Re: [squid-users] Squid typo fixes for 4.12
On 30/06/20 7:38 pm, L.P.H. van Belle wrote:
> Hai,
>
> Sorry for not pushing this through git.
> If you want some typos fixed, here you go.
>
> Fixed typos found by Lintian on Debian Buster.
>
> --- a/src/ssl/crtd_message.cc
> +++ b/src/ssl/crtd_message.cc
> @@ -206,7 +206,7 @@
> i = map.find(Ssl::CrtdMessage::param_Sign);
> if (i != map.end()) {
> if ((certProperties.signAlgorithm =
> Ssl::certSignAlgorithmId(i->second.c_str())) == Ssl::algSignEnd) {
> -error = "Wrong signing algoritm: ";
> +error = "Wrong signing algorithm: ";
> error += i->second;
> return false;
> }
> --- a/CREDITS
> +++ b/CREDITS
> @@ -1631,7 +1631,7 @@
> * (C) 2000 Antonino Iannella, Stellar-X Pty Ltd
> * Released under GPL, see COPYING-2.0 for details.
>
> - * Released under GNU Public License
> + * Released under GNU General Public License
> *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License as published by

FTR; License text is not subject to trivial re-writing. The third-party code being used by Squid was supplied with that particular wording for their license description and we must not change it without permission. ("GNU Public License" was an actual license back in the dawn of time).

In absence of contact with the copyright holder we may only replace the code wholesale with an updated version from that author where they provide a different license text, or a cleanroom implementation from someone else.

The rest of the patch is fine. Though please be aware that some of the error messages have translation texts which will be prevented from appearing when changed.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
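Review bot: the src/ssl/crtd_message.cc hunk (`-error = "Wrong signing algoritm: ";` / `+error = "Wrong signing algorithm: ";`) changes a user-visible error string, and Amos notes above that some Squid error messages have translation texts that stop appearing once the source wording changes; before merging, search the tree (translations, test fixtures, anything that greps the log) for the old spelling "Wrong signing algoritm" and update every hit in the same commit so the message does not silently lose its translation.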
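Review bot: the CREDITS hunk (`- * Released under GNU Public License` / `+ * Released under GNU General Public License`) rewrites a third-party license statement rather than Squid's own prose, and as Amos points out the copyright holder's wording may not be altered without their permission; drop this hunk and resubmit the patch with only the src/ssl/crtd_message.cc spelling fix.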
Re: [squid-users] squid kerberos auth, acl note group
On 7/21/20 10:41 AM, Klaus Brandl wrote:
> we have a problem with the squid kerberos auth helper and the note acl
> matching to user groups in an active directory.
> First the user was in one group, which was configured via the groupSid base64
> string as a note acl, and this was working very well.
> Then a new group was added to the user, and the note acl was changed to
> this new groupSid string, but now this group is not matching. We also do not
> see this group string in the debug output from the auth helper like this:

If the helper is not returning the new groupSid to Squid then the note ACL using that new groupSid should not match. Unfortunately, I do not know enough about that helper to tell you why it does not tell Squid about the new group.

> /tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups
> group=AQUAAAUVMq9NXuhR/XHUeZSdjV0AAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdAQIAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdIXIAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdkE8AAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdKUMAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSd2U==
> group=AQUAAAUVMq9NXuhR/XHUeZSdh0wAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdZk4AAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdFFsAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdH0cAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSd+1QAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdDFEAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdWlIAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdOE==
> group=AQUAAAUVMq9NXuhR/XHUeZSdPUMAAA==
> group=AQUAAAUVMq9NXuhR/XHUeZSdJ3==
> group=AQUAAAUVMq9NXuhR/XHUeZSdOMQAAA==
> group=AQEAABIB
>
> The config is like this:
>
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth \
>     -i -d -s GSS_C_NO_NAME
> auth_param negotiate children 100
> auth_param negotiate keep_alive on
> acl authenticated proxy_auth REQUIRED
> acl surfen note group AQUAAAUVMq9NXuhR/XHUeZSdmZ0AAA==
> http_access allow authenticated surfen
> http_access deny all
>
> Any idea what the problem could be?
> Where are these groups from in the debug output, are they from the decoded
> authentication token from the client, or from the kerberos connection to the
> domain controller?

The group membership info should be coming from the authentication service, not the client.

> And why does the last group string look truncated?

I could not find the source of the debug() function used by the helper, but I would not be surprised if that function has a fixed buffer that does not accommodate all the groups. It is also possible that there is not enough space in the helper buffers to store the actual groups -- I cannot tell whether that is the case from the debugging output you shared (and the source code has many conditional branches that allocate this space differently based on various factors AFAICT). A local developer or a very capable local admin should be able to answer this question by studying (and possibly adding more) helper debugging.

Please also note that there are a couple of possibly related known bugs:

* https://bugs.squid-cache.org/show_bug.cgi?id=5063
* https://bugs.squid-cache.org/show_bug.cgi?id=5063

Alex.
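As an added example (not code from this thread or from the Squid project), the following Python script runs the two checks Alex's reply implies over the tokens quoted above: whether the value configured in the `acl surfen note group ...` line is literally among the `group=` values the helper printed, and whether any printed token is shorter than its siblings from the same domain. The token list and the ACL value are copied from the messages in this thread. The helper's exact encoding of group SIDs is not documented on this page, so the script treats each token as an opaque base64 blob and only reads the two leading bytes (revision, sub-authority count) that a binary SID starts with; the `note` ACL is modelled as an exact, case-sensitive string comparison, which is an assumption of this example.

```python
"""Cross-check the group tokens a Squid negotiate_kerberos_auth helper logged
against the token configured in an `acl ... note group ...` line.

Added example for this thread; not part of Squid. The tokens below are copied
from the helper debug output quoted above. The helper's SID encoding is not
documented here, so tokens are handled as opaque base64 blobs."""
import base64
import binascii
from collections import defaultdict

# Copied from the "DEBUG: Groups" output of the helper in this thread.
HELPER_GROUPS = [
    "AQUAAAUVMq9NXuhR/XHUeZSdjV0AAA==", "AQUAAAUVMq9NXuhR/XHUeZSdAQIAAA==",
    "AQUAAAUVMq9NXuhR/XHUeZSdIXIAAA==", "AQUAAAUVMq9NXuhR/XHUeZSdkE8AAA==",
    "AQUAAAUVMq9NXuhR/XHUeZSdKUMAAA==", "AQUAAAUVMq9NXuhR/XHUeZSd2U==",
    "AQUAAAUVMq9NXuhR/XHUeZSdh0wAAA==", "AQUAAAUVMq9NXuhR/XHUeZSdZk4AAA==",
    "AQUAAAUVMq9NXuhR/XHUeZSdFFsAAA==", "AQUAAAUVMq9NXuhR/XHUeZSdH0cAAA==",
    "AQUAAAUVMq9NXuhR/XHUeZSd+1QAAA==", "AQUAAAUVMq9NXuhR/XHUeZSdDFEAAA==",
    "AQUAAAUVMq9NXuhR/XHUeZSdWlIAAA==", "AQUAAAUVMq9NXuhR/XHUeZSdOE==",
    "AQUAAAUVMq9NXuhR/XHUeZSdPUMAAA==", "AQUAAAUVMq9NXuhR/XHUeZSdJ3==",
    "AQUAAAUVMq9NXuhR/XHUeZSdOMQAAA==", "AQEAABIB",
]
# The value from the quoted squid.conf line "acl surfen note group ...".
ACL_GROUP = "AQUAAAUVMq9NXuhR/XHUeZSdmZ0AAA=="


def note_acl_matches(configured, reported):
    """Model of a `note` ACL with a literal value (assumption: exact,
    case-sensitive comparison): the configured token must be identical to one
    of the `group=` values the helper returned for the transaction."""
    return configured in reported


def decode_token(token):
    """Base64-decode one token. Returns None if it is not valid base64,
    otherwise the raw bytes plus the two fields every binary SID starts with:
    revision and declared sub-authority count."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if len(raw) < 2:
        return None
    return {"raw": raw, "length": len(raw),
            "revision": raw[0], "subauth_count": raw[1]}


def find_short_tokens(tokens, prefix_len=18):
    """Flag tokens shorter than another token sharing their first prefix_len
    bytes. Group SIDs of one AD domain share the domain part and differ only
    in the trailing RID, so same-prefix tokens should be equally long; a
    shorter one lost bytes somewhere before it reached the log line.
    Returns {token: (its_length, longest_sibling_length)}."""
    by_prefix = defaultdict(list)
    for token in tokens:
        decoded = decode_token(token)
        if decoded is not None:
            by_prefix[decoded["raw"][:prefix_len]].append((token, decoded["length"]))
    short = {}
    for members in by_prefix.values():
        longest = max(length for _, length in members)
        for token, length in members:
            if length < longest:
                short[token] = (length, longest)
    return short


def report(configured=ACL_GROUP, reported=HELPER_GROUPS):
    """Human-readable summary of both checks."""
    verdict = "IS" if note_acl_matches(configured, reported) else "is NOT"
    lines = ["configured token %s among the helper's groups: %s" % (verdict, configured)]
    for token, (length, longest) in find_short_tokens(reported).items():
        lines.append("token %s is %d bytes, its siblings are %d: looks cut off"
                     % (token, length, longest))
    for token in reported:
        if decode_token(token) is None:
            lines.append("token %s is not valid base64" % token)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the thread's data the script reports that the configured token is not among the eighteen the helper printed, which is exactly the condition under which the ACL cannot match, and that the three tokens ending in `2U==`, `OE==` and `J3==` are 19 bytes where every other token of that domain is 22. The lone `AQEAABIB` token has no sibling to compare against, so the script does not judge it; that is the one a human still has to look at.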
Re: [squid-users] squid doesn't fetch the intermediate certificate for some sites
On 7/21/20 3:41 AM, Dieter Bloms wrote:
> for some sites like https://mycase.cloudapps.cisco.com/
> squid doesn't fetch the intermediate certificate and returns
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

The underlying problem is not specific to SslBump AFAICT. The combination of unfortunate OpenSSL design decisions and TLS v1.3 secrecy creates a serious problem for Squid. For details, please see https://bugs.squid-cache.org/show_bug.cgi?id=5067#c2

Alex.
[squid-users] squid kerberos auth, acl note group
Hi there,

we have a problem with the squid kerberos auth helper and the note acl matching to user groups in an active directory.

First the user was in one group, which was configured via the groupSid base64 string as a note acl, and this was working very well.
Then a new group was added to the user, and the note acl was changed to this new groupSid string, but now this group is not matching. We also do not see this group string in the debug output from the auth helper like this:

/tmp/ports.squid-4.11pg0.AFNuqpKCuX/squid-4.11/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc(806): pid=32868 :2020/07/21 14:34:54| negotiate_kerberos_auth: DEBUG: Groups
group=AQUAAAUVMq9NXuhR/XHUeZSdjV0AAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdAQIAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdIXIAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdkE8AAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdKUMAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSd2U==
group=AQUAAAUVMq9NXuhR/XHUeZSdh0wAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdZk4AAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdFFsAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdH0cAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSd+1QAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdDFEAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdWlIAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdOE==
group=AQUAAAUVMq9NXuhR/XHUeZSdPUMAAA==
group=AQUAAAUVMq9NXuhR/XHUeZSdJ3==
group=AQUAAAUVMq9NXuhR/XHUeZSdOMQAAA==
group=AQEAABIB

The config is like this:

auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth \
    -i -d -s GSS_C_NO_NAME
auth_param negotiate children 100
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
acl surfen note group AQUAAAUVMq9NXuhR/XHUeZSdmZ0AAA==
http_access allow authenticated surfen
http_access deny all

Any idea what the problem could be?
Where are these groups from in the debug output, are they from the decoded authentication token from the client, or from the kerberos connection to the domain controller?
And why does the last group string look truncated?

Thanks for your help!

Regards
Klaus

---
genua GmbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Matthias Ochs, Marc Tesch
Amtsgericht Muenchen HRB 98238
genua ist ein Unternehmen der Bundesdruckerei-Gruppe.
Re: [squid-users] squid doesn't fetch the intermediate certificate for some sites
Hello Matus,

thank you for your answer.

On Tue, Jul 21, Matus UHLAR - fantomas wrote:
> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of a missing intermediate
> > certificate.
> >
> > In squid.conf we have configured the following parameters:
> >
> > --snip--
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > http_access allow fetch_intermediate_certificate
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > --snip--
> >
> > and fetching the intermediate certificate works for sites like:
> > https://incomplete-chain.badssl.com/
> >
> > but for some sites like https://mycase.cloudapps.cisco.com/
> > squid doesn't fetch the intermediate certificate and returns
> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> >
> > In my eyes the certificate of mycase.cloudapps.cisco.com contains an AIA
> > record.
> >
> > output of openssl on certificate of mycase.cloudapps.cisco.com
> > --snip--
> >     Authority Information Access:
> >         CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> >         OCSP - URI:http://ocsp.quovadisglobal.com
> > --snip--
> >
> > so does anybody see what's the reason why squid doesn't download the
> > intermediate certificate for mycase.cloudapps.cisco.com ?
>
> squid can't download certificates other than the website provides.

that's not true:

from site: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
"Squid-4 is capable of downloading missing intermediate CA certificates, like popular browsers do."

> if a website does not provide a valid certificate chain, it's up to the client
> to produce an error. With a browser, you can allow the certificate explicitly.

with sslbump the browser doesn't see the origin webserver certificate, but sees the squid created one.

> It is also possible that the browser has the intermediate certificate
> remembered.

as I already wrote, we use sslbump.

> testing the certificate for mycase.cloudapps.cisco.com shows only one
> certificate I can see:
>
> Certificate chain
>  0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
>    i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
>
> the HydrantID SSL ICA G2 certificate seems to be missing here.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (Slovak original): I do not want to receive any advertising mail at this address.
> Windows 2000: 640 MB ought to be enough for anybody

--
Regards, Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
[squid-users] squid doesn't fetch the intermediate certificate for some sites
Hello,

we use the sslbump feature and it works very well.
But some sites can't be reached because of a missing intermediate certificate.

In squid.conf we have configured the following parameters:

--snip--
# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--

and fetching the intermediate certificate works for sites like:
https://incomplete-chain.badssl.com/

but for some sites like https://mycase.cloudapps.cisco.com/
squid doesn't fetch the intermediate certificate and returns
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

In my eyes the certificate of mycase.cloudapps.cisco.com contains an AIA record.

output of openssl on certificate of mycase.cloudapps.cisco.com
--snip--
    Authority Information Access:
        CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
        OCSP - URI:http://ocsp.quovadisglobal.com
--snip--

so does anybody see what's the reason why squid doesn't download the intermediate certificate for mycase.cloudapps.cisco.com ?

--
Regards

Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
Re: [squid-users] squid doesn't fetch the intermediate certificate for some sites
On 21.07.20 09:41, Dieter Bloms wrote:
> we use the sslbump feature and it works very well.
> But some sites can't be reached because of a missing intermediate
> certificate.
>
> In squid.conf we have configured the following parameters:
>
> --snip--
> # allow fetching of missing intermediate certificates
> acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> http_access allow fetch_intermediate_certificate
> cache allow fetch_intermediate_certificate
> cache deny all
> --snip--
>
> and fetching the intermediate certificate works for sites like:
> https://incomplete-chain.badssl.com/
>
> but for some sites like https://mycase.cloudapps.cisco.com/
> squid doesn't fetch the intermediate certificate and returns
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
> In my eyes the certificate of mycase.cloudapps.cisco.com contains an AIA
> record.
>
> output of openssl on certificate of mycase.cloudapps.cisco.com
> --snip--
>     Authority Information Access:
>         CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
>         OCSP - URI:http://ocsp.quovadisglobal.com
> --snip--
>
> so does anybody see what's the reason why squid doesn't download the
> intermediate certificate for mycase.cloudapps.cisco.com ?

squid can't download certificates other than the website provides.

if a website does not provide a valid certificate chain, it's up to the client to produce an error. With a browser, you can allow the certificate explicitly.

It is also possible that the browser has the intermediate certificate remembered.

testing the certificate for mycase.cloudapps.cisco.com shows only one certificate I can see:

Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2

the HydrantID SSL ICA G2 certificate seems to be missing here.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do not want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody