Re: [squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

2021-01-13 Thread Greg Hulands
Hi Alex,
Thanks for the help. Comments inline.


> On Jan 13, 2021, at 2:23 PM, Alex Rousskov wrote:
> 
> On 1/13/21 4:33 PM, Greg Hulands wrote:
> 
>> I am setting up squid 5.0.3 and during testing I have found some 
>> websites fail to have their certificates generated correctly. I am
>> able to go to sites like YouTube.com and have the certificates for
>> that be generated correctly, but when I try to go to some others,
>> like arstechnica.com, they fail to generate and return the CA cert
>> that squid is using to sign certificates with.
> 
> Just to double check: Are you sure that the certificate the client gets
> is the configured CA certificate? For example, do the two certificates
> have the same fingerprint?

Yes, I verified it’s the same certificate - fingerprints are a match.

> 
>> I turned the logging up on certificate stuff to 5 and have the cache log
>> from trying to make a request
>> here: https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb
> 
> The posted snippet shows successful TLS negotiation with the origin
> server (FD 23) and a subsequently failed negotiation with the client (FD
> 21). The latter may have failed because the client did not like the
> certificate generated by Squid, but I did not check the exact failure
> reason carefully.
> 
> The snippet has no information about Squid sending the (generated)
> certificates to the client, but Squid appears to receive some generated
> certificate from the helper (crtGenRq3180846).
> 
> * If you are sure that the client gets a wrong certificate from Squid,
> then I recommend posting an ALL,9 log of the problematic transaction.
> With some luck, we may be able to see what went wrong with certificate
> generation (or virgin certificate validation??).

I have put the ALL,9 log here 
https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914 


I can see it generates the certificate correctly, but couldn’t identify why it 
didn’t return the cert to the client.

> 
> * Otherwise, I recommend double checking what certificate the client
> gets. If the client gets the correct generated certificate, then the
> problem is not in certificate validation or generation.
> 
> Posting the certificate that the client actually gets may help a lot
> with the triage as well.

The certificate that gets returned is in the logs as it’s the CA cert.

Thanks,
Greg

> 
> 
> HTH,
> 
> Alex.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

2021-01-13 Thread Amos Jeffries

On 14/01/21 3:17 am, David Touzeau wrote:


Hi

This error is generated every 15 minutes when using any authenticator 
helper (ntlm, kerberos...)


Is there a way to investigate this issue?

kidxx| WARNING: no_suid: setuid(0): (1) Operation not permitted



This looks like 


Amos


Re: [squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

2021-01-13 Thread Amos Jeffries

On 13/01/21 11:27 pm, Dieter Bloms wrote:

Hello,

the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
certificate chain.
I can't access the website with enabled sslbump and tlsv1.3 support,
because squid isn't able to download the missing intermediate
certificate on its own.



What version of Squid are you using?

These certificates generated by LetsEncrypt use the AIA mechanism, so the
latest Squid versions should be downloading intermediate certs as needed.


Amos


Re: [squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

2021-01-13 Thread Alex Rousskov
On 1/13/21 9:47 PM, Greg Hulands wrote:
> I have put the ALL,9 log
> here https://gist.github.com/ghulands/4a689db93fc87f9e7f69174f292f1914

> I can see it generates the certificate correctly,

Agreed. Squid receives (from the helper) a generated certificate with
the right wildcard CN, not a CA certificate.


> but couldn’t identify why it didn’t return the cert to the client.

Yeah... Squid is calling the code that should set the certificate for
the client connection. Unfortunately, I cannot easily tell whether that
code is using the right certificate -- the existing debugging may not
even reveal that detail.

If you see a different certificate received by the client -- something I
cannot verify from the logs -- then perhaps Squid incorrectly switched
the right certificate to a different one or Squid failed to set the
right certificate but forgot to report the problem (and the CA
certificate from the related context was used?). These are just wild
guesses.

If you do not get better suggestions for going forward, consider these
last-straw ideas:

* Testing with a client like openssl, try disabling TLS v1.3. It is
being used by the client in your logs. Perhaps there is something in TLS
v1.3 that requires special handling when talking to the client. I know
that Squid has problems with TLS v1.3 on the Squid-to-server
connections... (In your case, the Squid-to-server connection is TLS v1.2
AFAICT).

* Upgrade to the latest v5 or even v6. I see no relevant fixes in v5 but
I could miss them.

* If you are a developer, add more debugging or use gdb to find out what
happens with the Squid-to-client certificate. Otherwise, find a
developer who can do that for you.

Sorry I cannot think of any good options here.

Alex.


[squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

2021-01-13 Thread Greg Hulands
Hi,
I am setting up squid 5.0.3 and during testing I have found some websites fail
to have their certificates generated correctly. I am able to go to sites like
YouTube.com and have the certificates for that be generated correctly, but when
I try to go to some others, like arstechnica.com, they fail to generate and
return the CA cert that squid is using to sign certificates with.

I turned the logging up on certificate stuff to 5 and have the cache log from 
trying to make a request here: 
https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb 


My ssl-bump config is 

ssl_bump peek step1
ssl_bump bump all

Does anyone have any suggestions or insight on what the problem might be?

Thanks,
Greg


$ squid --version
Squid Cache: Version 5.0.3
Service Name: squid

This binary uses OpenSSL 1.1.1i  8 Dec 2020. For legal restrictions on 
distribution see https://www.openssl.org/source/license.html 


configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' 
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' 
'--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' 
'--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' 
'--without-gnutls' '--with-included-ltdl' '--enable-auth' '--enable-zph-qos' 
'--enable-build-info' '--enable-loadable-modules' 
'--enable-removal-policies=lru heap' '--disable-epoll' 
'--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' 
'--disable-arch-native' '--disable-strict-error-checking' '--enable-eui' 
'--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' 
'--disable-esi' '--enable-follow-x-forwarded-for' '--with-mit-krb5=/usr/local' 
'CFLAGS=-I/usr/local/include -O2 -pipe  -fstack-protector-strong 
-fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib  -pthread -L/usr/local/lib 
-lpcreposix -lpcre -Wl,-rpath,/usr/local/lib:/usr/lib -Wl,-rpath,/usr/local/lib 
-fstack-protector-strong ' 'LIBS=-lkrb5 -lgssapi_krb5 ' 
'KRB5CONFIG=/usr/local/bin/krb5-config' 
'krb5_config=/usr/local/bin/krb5-config' '--enable-htcp' '--enable-icap-client' 
'--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' 
'--with-large-files' '--enable-http-violations' '--without-nettle' 
'--enable-snmp' '--enable-ssl' '--with-openssl=/usr/local' 
'--enable-security-cert-generators=file' 
'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' 
'--enable-ssl-crtd' '--disable-stacktraces' '--disable-tdb' 
'--disable-ipf-transparent' '--enable-ipfw-transparent' 
'--disable-pf-transparent' '--without-nat-devpf' '--enable-forw-via-db' 
'--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=DB SMB_LM NCSA PAM POP3 
RADIUS fake getpwnam NIS' '--enable-auth-digest=file' 
'--enable-external-acl-helpers=file_userip unix_group delayer' 
'--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake SMB_LM' 
'--enable-storeio=aufs diskd rock ufs' '--enable-disk-io=DiskThreads DiskDaemon 
AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file DB' 
'--enable-url-rewrite-helpers=fake LFS' '--enable-storeid-rewrite-helpers=file' 
'--enable-security-cert-validators=fake' '--prefix=/usr/local' 
'--mandir=/usr/local/man' '--disable-silent-rules' 
'--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.2' 
'build_alias=amd64-portbld-freebsd12.2' 'CC=cc' 'CPPFLAGS=-I/usr/local/include' 
'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector-strong -fno-strict-aliasing  ' 
'CPP=cpp' --enable-ltdl-convenience


Re: [squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

2021-01-13 Thread Alex Rousskov
On 1/13/21 4:33 PM, Greg Hulands wrote:

> I am setting up squid 5.0.3 and during testing I have found some 
> websites fail to have their certificates generated correctly. I am
> able to go to sites like YouTube.com and have the certificates for
> that be generated correctly, but when I try to go to some others,
> like arstechnica.com, they fail to generate and return the CA cert
> that squid is using to sign certificates with.

Just to double check: Are you sure that the certificate the client gets
is the configured CA certificate? For example, do the two certificates
have the same fingerprint?


> I turned the logging up on certificate stuff to 5 and have the cache log
> from trying to make a request
> here: https://gist.github.com/ghulands/f89b49bf180bfac86c98c46c4260f1eb

The posted snippet shows successful TLS negotiation with the origin
server (FD 23) and a subsequently failed negotiation with the client (FD
21). The latter may have failed because the client did not like the
certificate generated by Squid, but I did not check the exact failure
reason carefully.

The snippet has no information about Squid sending the (generated)
certificates to the client, but Squid appears to receive some generated
certificate from the helper (crtGenRq3180846).

* If you are sure that the client gets a wrong certificate from Squid,
then I recommend posting an ALL,9 log of the problematic transaction.
With some luck, we may be able to see what went wrong with certificate
generation (or virgin certificate validation??).

* Otherwise, I recommend double checking what certificate the client
gets. If the client gets the correct generated certificate, then the
problem is not in certificate validation or generation.

Posting the certificate that the client actually gets may help a lot
with the triage as well.


HTH,

Alex.
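The check Alex asks for above (compare the fingerprint of the certificate the client actually receives with the fingerprint of the CA certificate Squid signs with) as a runnable script. This is an added example, not code from the thread or from Squid; it assumes Squid is reached as an explicit forward proxy (HTTP CONNECT), and the proxy address, target host and CA PEM path are hypothetical command-line inputs.

```python
import hashlib
import socket
import ssl
import sys


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form 'openssl x509 -fingerprint' prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of a PEM certificate, e.g. the CA Squid signs generated certs with."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def same_certificate(leaf_der: bytes, ca_pem: str) -> bool:
    """True when the client was handed the CA certificate itself, not a generated leaf."""
    return der_fingerprint(leaf_der) == pem_fingerprint(ca_pem)


def fetch_bumped_leaf_der(proxy_host: str, proxy_port: int, target_host: str, target_port: int = 443) -> bytes:
    """CONNECT through the proxy, handshake TLS, and return the DER leaf cert the
    proxy presents for target_host. Verification is off on purpose: the point is
    to see the certificate even when it is the wrong one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((proxy_host, proxy_port), timeout=10) as raw:
        raw.sendall(f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                    f"Host: {target_host}:{target_port}\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:  # read the proxy's status line and headers
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            reply += chunk
        status = reply.split(b"\r\n", 1)[0]
        if b" 200 " not in status:
            raise ConnectionError(f"CONNECT refused: {status!r}")
        with ctx.wrap_socket(raw, server_hostname=target_host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":  # args (hypothetical): PROXY_HOST PROXY_PORT TARGET_HOST CA_PEM_FILE
    leaf = fetch_bumped_leaf_der(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    ca_pem = open(sys.argv[4]).read()
    print("client got :", der_fingerprint(leaf))
    print("signing CA :", pem_fingerprint(ca_pem))
    print("same certificate" if same_certificate(leaf, ca_pem) else "different certificate (a generated leaf)")
```

For an intercepting (transparent) setup, connect straight to the target instead of sending CONNECT; the fingerprint comparison is unchanged.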


Re: [squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

2021-01-13 Thread Eliezer Croitoru
squid -v

output might help to understand a bit.

I do not know if the helper is the one that does that, but it's a matter of
permissions or FD limits.
This is as far as I know.

If you or anyone has the option to create a full Kerberos lab, it might help to
re-create this issue.

I can create the basic Debian machine but not the whole Kerberos setup in a sec.

Eliezer



Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email:   ngtech1...@gmail.com

Zoom: Coming soon


From: squid-users On Behalf Of David Touzeau
Sent: Wednesday, January 13, 2021 4:17 PM
To: 'Squid Users'
Subject: [squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted


Hi

This error is generated every 15 minutes when using any authenticator helper
(ntlm, kerberos...)

Is there a way to investigate this issue?

kidxx| WARNING: no_suid: setuid(0): (1) Operation not permitted

Sometimes, after rebooting the system, the issue is fixed for an undetermined
period.

Using squid 4.13 on Debian 10 Intel 64 bits.

regards





[squid-users] Squid vs. Telegram

2021-01-13 Thread Ralf Hildebrandt
Recently I'm having issues connecting to Telegram (or rather keeping
a connection).

My log is filled with lots of

TCP_MISS/502 3925 POST http://149.154.167.92/api - HIER_DIRECT/149.154.167.92 
text/html

and

TCP_MISS_ABORTED/000 0 POST http://149.154.167.92/api - 
HIER_DIRECT/149.154.167.92

and the like. I know Telegram has a huge influx of new users, probably due
to the recent changes in WhatsApp. But is what I'm seeing normal?

---
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de


[squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

2021-01-13 Thread Dieter Bloms
Hello,

the wiki of squid cache project (wiki.squid-cache.org) has an incomplete
certificate chain.
I can't access the website with enabled sslbump and tlsv1.3 support,
because squid isn't able to download the missing intermediate
certificate on its own.

The administrator of that website should add the intermediate
certificate.

More info can be seen here:
https://www.ssllabs.com/ssltest/analyze.html?d=wiki.squid%2dcache.org


-- 
Regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


[squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

2021-01-13 Thread David Touzeau


Hi

This error is generated every 15 minutes when using any authenticator 
helper (ntlm, kerberos...)


Is there a way to investigate this issue?

kidxx| WARNING: no_suid: setuid(0): (1) Operation not permitted

Sometimes, after rebooting the system, the issue is fixed for an
undetermined period.


Using squid 4.13 on Debian 10 Intel 64 bits.

regards

