# Install sslsplit with Homebrew, apt, dnf, Nix, pacman

Man-in-the-middle attacks against SSL encrypted network connections. Version 0.5.5 via Homebrew; verified 2026-06-22.

## Install

```sh
sudo av install brew:sslsplit
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install sslsplit
```

  Evidence: local Homebrew formula metadata

### Linux

- Debian apt (92%):

```sh
sudo apt install sslsplit
```

  Evidence: Debian stable package indexes: sslsplit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install sslsplit
```

  Evidence: Fedora Rawhide package metadata: sslsplit from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#sslsplit
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ss/sslsplit/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S sslsplit
```

  Evidence: Arch Linux sync databases: sslsplit from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

## Package facts

- **Package key:** brew:sslsplit
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/sslsplit>
- **Version:** 0.5.5
- **Source summary:** Man-in-the-middle attacks against SSL encrypted network connections
- **Homepage:** <https://www.roe.ch/SSLsplit>
- **Repository:** <https://github.com/droe/sslsplit>
- **Upstream docs:** <https://github.com/droe/sslsplit#readme>
- **License:** BSD-2-Clause
- **Source archive:** <https://github.com/droe/sslsplit/archive/refs/tags/0.5.5.tar.gz>
- **Last updated:** 2026-06-22T14:06:22-07:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- sslsplit (cli)
- sslsplit (alias)

## Dependencies

- libevent
- libnet
- libpcap
- openssl@3

## Build dependencies

- check
- pkgconf

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, monterey, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.5.5
- Package-manager updated: 2026-06-22
- Local data: ok
- Upstream repository: https://github.com/droe/sslsplit
- Upstream latest detected: 0.5.5 (current)
## Project history and usage

SSLsplit is a transparent SSL/TLS interception tool for network forensics, application security analysis, and penetration testing. It is packaged because it combines low-level NAT integration, forged-certificate TLS interception, and forensic logging in a single Unix-style command.

### Project history

The official project page says SSLsplit is developed by Daniel Roethlisberger and contributors and was first publicly released as 0.4.2 in 2012. Its README says it was inspired by Claes M. Nyberg's mitm-ssl and Moxie Marlinspike's sslsniff, while sharing no source code with them.

SSLsplit is designed to transparently terminate NAT-redirected connections, create a new SSL/TLS connection to the original destination, and log transmitted data. Over time it added defenses against mechanisms that complicate interception, including OCSP handling, HSTS and HPKP header mangling, Expect-CT suppression, and prevention of protocol upgrades such as QUIC, SPDY, HTTP/2, and WebSockets.

### Adoption history

The official project page lists package or port availability across FreeBSD, OpenBSD, NetBSD, DragonFly BSD, Homebrew, Arch Linux, Debian, Ubuntu, Gentoo, Fedora/RHEL/CentOS, openSUSE, Mageia, BlackArch, Kali Linux, and related security distributions or appliances. The supplied package metadata also shows Homebrew, Debian, Fedora, Nix, Arch, and Ubuntu packaging.

Its packaging footprint follows from its role in labs and security distributions: users need a reproducible build of a sensitive interception tool with OpenSSL, libevent, libpcap, libnet, NAT engine support, and platform-specific behavior aligned.

### How it is used

Typical usage requires redirecting traffic with a platform NAT engine, then running sslsplit with proxy specifications such as http, https, tcp, ssl, or autossl, CA certificate/key material, and logging destinations. The tool can write connection logs, content logs, PCAP output, mirrored packets, generated certificates, master secrets, and local process information.

Supported NAT mechanisms in official documentation include FreeBSD pf rdr and divert-to, ipfw fwd, ipfilter rdr; OpenBSD pf rdr-to and divert-to; Linux netfilter REDIRECT and TPROXY; and macOS pf rdr and ipfw fwd.

### Why package nerds care

SSLsplit is package-nerd significant because it is deeply coupled to OS networking facilities. A useful package is not only the binary; it is the right combination of OpenSSL compatibility, NAT-engine support, privilege behavior, man pages, sample configuration, and logging defaults.

It also belongs to the family of security tools whose value is inseparable from ethical context. Distributions package it for legitimate forensics, testing, and education, but its capability is explicitly man-in-the-middle interception.

### Timeline

- 2012: SSLsplit 0.4.2 was the first public release.
- 2013: Version 0.4.7 filtered HPKP headers and added HTTP status and content length to connection logs.
- 2014: Versions 0.4.8 through 0.4.10 improved pf support on macOS, added protocol forcing options, and added separate file logging with process information.
- 2016: Version 0.5.0 added generic STARTTLS support through the autossl proxy specification and introduced privilege separation.
- 2018: Version 0.5.4 added PCAP and packet-mirroring content log modes and the sslsplit.conf manual page.
- 2019: Version 0.5.5 fixed packaging and install-path behavior, including SYSCONFDIR-controlled installation of sample config files.

### Related projects

- Official README names mitm-ssl and sslsniff as inspirations.
- Related operational tools include OpenSSL, libevent, libpcap, libnet, platform NAT engines, Wireshark via PCAP or SSLKEYLOGFILE-style outputs, and security distributions such as Kali and BlackArch.

### Sources

- <https://github.com/droe/sslsplit#readme>
- <https://github.com/droe/sslsplit/blob/master/NEWS.md>
- <https://www.roe.ch/SSLsplit>
- input source_facts.package-manager


## Security Notes

broad file, network, media, or database tool signal. escape, surveillance, or offensive capability signal.

- **Geiger risk:** red / medium
- broad file, network, media, or database tool signal
- escape, surveillance, or offensive capability signal

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** sslsplit
- **Version Scheme:** 0
- **Revision:** 2
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - sslsplit - 0.5.5-2.1+b1: normalized package name match | Debian stable package indexes: sslsplit from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | transparent and scalable SSL/TLS interception | http://www.roe.ch/SSLsplit
- Nix - sslsplit: normalized package name match | nixpkgs package indexes: pkgs/by-name/ss/sslsplit/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - sslsplit - 0.5.5-2.1build4: normalized package name match | Ubuntu 24.04 LTS package indexes: sslsplit from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | transparent and scalable SSL/TLS interception | http://www.roe.ch/SSLsplit
- dnf - sslsplit - 0.5.5-22.fc45: normalized package name match | Fedora Rawhide package metadata: sslsplit from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Transparent and scalable SSL/TLS interception | http://www.roe.ch/SSLsplit
- pacman - sslsplit - 0.5.5-3: normalized package name match | Arch Linux sync databases: sslsplit from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Tool for man-in-the-middle attacks against SSL/TLS encrypted network connections | https://www.roe.ch/SSLsplit


## Related links

- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [libevent](https://www.automicvault.com/pkg/brew/libevent/) - Runtime dependency declared by Homebrew.
- [libnet](https://www.automicvault.com/pkg/brew/libnet/) - Runtime dependency declared by Homebrew.
- [libpcap](https://www.automicvault.com/pkg/brew/libpcap/) - Runtime dependency declared by Homebrew.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [check](https://www.automicvault.com/pkg/brew/check/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [ssldump](https://www.automicvault.com/pkg/brew/ssldump/) - Shares av.db curated category or tags: cli, network-analysis, security, ssl, tls.
- [gmssl](https://www.automicvault.com/pkg/brew/gmssl/) - Shares av.db curated category or tags: cli, security, ssl, tls.
- [gnutls](https://www.automicvault.com/pkg/brew/gnutls/) - Shares av.db curated category or tags: cli, security, ssl, tls.
- [libressl](https://www.automicvault.com/pkg/brew/libressl/) - Shares av.db curated category or tags: cli, security, ssl, tls.
- [mbedtls](https://www.automicvault.com/pkg/brew/mbedtls/) - Shares av.db curated category or tags: cli, security, ssl, tls.
- [silk](https://www.automicvault.com/pkg/brew/silk/) - Shares av.db curated category or tags: cli, network-analysis, security.
- [ssllabs-scan](https://www.automicvault.com/pkg/brew/ssllabs-scan/) - Shares av.db curated category or tags: cli, security, ssl, tls.
- [sslscan](https://www.automicvault.com/pkg/brew/sslscan/) - Shares av.db curated category or tags: cli, security, ssl, tls.
- [stunnel](https://www.automicvault.com/pkg/brew/stunnel/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, openssl, openssl-3, security, ssl.

## Combined YAML source

View the package source record on GitHub. [combined/sslsplit.yml](https://github.com/automic-vault/db/blob/main/combined/sslsplit.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
