Re: [squid-users] can squid use dns server on random port(non-53)?

2018-06-26 Thread Dieter Bloms
Hello,

On Tue, Jun 26, Gordon Hsiao wrote:

> I checked the manual; it seems I can only set dnsserver with a new IP. Is it
> possible to make squid support a non-standard DNS port, e.g. 5353?

maybe you can use a dns resolver like unbound, dnscache or dnsmasq,
which can be configured to listen on localhost port 53, so only squid can
access it via localhost and no other servers.
These dns resolvers can be configured to use a non-standard port like
5353 for the destination dns servers.

But in the past I've never seen a dns server listening on port 5353, so
maybe the setup is a little broken.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] can squid use dns server on random port(non-53)?

2018-06-26 Thread Gordon Hsiao
I checked the manual; it seems I can only set dnsserver with a new IP. Is it
possible to make squid support a non-standard DNS port, e.g. 5353?

Thanks,
Gordon


Re: [squid-users] Adobe CC behind Squid

2018-06-26 Thread Amos Jeffries
On 26/06/18 20:53, admin wrote:
> Hello Amos,
>
> Adobe Cloud starts and asks correctly for proxy authentication.
> Then it tries to connect and gets a timeout and tries and...
>
> In Access.log I only see a connect to Adobe.com:
> TCP_TUNNEL:HIER_DIRECT
>

Hmm, that sounds like the traffic is either a) not going to the proxy
like it should, or b) going inside the tunnel.

If (a) it could be a routing issue, or a bug in the ACC software.

If (b) the credentials are not relevant except to the CONNECT message.
Do those CONNECT messages you see in the log ever contain the required
credentials?


Amos


Re: [squid-users] ACL vs redirector order

2018-06-26 Thread Amos Jeffries
On 27/06/18 09:51, Gordon Hsiao wrote:
> Assuming I allow a domain to pass in ACL, but deny it in my redirector,
> which one will work?
> 
> Also, assuming I deny a domain in squid.conf, but allow it in the
> redirector, which one will take precedence?
> 
> Will there be a difference for the above when peek+splice / peek+bump
> was used?
> 

Your questions are very generic. Please be specific about what exactly
you are configuring, showing your config would be best.

Amos


Re: [squid-users] when will squid 4 be production ready?

2018-06-26 Thread Amos Jeffries
On 27/06/18 04:12, Gordon Hsiao wrote:
> squid4 has been released for quite a while, when will it be production
> ready or any rough timeline on the horizon?
> 



Here's hoping.

Amos


[squid-users] ACL vs redirector order

2018-06-26 Thread Gordon Hsiao
Assuming I allow a domain to pass in ACL, but deny it in my redirector,
which one will work?

Also, assuming I deny a domain in squid.conf, but allow it in the
redirector, which one will take precedence?

Will there be a difference for the above when peek+splice / peek+bump was
used?

Thanks,
Gordon


Re: [squid-users] Trust a particular CA only for a limited domain

2018-06-26 Thread Alex Rousskov
On 06/26/2018 07:22 AM, Ahmad, Sarfaraz wrote:
> I need to provide access to my clients to a service on the internet that
> is using a private CA.
> 
> I do not want to trust that CA outside the scope of that destination
> domain.  (The thought is to not just blindly trust a random CA, rather
> if we have to, we limit it to the particular domain.)
> 
> Can something like this be achieved without toying with Squid's code?


I believe this can be done with a sslcrtvalidator_program helper:

* http://www.squid-cache.org/Doc/config/sslcrtvalidator_program/
*
https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator

Alternatively, you may be able to block (wrong) responses signed by that
CA using an external ACL that is supplied %ssl::>cert_issuer and origin
domain information.

The validator helper approach prevents untrusted HTTP messages from
reaching Squid, but the external ACL approach is easier to implement.


HTH,

Alex.
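As an added illustration of the external ACL approach Alex mentions (example code written for this thread, not Alex's or the Squid project's): a minimal Squid external ACL helper that matches when a certificate from the restricted private CA is presented for a destination outside that CA's approved domains. The squid.conf wiring in the docstring, the helper path, the issuer DN string and the domain list are assumptions; take the exact issuer string from what Squid itself logs for %ssl::>cert_issuer.

```python
#!/usr/bin/env python3
"""Squid external ACL helper (added example): match when a server certificate
issued by a restricted private CA is presented for a destination outside that
CA's approved scope.  Assumed squid.conf wiring (hypothetical; check the
directive syntax for your Squid version):
  external_acl_type ca_scope ttl=60 %ssl::>cert_issuer %ssl::>sni /usr/local/bin/ca_scope.py
  acl private_ca_out_of_scope external ca_scope
  http_access deny private_ca_out_of_scope
Squid URL-encodes each field it hands to the helper, so spaces arrive as %20.
"""
import sys
from urllib.parse import unquote

# Constructed sample policy: issuer DN of the private CA and the only domains for
# which its certificates may be trusted.  Use the exact issuer string that Squid
# logs for %ssl::>cert_issuer in your own deployment.
RESTRICTED_CAS = {
    "/O=Example Partner/CN=Partner Private CA": {"service.partner.example",
                                                  "api.partner.example"},
}

def domain_in_scope(host, allowed):
    """True if host equals or is a subdomain of any allowed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def decide(line):
    """Verdict for one input line: OK = ACL matches (block it), ERR = no match,
    BH = helper could not parse the request."""
    fields = line.strip().split()
    if len(fields) < 2:
        return "BH"
    issuer, sni = (unquote(f) for f in fields[:2])
    allowed = RESTRICTED_CAS.get(issuer)
    if allowed is None:
        return "ERR"  # a CA this policy does not restrict; nothing to block
    # Squid passes a missing SNI as "-", which is never in scope: fail closed.
    return "ERR" if domain_in_scope(sni, allowed) else "OK"

def main():
    for line in sys.stdin:  # one request per line, one verdict per line
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```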


Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Amit Pasari - XS INFOSOL Inc. USA
Let me try the below solution, but if that's the case it shouldn't work
with other browsers as well. What I think is that Chrome is either not
reading my cert or rejecting it.

Unsure.

Amit

On 6/26/18 10:38 PM, Walter H. wrote:
> On 26.06.2018 19:03, Amit pasari wrote:
>> Dear Walter
>> I have tried with both SHA1 and SHA256 cert.
>>
>> Sent from my iPhone
>>
>> On Jun 26, 2018, at 9:43 PM, Walter H. wrote:
>>> On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
>>>> I am using squid in transparent mode. Everything is working fine in
>>>> Firefox and IE after I imported the certificate in both browsers, but
>>>> in Chrome 67 on Windows 10 I am facing the below issue:
>>>>
>>>> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>>>>
>>>> when I open https://facebook.com, https://linkedin.com etc.
>>>>
>>>> I am clueless on the same now.
>>>>
>>>> Amit
>>>
>>> Have you generated a SHA1 or SHA-256 certificate?
>>>
>>> Walter
>
> can you try this:
>
> sslproxy_cert_sign_hash sha256
>
> and use a SHA-256 certificate
>
> Walter



--
XS Infosol

*Amit Pasari*
CEO
*XS Infosol Pvt Ltd*

*Call* : +91-120-4978080, Extn.101
*Mobile* : +91-9953007901
*Skype Id* : amitpasari
*Mail id* : a...@xsinfosol.com
*Website* : www.xsinfosol.com


Re: [squid-users] Splice using SubjectCN/SAN from remote server certificate

2018-06-26 Thread Alex Rousskov
On 06/25/2018 11:42 PM, Ahmad, Sarfaraz wrote:

> we cannot look at the SubjectCN/SAN in the remote server certificate
> and then decide whether we want to splice or bump. (peeking at step
> 2 really restricts our options) Is my understanding correct? Or is
> there a way to accomplish this?

In some rare cases, it is possible to peek at the server and then bump
the connections: For that to work, Squid must fool OpenSSL into
believing that OpenSSL generated the forwarded ClientHello message. This
requires adjusting internal OpenSSL state. That adjustment is possible
for some OpenSSL versions. Relying on this trick is unsafe because the
server may use a cipher (or another TLS feature) that Squid does not
actually support, precluding bumping.

In most modern scenarios, the adjustment is either impossible or unsafe.
Modern Squids do not enable this feature by default:

> checking whether hello message can be overwritten in SSL struct... possibly; 
> to try, set SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK macro value to 1


Similarly, there are rare cases where it is possible to stare at the
server and then splice the connections. Doing so requires using the same
hack as described above: Squid forwards ClientHello intact while
allowing OpenSSL to later bump the connection because OpenSSL thinks
that it sent that ClientHello.


FWIW, please note that it is not possible to forward a modified
ClientHello and then splice TLS connections. Splicing requires
forwarding intact ClientHello and ServerHello messages because TLS
agents exchange their checksums in the Finished messages.

Also, TLS v1.3 will make most of this irrelevant because it encrypts the
server certificate. You would have to make most of your decisions during
step 2.


HTH,

Alex.


Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.

On 26.06.2018 19:03, Amit pasari wrote:
> Dear Walter
> I have tried with both SHA1 and SHA256 cert.
>
> Sent from my iPhone
>
> On Jun 26, 2018, at 9:43 PM, Walter H. wrote:
>> On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
>>> I am using squid in transparent mode. Everything is working fine in
>>> Firefox and IE after I imported the certificate in both browsers, but
>>> in Chrome 67 on Windows 10 I am facing the below issue:
>>>
>>> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>>>
>>> when I open https://facebook.com, https://linkedin.com etc.
>>>
>>> I am clueless on the same now.
>>>
>>> Amit
>>
>> Have you generated a SHA1 or SHA-256 certificate?
>>
>> Walter

can you try this:

sslproxy_cert_sign_hash sha256

and use a SHA-256 certificate

Walter




Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Amit pasari
Dear Walter

I have tried with both SHA1 and SHA256 cert.


Sent from my iPhone

> On Jun 26, 2018, at 9:43 PM, Walter H. wrote:
> 
>> On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
>> I am using squid in transparent mode. Everything is working fine in Firefox
>> and IE after I imported the certificate in both browsers, but in
>> Chrome 67 on Windows 10 I am facing the below issue:
>> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>> when I open https://facebook.com, https://linkedin.com etc.
>> I am clueless on the same now.
>> Amit
>> 
> Have you generated a SHA1 or SHA-256 certificate?
> 
> Walter
> 


[squid-users] when will squid 4 be production ready?

2018-06-26 Thread Gordon Hsiao
squid4 has been released for quite a while; when will it be production
ready, or is there any rough timeline on the horizon?

Some little features are attractive, such as automatic intermediate CA
download.

On another note, it would be great if someone could update the Squid book
for 3.5/4.x, especially on ssl-bump and other new stuff.

Cheers,
Gordon


Re: [squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Walter H.

On 26.06.2018 17:22, Amit Pasari - XS INFOSOL Inc. USA wrote:
> I am using squid in transparent mode. Everything is working fine in
> Firefox and IE after I imported the certificate in both browsers, but
> in Chrome 67 on Windows 10 I am facing the below issue:
>
> NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
>
> when I open https://facebook.com, https://linkedin.com etc.
>
> I am clueless on the same now.
>
> Amit

Have you generated a SHA1 or SHA-256 certificate?

Walter





[squid-users] Chrome 67 Issue with SSL Bump

2018-06-26 Thread Amit Pasari - XS INFOSOL Inc. USA

Dear All,

I am using squid ver. 3.5.26 on CentOS 6.7 with the below configuration.

=

http_port 3128  intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/myssl/public.pem capath=/etc/ssl/certs options=NO_SSLv3 key=/etc/myssl/private.pem


ssl_bump peek step1 all
ssl_bump peek step2 serverIsBank
ssl_bump splice step3 serverIsBank
ssl_bump bump all

==

I am using squid in transparent mode. Everything is working fine in
Firefox and IE after I imported the certificate in both browsers, but in
Chrome 67 on Windows 10 I am facing the below issue:

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

when I open https://facebook.com, https://linkedin.com etc.

I am clueless on the same now.

Amit




[squid-users] Trust a particular CA only for a limited domain

2018-06-26 Thread Ahmad, Sarfaraz
I need to provide access to my clients to a service on the internet that is
using a private CA.
I do not want to trust that CA outside the scope of that destination domain.
(The thought is to not just blindly trust a random CA; rather, if we have to, we
limit it to the particular domain.)
Can something like this be achieved without toying with Squid's code?

BR,
Sarfaraz



Re: [squid-users] Splice using SubjectCN/SAN from remote server certificate

2018-06-26 Thread Amos Jeffries
On 26/06/18 17:42, Ahmad, Sarfaraz wrote:
> I realize that unlike other proprietary MITM appliances, Squid doesn't fiddle 
> with the original client hello.

That is not strictly true. It depends on what you have configured Squid
to do.

Squid does adjust the TLS extensions to only allow features that are
supported (i.e. ALPN, to remove HTTP/2, etc., which is not yet supported
by Squid).


> I think this magnifies into the fact that we cannot look at the SubjectCN/SAN
> in the remote server certificate and then decide whether we want to splice or
> bump. (peeking at step 2 really restricts our options)
> Is my understanding correct?

No. Peeking at the client Hello does not impact the final decision;
whether you peek or stare at the server Hello is what does that.


> Or is there a way to accomplish this ?

If the client and proxy capabilities and OpenSSL config are identical
(or nearly so) then theoretically Squid can still splice after a stare
action. But whether the current SSL-Bump implementation is smart enough
to detect that case I'm not sure.

Amos