scslab / tcpcrypt Goto Github PK

This project forked from sorbo/tcpcrypt

Fast TCP encryption

License: Other

Emacs Lisp 0.04% Shell 1.79% C 91.46% Objective-C 1.03% Assembly 2.38% Makefile 1.01% Batchfile 0.07% Groff 0.89% M4 0.96% C++ 0.38%

tcpcrypt's Introduction

Tcpcrypt

Tcpcrypt is a protocol that attempts to encrypt (almost) all of your network traffic. Unlike other security mechanisms, Tcpcrypt works out of the box: it requires no configuration, no changes to applications, and your network connections will continue to work even if the remote end does not support Tcpcrypt, in which case connections will gracefully fall back to standard clear-text TCP.

Tcpcrypt supports Linux, Mac OS X, Windows, and FreeBSD.

For more information, see tcpcrypt.org.

Installing tcpcrypt

git clone git://github.com/scslab/tcpcrypt.git
cd tcpcrypt
./bootstrap.sh
./configure
make
sudo ./launch_tcpcryptd.sh

The launch script starts tcpcryptd and adds firewall rules to divert all TCP traffic on port 80 to tcpcryptd. When the script exits (on Ctrl-C or kill), it restores your firewall config to its former state -- no permanent changes are made.

On Linux, you must first install libnfnetlink, libnetfilter_queue, and libcap.

Optional: running make install will install libtcpcrypt and tcpcrypt headers, for building apps that use tcpcrypt's session ID.

Try it out

Go to http://tcpcrypt.org/test.php with tcpcryptd running. If tcpcrypt is working, you'll be able to join the tcpcrypt Hall of Fame and your tcpcrypt session ID will be displayed at the bottom of the page.

Now let's examine the packets going over the wire by starting tcpdump and then reloading the URL above.

sudo tcpdump -X -s0 host tcpcrypt.org

Compare this tcpdump output, which appears encrypted (or at least unreadable), with the cleartext packets you would see without tcpcryptd running.

Troubleshooting

If it's not working, the most likely causes are the following.

Your browser already had an open, non-tcpcrypted TCP connection to tcpcrypt.org before you ran the launch script. Quit and reopen your browser, wait 30 seconds, or use a different browser to retrieve the tcpcrypt.org URL.
There's a conflict with your existing firewall rules. See the firewall setup section in the install guide for your platform.

Visit http://wiki.github.com/scslab/tcpcrypt/troubleshooting if you're still unable to make it work.

More info

The INSTALL-* files have more detailed installation and firewall setup instructions. See tcpcrypt.org for general info, including the protocol specification and the tcpcrypt paper, "The case for ubiquitous transport-level encryption", presented at USENIX Security 2010.

The code repository lives at http://github.com/scslab/tcpcrypt.

tcpcrypt's People

Contributors

Stargazers

Watchers

tcpcrypt's Issues

fatal error: 'openssl/err.h' file not found

Hi,

I tried to install it on Mac 10.13.3. But, an error occured!

➜  tcpcrypt git:(master) make
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-am
gcc -DHAVE_CONFIG_H -I.    -I./src -I./include -I./src -g -O2 -Wall -Wno-deprecated-declarations -MT src/src_tcpcryptd-tcpcryptd.o -MD -MP -MF src/.deps/src_tcpcryptd-tcpcryptd.Tpo -c -o src/src_tcpcryptd-tcpcryptd.o `test -f 'src/tcpcryptd.c' || echo './'`src/tcpcryptd.c
src/tcpcryptd.c:15:10: fatal error: 'openssl/err.h' file not found
#include <openssl/err.h>
         ^~~~~~~~~~~~~~~
1 error generated.
make[1]: *** [src/src_tcpcryptd-tcpcryptd.o] Error 1
make: *** [all] Error 2

Could anyone help me?

Thanks

src/tcpcrypt.c:4110]: (error) Resource leak: f

Source code is

if (seed) {
    srand(seed);
    xprintf(XP_DEBUG, "Random seed set to %u\n", seed);
} else {
    errx(1, "Could not provide random seed");
}

}

Suggest add call to fclose( f).

Build fails with libpcap 1.9.0

Hello, tcpcrypt 0.5 builds fine for me on macOS High Sierra if I use the version of libpcap that ships with macOS in /usr.

However, if I try to use libpcap 1.9.0 as installed by MacPorts in /opt/local, then the build of tcpcrypt fails with:

libtool: link: ccache /usr/bin/clang -I./src -I./include -I./src -pipe -Os -arch x86_64 -Wall -Wno-deprecated-declarations -Wl,-headerpad_max_install_names -arch x86_64 -o src/tcpcryptd src/tcpcryptd-tcpcryptd.o src/tcpcryptd-tcpcrypt.o src/tcpcryptd-crypto.o src/tcpcryptd-crypto_aes.o src/tcpcryptd-crypto_hmac.o src/tcpcryptd-crypto_dummy.o src/tcpcryptd-profile.o src/tcpcryptd-checksum.o src/tcpcryptd-test.o src/tcpcryptd-crypto_hkdf.o src/tcpcryptd-crypto_reg.o src/tcpcryptd-crypto_ecdhe.o src/tcpcryptd-util.o shared/src_tcpcryptd-socket_address.o unix/src_tcpcryptd-priv.o src/tcpcryptd-freebsd.o src/tcpcryptd-unix.o  -L/opt/local/lib -lpcap -lcrypto -lpthread
Undefined symbols for architecture x86_64:
  "_pcap_set_filter_info", referenced from:
      _divert_open_pcap in tcpcryptd-unix.o
  "_pcap_set_want_pktap", referenced from:
      _divert_open_pcap in tcpcryptd-unix.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [src/tcpcryptd] Error 1

Web site security

No SSL on the web site and no hashes on the binaries
https://letsencrypt.org/

Tcpcrypt low performance

Hi
I want to use tcpcrypt instead of SSL in my apache web server, but HTTPS performance is 10x better than tcpcrypt.
On ubuntu server 16.10 with apache Jmeter and tcpcrypt, average sample time (The number of milliseconds that the server took to fully serve the request ) is 200 ms! with using https, average is 18-20 ms. the same issue for connect time: 78 ms for HTTPS vs. 1026 for tcpcrypt.
Is there any solution?
Warning messages from tcpcrypt:
Webserver side: Can't find RDR
client (apache jmeter) side: No timestamp provided in packet - expect low performance due to calls to gettimeofday

tcpcrypt.org web site is offline

The web site is offline because none of the nameservers for the domain name can be reached.

$ dig A tcpcrypt.org
	
; <<>> DiG 9.10.6 <<>> A tcpcrypt.org
;; global options: +cmd
;; connection timed out; no servers could be reached

Is this still an active project ?

hi, can somebody categorize the level of maturity of the protocol, is it used exercised actively by some ? which outfits ? etc

thanks

-Charles

Windows service wont start

The service is deleted immediately after launch for inexplicable reasons.

Event ID 7000 in Service Control Manager
The system cannot find the file specified.

OSX version DOA

Instructions for use of binary do not provide the name of the "launcher" app.
Launching via the "launcher" app requires a user button-press, making it needlessly difficult to make tcpcrypt run automagically at startup.
It doesn't work anyway, the test page times out and fails. No log entries that appear to be associated with TCPCRYPT. Mac firewall is turned off.
Does it require a restart after installation? Not stated.