy. With mitmproxy's features, you can pretty easily drop this in and write a few tshark scripts and be decrypting all your network's SSL traffic automatically for analysis in Wireshark. Obviously this is a very touchy thing to do and can be nefarious, but for testing on your own network and general fiddling around, I think it's pretty cool. (I do NOT advocate using this for malicious purposes!)

Here's my setup guide; let me know what you think!

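The bridge-plus-redirection setup the post describes, written out as an added example; this is not the author's setup guide and not mitmproxy project code. It assumes two NICs (eth1 and eth2) bridged as br0, an unused LAN address for the bridge, the LAN's default gateway, mitmproxy listening on port 8080, and the bridge-level NAT support of br_netfilter; the interface names, addresses and port are placeholders that can be overridden through the environment, and the mitmproxy flags (`--mode transparent`, `--listen-port`, `--showhost`) and the `SSLKEYLOGFILE` variable come from mitmproxy's current command line rather than from the post. The script prints its plan by default and only runs it when invoked with `apply` as root.

```shell
#!/bin/sh
# Added example (not the original post's setup guide): a command plan for a
# transparent mitmproxy bridge. Assumed: two NICs eth1/eth2 bridged as br0,
# a free LAN address for the bridge, the LAN's gateway, mitmproxy on 8080.
# Every one of these is a placeholder and can be overridden from the environment.
BRIDGE=${BRIDGE:-br0}
IF_A=${IF_A:-eth1}
IF_B=${IF_B:-eth2}
BRIDGE_IP=${BRIDGE_IP:-192.168.1.250/24}   # assumed: an unused address on the LAN
GATEWAY=${GATEWAY:-192.168.1.1}            # assumed: the LAN's default gateway
PROXY_PORT=${PROXY_PORT:-8080}

# Print the commands instead of running them so the plan can be reviewed
# first; "apply" pipes the same plan through sh -e (run it as root).
plan() {
  cat <<EOF
# 1. Bridge the two NICs so the box forwards frames like a switch.
modprobe br_netfilter
ip link add name $BRIDGE type bridge
ip link set $IF_A master $BRIDGE
ip link set $IF_B master $BRIDGE
ip link set $IF_A up
ip link set $IF_B up
ip addr add $BRIDGE_IP dev $BRIDGE
ip link set $BRIDGE up
ip route add default via $GATEWAY dev $BRIDGE
# 2. Let bridged frames traverse iptables (br_netfilter) and stop the kernel
#    from sending ICMP redirects that would give the detour away.
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
# 3. Steer only TCP/80 and TCP/443 crossing the bridge to the local proxy;
#    REDIRECT rewrites the destination to the bridge's own address, and
#    everything else is switched untouched.
iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -t nat -A PREROUTING -i $BRIDGE -p tcp --dport 443 -j REDIRECT --to-ports $PROXY_PORT
# 4. Run mitmproxy in transparent mode; SSLKEYLOGFILE makes it write the TLS
#    session keys so Wireshark can decrypt a parallel tshark capture.
SSLKEYLOGFILE=/var/log/mitm-keys.log mitmproxy --mode transparent --listen-port $PROXY_PORT --showhost
EOF
}

case "${1:-plan}" in
  apply) plan | sh -e ;;
  *)     plan ;;
esac
```

Two things worth checking before trusting it on a real segment: the REDIRECT rules only see frames that br_netfilter hands to iptables, so confirm `sysctl net.bridge.bridge-nf-call-iptables` reads 1 after the module loads, and the proxy's own outbound connections leave through br0 from the bridge address without hitting PREROUTING, which is what keeps the redirect from looping back onto itself. Only ports 80 and 443 are diverted; any other traffic, including non-HTTP TLS, passes through the bridge unmodified.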