Re: [squid-users] logging to syslog
Also, it's a bit off-topic, but I think it's a good idea that another user greps the information out of the access.log instead of letting the access.log write directly into syslog. In my eyes it's more secure.

Best Regards
Sebastian

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] logging to syslog
Hi Avraham,

1. Please do not contact me directly, use the mailing list.

I read the sentences you wrote to me again. Do you really want squid to log the things that would go in access.log to your /var/log/syslog (default Debian path), or do you just want to see what is written in the access.log? For changing the location / the way that squid logs the access entries, read 2.; if not, the default path of the access log is /usr/local/squid/var/logs/access.log.

2. As you could see in what Yuri Voinov wrote:

> #
> #udp   To send each log line as text data to a UDP receiver.
> #      Place: The destination host name or IP and port.
> #      Place Format: //host:port
> #
> #tcp   To send each log line as text data to a TCP receiver.
> #      Lines may be accumulated before sending (see buffered_logs).
> #      Place: The destination host name or IP and port.
> #      Place Format: //host:port
> #
> #Default:
> #access_log daemon:/var/log/squid/access.log squid
> #Default:
> # access_log daemon:/var/log/squid/access.log squid

This is snipped from the squid configuration documents on the squid page (http://www.squid-cache.org/Doc/config/access_log/). You could try (I didn't do it before) to use syslog as module and insert it in your squid.conf.

Best Regards
Sebastian

From: Avraham Serour [mailto:tovm...@gmail.com]
Sent: Wednesday, 11 November 2015 11:48
To: Sebastian Kirschner
Subject: Re: [squid-users] logging to syslog

I'm actually using rsyslog, it comes with ubuntu. In any case my conf for now is:

template(name="lesquid_accessFormat" type="string" string="programname=%programname% %msg%\n")
action(type="omfile" dirCreateMode="0700" FileCreateMode="0644" File="/var/log/messages" template="lesquid_accessFormat")

Then I tail the /var/log/messages file and check what happens when I make a request using the proxy.

On Wed, Nov 11, 2015 at 12:09 PM, Avraham Serour wrote:

So where should the symlink be? What is the default unix socket path that squid tried to use?

On Wed, Nov 11, 2015 at 10:11 AM, Sebastian Kirschner wrote:

Hi Avraham,

I think it wouldn't be a good idea to just create a symlink, because squid (or the user under which squid runs) then must have access to the syslog, and if your squid instance gets compromised, the syslog is open to read for that one.

Best Regards
Sebastian
Re: [squid-users] logging to syslog
Hi Avraham,

I think it wouldn't be a good idea to just create a symlink, because squid (or the user under which squid runs) then must have access to the syslog, and if your squid instance gets compromised, the syslog is open to read for that one.

Best Regards
Sebastian
Re: [squid-users] SSL bumping without faked server certificates
Hi Stefan,

I think it would be better to peek at step1 (then you have the client SNI) and at step2 you could bump or splice.

Your config:

> My assumption is that I have to use in Squid's config:
> https_port :3443 intercept ssl-bump cert=
> key=
> acl MYSITE ssl:server_name .mydomain.com
> ssl_bump bump MYSITE
> ssl_bump splice all

A better way might be:

# acl step1 at_step SslBump1
# acl MYSITE ssl:server_name .mydomain.com
#
# ssl_bump peek step1
# ssl_bump bump MYSITE
# ssl_bump splice all

Best Regards
Sebastian
Re: [squid-users] Ssl-Bump and revoked server certificates
Hi,

Given my missing programming skills it is hard for me to understand the code. Regardless of that, I have a suggestion that could be added to the code; hope it would work.

This should add a "variable" SNI; this should be "called" from cert_validate_message.h/.cc and appended as a new line between host and proto_version to the external validator. The code between the ** ** is my suggestion.

    if (Ssl::TheConfig.ssl_crt_validator) {
        Ssl::CertValidationRequest validationRequest;
        // WARNING: Currently we do not use any locking for any of the
        // members of the Ssl::CertValidationRequest class. In this code the
        // Ssl::CertValidationRequest object used only to pass data to
        // Ssl::CertValidationHelper::submit method.
        validationRequest.ssl = ssl;
        validationRequest.domainName = request->GetHost();
        ** validationRequest.SNI = sniServer; **

    public:
        SSL *ssl;
        CertErrors *errors;      ///< The list of errors detected
        std::string domainName;  ///< The server name
        ** std::string SNI;     ///< The server name from SNI **
        CertValidationRequest() : ssl(NULL), errors(NULL) {}
    };

    body.clear();
    body += Ssl::CertValidationMsg::param_host + "=" + vcert.domainName;
    STACK_OF(X509) *peerCerts = static_cast<STACK_OF(X509) *>(SSL_get_ex_data(vcert.ssl, ssl_ex_index_ssl_cert_chain));
    ** body += "\n" + Ssl::CertValidationMsg::param_SNI + "=" + vcert.SNI; **
    if (const char *sslVersion = SSL_get_version(vcert.ssl))
        body += "\n" + Ssl::CertValidationMsg::param_proto_version + "=" + sslVersion;

Best Regards
Sebastian
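The following is an added example written for this page; it is neither Squid code nor the patch proposed in the post above. It parses the key=value request body that the quoted C++ builds for an sslcrtvalidator_program helper ("host=" first, "proto_version=" later, one field per line) and then checks whether the CONNECT-level host and the TLS SNI agree, which is the gap the post is trying to close. Two assumptions: the key name "sni=" for the proposed field is chosen here and is treated as optional, since an unpatched Squid never sends it; and cert_N values are taken to be multi-line PEM blocks, so the parser joins lines until the END marker instead of splitting them.

```python
"""Parse the key=value body Squid hands to an external certificate
validator and check whether the CONNECT host and the TLS SNI agree.

Added example for this page; not Squid code and not the poster's patch.
Assumptions: "sni=" is the (assumed) key for the proposed field and is
optional; cert_N values are PEM blocks spanning several lines.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ValidationRequest:
    host: str                       # param_host: domain taken from CONNECT
    proto_version: Optional[str]    # param_proto_version, e.g. "TLSv1.2"
    sni: Optional[str]              # proposed field: name from the ClientHello
    certs: List[str]                # cert_0, cert_1, ... as PEM text
    extra: Dict[str, str] = field(default_factory=dict)


def parse_request_body(body: str) -> ValidationRequest:
    """Split the body into fields, keeping multi-line PEM values intact."""
    fields: Dict[str, str] = {}
    key = ""            # key whose PEM value is still being collected
    pem_open = False
    for line in body.split("\n"):
        if pem_open:
            fields[key] += "\n" + line
            if line.startswith("-----END "):
                pem_open = False
            continue
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed line: {line!r}")
        if key in fields:
            raise ValueError(f"duplicate key: {key}")
        fields[key] = value
        pem_open = value.startswith("-----BEGIN ")
    if pem_open:
        raise ValueError("unterminated PEM block")
    if "host" not in fields:
        raise ValueError("host= is mandatory")

    certs: List[str] = []
    while f"cert_{len(certs)}" in fields:
        certs.append(fields.pop(f"cert_{len(certs)}"))
    return ValidationRequest(
        host=fields.pop("host"),
        proto_version=fields.pop("proto_version", None),
        sni=fields.pop("sni", None),
        certs=certs,
        extra=fields,
    )


def names_agree(req: ValidationRequest) -> Optional[bool]:
    """True/False when both names are present, None when no SNI was sent.

    A validator that only sees host= checks the name the client put in the
    CONNECT request; the SNI is what the TLS layer actually asked for, so a
    disagreement is worth flagging before the certificate is accepted.
    """
    if req.sni is None:
        return None

    def norm(name: str) -> str:
        return name.rstrip(".").lower()

    return norm(req.host) == norm(req.sni)


# Constructed sample body (not captured from a real Squid); the PEM block
# is a placeholder, not a real certificate.
SAMPLE_BODY = (
    "host=www.example.com\n"
    "sni=cdn.example.net\n"
    "proto_version=TLSv1.2\n"
    "cert_0=-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERBASE64==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    req = parse_request_body(SAMPLE_BODY)
    print(f"host={req.host} sni={req.sni} proto={req.proto_version} "
          f"certs={len(req.certs)} names_agree={names_agree(req)}")
```

Run as a script it prints the parsed fields for the constructed body and reports that the two names disagree; a helper built on this would treat None (no SNI field) as "only the CONNECT name is known" rather than as agreement.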
Re: [squid-users] squid: ERROR: Could not send signal 1 to process 4711: (1) Operation not permitted
Dear Cheikhou,

1. Please don't reply to me directly, answer to the list.
2. Could you post the owner, group and access rights of the .pid file (like with the command ls -l)?

Best Regards
Sebastian

-----Original Message-----
From: Cheikhou Dramé
Sent: Thursday, 29 October 2015 16:01
To: Sebastian Kirschner
Subject: Re: [squid-users] squid: ERROR: Could not send signal 1 to process 4711: (1) Operation not permitted

The file is /var/run/squid.pid. I changed the owner from root to the squid user but I still have the error.

On 29.10.2015 14:23, Sebastian Kirschner wrote:
> Hi Cheikhou,
>
> sounds like wrong access rights for the .pid file, the default is
> /usr/local/squid/var/run/${service_name}.pid , if you can't find it there
> have a look in your squid.conf, maybe you set it to another location.
>
> Maybe I'm wrong but your PID file should be accessible from user squid
> because it's running under squid.
>
>
> Best Regards
> Sebastian
Re: [squid-users] squid: ERROR: Could not send signal 1 to process 4711: (1) Operation not permitted
Hi Cheikhou,

sounds like wrong access rights for the .pid file, the default is /usr/local/squid/var/run/${service_name}.pid , if you can't find it there have a look in your squid.conf, maybe you set it to another location.

Maybe I'm wrong but your PID file should be accessible from user squid because it's running under squid.

Best Regards
Sebastian
Re: [squid-users] Ssl-Bump and revoked server certificates
Hi Amos,

> You may need to use key_extras feature for now to send the SNI logformat
> value explicitly in a new key=value field.

Could you give me a hint where I can find information about that? I searched in the Wiki and Google but only found a possibility of sending key_extras for auth_param; also, if it's possible, how / where could I search for the "value" names like "sni-send-from-client"?

> Or you could look at making a patch to send the SNI instead of HTTP level
> "domain" from the CONNECT. Any help getting these annoyances out
> of the way is very welcome.

Um, to do that I would have to understand how it works at the moment and see the code. Could I find it on GitHub?

Best Regards
Sebastian
Re: [squid-users] Ssl-Bump and revoked server certificates
e-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
icp_port 0
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language de-de
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname pfsense.onesty-tech.loc
cache_mgr ad...@pfsense-onesty.loc
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/
logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)
acl localnet src 192.168.1.0/24

uri_whitespace strip

# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.1.0/24

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

# Package Integration
url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0

# Custom options before auth
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump bump all
sslcrtvalidator_program cache=8192 ttl=240 /tmpfs/main.sh
#sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet

# Default block all to be sure
http_access deny allsrc

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all

Kind Regards / Best Regards
Sebastian Kirschner
Re: [squid-users] Ssl-Bump and revoked server certificates
Hi Amos,

thanks for your reply. Maybe we have a misunderstanding or I have a "false" opinion of the sentence I quoted before. I thought you could tell me which checks would definitely be performed in a "standard" installation with OpenSSL, not only that you believe that the X.509 certificate syntax and properties would be checked for correctness, and the signer.

I'm sorry for this remark, but for me it's important to know which checks are performed, to prevent another check of the same thing that slows down the "process".

Another question regarding the options of "sslcrtvalidator_program", ttl: "TTL in seconds for cached results. The default is 60 secs". Do the cached results refer to the sslhost? For example, I configured that the TTL is 12 hours. A request from Client A is performed to https://www.google.com, the validator reports back to squid that the certificate is ok and the connection would be spliced/bumped; 1 hour later Client B performs a request again to https://www.google.com. Would squid use the "cached" answer from the validator?

And another question regarding the cache option. What from the response would be cached, the complete one or maybe only the sslhost and response code? Would it be defined as bytes, in the way the validator and squid speak?

--
Message: 4
Date: Thu, 22 Oct 2015 22:41:43 +1300
From: Amos Jeffries
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Ssl-Bump and revoked server certificates
Message-ID: <5628af57.6060...@treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 22/10/2015 7:22 p.m., Sebastian Kirschner wrote:
> Hi,
>
> I have a question regarding the SSL Server Certificate Validator.
>
> In the Wiki is written:
> "The helper will be optionally consulted after an internal OpenSSL validation
> we do now, regardless of that validation results."
>
> What checks does the internal validation include ?

The "internal" validation is done by OpenSSL library. So whatever it is doing based on the configuration you give it.

I believe that includes X.509 certificate syntax validity, and X.509 properties validity in light of the TLS extensions negotiated on the connection, and a check the cert was signed by one of the system default Trusted-CA authorities (unless flags=NO_DEFAULT_CA was used) or a custom CA you loaded (with cafile=/capath= options).

There may be more (or less) happening but that is the bulk of it. And all inside OpenSSL so we can't easily debug the what/when/how of it when the output messages are obscure.

Amos
--
[squid-users] Recall: squid-users Digest, Vol 14, Issue 73
Sebastian Kirschner would like to recall the message "squid-users Digest, Vol 14, Issue 73".
Re: [squid-users] Ssl-Bump and revoked server certificates
Hi,

I have a question regarding the SSL Server Certificate Validator.

In the Wiki is written:
"The helper will be optionally consulted after an internal OpenSSL validation we do now, regardless of that validation results."

What checks does the internal validation include? Couldn't find any information about that.

Best Regards
Sebastian Kirschner
Re: [squid-users] Ssl-Bump and revoked server certificates
Hi Walter,

do you have an update regarding your correct certificate validator?

Kind Regards / Best Regards
Sebastian Kirschner
Re: [squid-users] Squid ignores crlfile options
Thanks Amos for the reply, I will trim the config with your recommendations, but a few questions exist on my side.

"If you mean it to be used to verify the *server* certificates then you need to configure sslproxy_crlfile instead."

I guess that was what I'm looking for :-), but I couldn't find something about that configuration directive on the squid doc configuration site, and my squid ignores the option because it's unrecognized.

"> request_body_max_size 0 KB
Seriously? POST and PUT are forbidden to send data anywhere?"

Should the value be ignored because it's a zero? Here the part of the Squid configuration document: "If you set this parameter to a zero (the default), there will be no limit imposed."

"build-info requires a string. Whoever provided this package needs to fix that."

I was the builder :-), could you give me a hint about that?

Kind Regards / Best Regards
Sebastian

Message: 4
Date: Fri, 2 Oct 2015 02:51:56 +1300
From: Amos Jeffries
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid ignores crlfile options
Message-ID: <560d3a7c.2020...@treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 1/10/2015 11:54 p.m., Sebastian Kirschner wrote:
> Hi
>
> I'm using squid (3.5.9) as transparent https proxy with build options (see
> below) and config (see below, I removed some uninteresting things from the
> config like caching).
>
> To get the system more secure I would like to add crl checking (at the moment
> static, later maybe dynamic if it's possible with my skills :-) ) and ocsp
> (later).
> I'm using the site https://revoked.grc.com/ to test my config.
> To do it I downloaded the certificate from the site, checked if a CRL URI is
> available and downloaded the crl.
> Converted the format of the crl from DER to pem and inserted it in my squid.conf
> "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".
>
> I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is
> revoked in the crl.
>
> But why does squid seem to ignore the crlfile option / file ?

Because it is only relevant on http(s)_port when there is TLS client certificate authentication being verified. You do not have that configured.

> Also I tested to use the crl in DER format but it still wouldn't work, even
> didn't see an error in the log when the file isn't available.

It is not even loaded unless the clientca= is configured. Which turns on client cert authentication.

If you mean it to be used to verify the *server* certificates then you need to configure sslproxy_crlfile instead.

> #config
> http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
> capath=/usr/pbi/squid-amd64/local/share/certs/
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> http_port 127.0.0.1:3128 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
> capath=/usr/pbi/squid-amd64/local/share/certs/
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> https_port 127.0.0.1:3129 intercept ssl-bump
> generate-host-certificates=on dynamic_cert_mem_cache_size=10MB
> cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem
> capath=/usr/pbi/squid-amd64/local/share/certs/
> crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> icp_port 0

This is a default, remove the icp_port line.

> dns_v4_first on
> pid_filename /var/run/squid/squid.pid

This is a default, remove the pid_filename line.

> cache_effective_user proxy
> cache_effective_group proxy

Check your build options (squid -v), your proxy is built to use the account 'squid'. It is usually a good idea to stick with the

> error_default_language de-de
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname pfsense

visible_hostname needs to be FQDN and publicly resolvable. It is the DNS hostname people use to access your proxy for those icons you configured (amongst other things).

> cache_mgr ad...@pfsense-onesty.loc
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none

This is a default, remove the cache_store_log line.

> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

This is probably a default too, if so remove the pinger lines. It will run unless disabled.

> sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s
> /var/squid/lib/ssl_db -M 4MB -b 2048
> sslcrtd_children 5
>
> logfile_rotate 7
> debug_options rotate=7
> s
[squid-users] Squid ignores crlfile options
Hi

I'm using squid (3.5.9) as transparent https proxy with build options (see below) and config (see below, I removed some uninteresting things from the config like caching).

To get the system more secure I would like to add crl checking (at the moment static, later maybe dynamic if it's possible with my skills :-) ) and ocsp (later).
I'm using the site https://revoked.grc.com/ to test my config.
To do it I downloaded the certificate from the site, checked if a CRL URI is available and downloaded the crl. Converted the format of the crl from DER to pem and inserted it in my squid.conf: "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".

I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is revoked in the crl.

But why does squid seem to ignore the crlfile option / file?
Also I tested to use the crl in DER format but it still wouldn't work, even didn't see an error in the log when the file isn't available.

#logfile
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1684) doCallouts: Doing calloutContext->hostHeaderVerify()
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1691) doCallouts: Doing calloutContext->clientAccessCheck()
2015/10/01 12:40:45.017 kid1| 83,3| client_side_request.cc(1712) doCallouts: Doing calloutContext->clientRedirectStart()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1720) doCallouts: Doing calloutContext->clientAccessCheck2()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1739) doCallouts: Doing clientInterpretRequestHeaders()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1748) doCallouts: Doing calloutContext->checkNoCache()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1528) sslBumpNeed: sslBump required: peek
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1830) doCallouts: calling processRequest()
2015/10/01 12:40:45.025 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 104(6000, 0x7fffe51c)
2015/10/01 12:40:45.026 kid1| 83,5| client_side.cc(4267) clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 11 bytes
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 bytes of TLS client Hello
2015/10/01 12:40:45.026 kid1| 83,2| client_side.cc(4270) clientPeekAndSpliceSSL: SSL_accept failed.
2015/10/01 12:40:45.040 kid1| 83,5| client_side.cc(4267) clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 11 bytes
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 bytes of TLS client Hello
2015/10/01 12:40:45.041 kid1| 83,2| client_side.cc(4270) clientPeekAndSpliceSSL: SSL_accept failed.
2015/10/01 12:40:45.041 kid1| 83,5| client_side.cc(4284) clientPeekAndSpliceSSL: I got hello. Start forwarding the request!!!
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 104(6001, 0x7fffe4bc)
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(95) write: FD 15 wrote 357 <= 357
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 7
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 7 <= 7
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 6(0, 0x8077e5f90)
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1453 <= 4368
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 1455
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.586 kid1| 83,5| bio.cc(118) read: FD 15 read 1455 <= 1455
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,4| support.cc(211) check_domain: Verifying server domain revoked.grc.com to certificate name/subjectAltName revoked.grc.com
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(95) write: FD 15 wrote 182 <= 182
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 11(0, 0x0)
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 5
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(123) rea
Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/
.15:443 remote=client.ip.adress:57125 flags=33
2015/09/28 14:25:28.966 kid1| 33,4| ServerBump.cc(44) ~ServerBump: destroying
2015/09/28 14:25:28.966 kid1| 33,4| ServerBump.cc(46) ~ServerBump: e:=sp2XDIV/0x804ba8180*1
2015/09/28 14:25:28.967 kid1| 93,5| AsyncJob.cc(40) ~AsyncJob: AsyncJob destructed, this=0x804b6e960 type=Http::Server [job6]
2015/09/28 14:25:28.967 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving ConnStateData::connStateClosed(FD -1, data=0x804b6e798)
2015/09/28 14:25:28.967 kid1| 5,4| AsyncCallQueue.cc(55) fireNext: entering comm_close_complete(FD 11)
2015/09/28 14:25:28.967 kid1| 5,4| AsyncCall.cc(38) make: make call comm_close_complete [call187]
2015/09/28 14:25:28.968 kid1| 51,3| fd.cc(93) fd_close: fd_close FD 11 client https start
2015/09/28 14:25:28.968 kid1| 5,5| ModPoll.cc(131) SetSelect: FD 11, type=1, handler=0, client_data=0x0, timeout=0
2015/09/28 14:25:28.968 kid1| 5,5| ModPoll.cc(131) SetSelect: FD 11, type=2, handler=0, client_data=0x0, timeout=0
2015/09/28 14:25:28.968 kid1| 5,5| AcceptLimiter.cc(55) kick: size=0
2015/09/28 14:25:28.968 kid1| 5,4| AsyncCallQueue.cc(57) fireNext: leaving comm_close_complete(FD 11)
2015/09/28 14:25:29.030 kid1| 5,5| ModPoll.cc(435) DoSelect: comm_poll: 1+0 FDs ready
2015/09/28 14:25:29.031 kid1| 5,3| Read.cc(144) HandleRead: FD 7, size 4095, retval 4095, errno 0
2015/09/28 14:25:29.031 kid1| 5,3| IoCallback.cc(116) finish: called for local=[::] remote=[::] FD 7 flags=1 (0, 0)
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCall.cc(93) ScheduleCall: IoCallback.cc(135) will call helperHandleRead(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=4095, buf=0x804c0b000) [call3]
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCallQueue.cc(55) fireNext: entering helperHandleRead(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=4095, buf=0x804c0b000)
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCall.cc(38) make: make call helperHandleRead [call3]
2015/09/28 14:25:29.031 kid1| 84,5| helper.cc(866) helperHandleRead: helperHandleRead: 4095 bytes from ssl_crtd #Hlpr1
2015/09/28 14:25:29.031 kid1| 84,3| helper.cc(924) helperHandleRead: Grew read buffer to 8192
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCall.cc(26) AsyncCall: The AsyncCall helperHandleRead constructed, this=0x8076eb600 [call188]
2015/09/28 14:25:29.031 kid1| 5,5| Read.cc(58) comm_read_base: comm_read, queueing read for local=[::] remote=[::] FD 7 flags=1; asynCall 0x8076eb600*1
2015/09/28 14:25:29.031 kid1| 5,5| ModPoll.cc(131) SetSelect: FD 7, type=1, handler=1, client_data=0x8068003c0, timeout=0
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCallQueue.cc(57) fireNext: leaving helperHandleRead(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=4095, buf=0x804c0b000)
2015/09/28 14:25:29.031 kid1| 5,5| ModPoll.cc(435) DoSelect: comm_poll: 1+0 FDs ready
2015/09/28 14:25:29.031 kid1| 5,3| Read.cc(144) HandleRead: FD 7, size 4096, retval 1540, errno 0
2015/09/28 14:25:29.031 kid1| 5,3| IoCallback.cc(116) finish: called for local=[::] remote=[::] FD 7 flags=1 (0, 0)
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCall.cc(93) ScheduleCall: IoCallback.cc(135) will call helperHandleRead(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=1540, buf=0x804bfbfff) [call188]
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCallQueue.cc(55) fireNext: entering helperHandleRead(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=1540, buf=0x804bfbfff)
2015/09/28 14:25:29.031 kid1| 5,4| AsyncCall.cc(38) make: make call helperHandleRead [call188]
2015/09/28 14:25:29.032 kid1| 84,5| helper.cc(866) helperHandleRead: helperHandleRead: 1540 bytes from ssl_crtd #Hlpr1
2015/09/28 14:25:29.032 kid1| 84,3| helper.cc(892) helperHandleRead: helperHandleRead: end of reply found
2015/09/28 14:25:29.032 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 5
2015/09/28 14:25:29.032 kid1| 5,4| AsyncCall.cc(26) AsyncCall: The AsyncCall helperHandleRead constructed, this=0x804960080 [call189]
2015/09/28 14:25:29.032 kid1| 5,5| Read.cc(58) comm_read_base: comm_read, queueing read for local=[::] remote=[::] FD 7 flags=1; asynCall 0x804960080*1
2015/09/28 14:25:29.032 kid1| 5,5| ModPoll.cc(131) SetSelect: FD 7, type=1, handler=1, client_data=0x8068003c0, timeout=0
2015/09/28 14:25:29.032 kid1| 5,4| AsyncCallQueue.cc(57) fireNext: leaving helperHandleRead(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=1540, buf=0x804bfbfff)

Kind Regards / Best Regards
Sebastian Kirschner
Re: [squid-users] RE Peek and Splice error SSL_accept failed
>Is that all sites or just a few special sites?
>James

I tested a few sites like google, youtube, sparkasse, sparklabs, all with the same issue.

Kind regards / Best Regards
Sebastian
[squid-users] RE Peek and Splice error SSL_accept failed
Hi,

I minimized the configuration a little bit (you can see it at the bottom of this message). Also I still try to understand why these errors happen. I increased the debug level and saw that squid tried 48 times to peek but failed. At the end it says that it got a "Hello"; does it mean that squid received the "Hello" after 48 tries? If yes, why does it need so many tries?

-> Part of debug log <-
2015/07/24 11:05:42.866 kid1| client_side.cc(4242) clientPeekAndSpliceSSL: Start peek and splice on FD 11
2015/07/24 11:05:42.866 kid1| bio.cc(120) read: FD 11 read 11 <= 11
2015/07/24 11:05:42.866 kid1| bio.cc(146) readAndBuffer: read 11 out of 11 bytes
2015/07/24 11:05:42.866 kid1| bio.cc(150) readAndBuffer: recorded 11 bytes of TLS client Hello
2015/07/24 11:05:42.866 kid1| ModEpoll.cc(116) SetSelect: FD 11, type=1, handler=1, client_data=0x7effbd078458, timeout=0
2015/07/24 11:05:42.866 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
. . .
2015/07/24 11:05:42.874 kid1| client_side.cc(4242) clientPeekAndSpliceSSL: Start peek and splice on FD 11
2015/07/24 11:05:42.874 kid1| bio.cc(120) read: FD 11 read 6 <= 11
2015/07/24 11:05:42.874 kid1| bio.cc(146) readAndBuffer: read 6 out of 11 bytes
2015/07/24 11:05:42.874 kid1| bio.cc(150) readAndBuffer: recorded 6 bytes of TLS client Hello
2015/07/24 11:05:42.875 kid1| SBuf.cc(152) assign: SBuf2040 from c-string, n=0)
2015/07/24 11:05:42.875 kid1| SBuf.cc(152) assign: SBuf2038 from c-string, n=13)
2015/07/24 11:05:42.875 kid1| ModEpoll.cc(116) SetSelect: FD 11, type=1, handler=1, client_data=0x7effbd078458, timeout=0
2015/07/24 11:05:42.875 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
2015/07/24 11:05:42.875 kid1| SBuf.cc(152) assign: SBuf2025 from c-string, n=4294967295)
2015/07/24 11:05:42.875 kid1| client_side.cc(4259) clientPeekAndSpliceSSL: I got hello. Start forwarding the request!!!
-> new configuration <-
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# Listening Ports
http_port 127.0.0.1:3120
http_port 192.168.1.104:3128 intercept
https_port 192.168.1.104:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid3/ssl_cert/myCA.pem
# some configuration options
cache_effective_user proxy
cache_effective_group proxy
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
pinger_enable on
pinger_program /lib/squid3/pinger
sslproxy_capath /etc/ssl/certs
sslcrtd_program /lib/squid3/ssl_crtd -s /var/squid/certs -M 4MB -b 2048
#ACLs
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl bypass ssl::server_name www.google.de
ssl_bump peek step1
ssl_bump splice bypass step2
ssl_bump bump all
# Debugging if needed
debug_options all,6 6,0 16,0 18,0 19,0 20,0 32,0 47,0 79,0 90,0 92,0
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid3
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Kind regards / Best Regards
Sebastian
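To answer "how many tries and how many bytes did a connection need before the Hello was complete" directly from a cache.log like the one above, here is an added example (not from the thread or from Squid) that walks the peek-and-splice lines per FD: it counts "Start peek and splice" attempts, "SSL_accept failed" lines and the "recorded N bytes of TLS client Hello" totals until "I got hello". The sample lines are constructed after the excerpt above, with an extra FD 12 that never completes so the report can flag it; since the "SSL_accept failed" line carries no FD, the script attributes it to the most recent "Start peek and splice" line.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the cache.log excerpt in this thread; FD 12 is an
# added connection whose peek fails and never reaches "I got hello".
SAMPLE_LOG = """\
2015/07/24 11:05:42.866 kid1| client_side.cc(4242) clientPeekAndSpliceSSL: Start peek and splice on FD 11
2015/07/24 11:05:42.866 kid1| bio.cc(150) readAndBuffer: recorded 11 bytes of TLS client Hello
2015/07/24 11:05:42.866 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
2015/07/24 11:05:42.874 kid1| client_side.cc(4242) clientPeekAndSpliceSSL: Start peek and splice on FD 11
2015/07/24 11:05:42.874 kid1| bio.cc(150) readAndBuffer: recorded 6 bytes of TLS client Hello
2015/07/24 11:05:42.875 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
2015/07/24 11:05:42.875 kid1| client_side.cc(4259) clientPeekAndSpliceSSL: I got hello. Start forwarding the request!!!
2015/07/24 11:05:43.001 kid1| client_side.cc(4242) clientPeekAndSpliceSSL: Start peek and splice on FD 12
2015/07/24 11:05:43.001 kid1| bio.cc(150) readAndBuffer: recorded 5 bytes of TLS client Hello
2015/07/24 11:05:43.001 kid1| client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed.
"""

START_RE = re.compile(r"clientPeekAndSpliceSSL: Start peek and splice on FD (\d+)")
RECORDED_RE = re.compile(r"readAndBuffer: recorded (\d+) bytes of TLS client Hello")
FAILED_RE = re.compile(r"clientPeekAndSpliceSSL: SSL_accept failed")
GOT_HELLO_RE = re.compile(r"clientPeekAndSpliceSSL: I got hello")

def summarize_peek(log_text):
    """Per-FD counters: peek attempts, SSL_accept failures, ClientHello bytes
    buffered so far, and whether the hello was eventually completed."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0,
                                 "hello_bytes": 0, "got_hello": False})
    fd = None  # "SSL_accept failed" carries no FD: attribute it to the last Start line
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            fd = int(m.group(1))
            stats[fd]["attempts"] += 1
            continue
        if fd is None:
            continue
        m = RECORDED_RE.search(line)
        if m:
            stats[fd]["hello_bytes"] += int(m.group(1))
        elif FAILED_RE.search(line):
            stats[fd]["failed"] += 1
        elif GOT_HELLO_RE.search(line):
            stats[fd]["got_hello"] = True
    return dict(stats)

def incomplete_fds(stats):
    """FDs with SSL_accept failures that never reached 'I got hello'."""
    return sorted(fd for fd, s in stats.items() if s["failed"] and not s["got_hello"])
```

Run it over a real cache.log written with the debug_options from the thread; FDs listed by incomplete_fds are the connections where the failed peeks were never followed by a completed ClientHello.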
[squid-users] Peek and Splice error SSL_accept failed
Hi,

I'm using squid version 3.5.6 on a debian test system. I try to bypass some sites using the "ssl::server_name" acl; to do that I need to peek the connection first to decide if it should be spliced or bumped. But if I use peek at Step 1, "client_side.cc(4245) clientPeekAndSpliceSSL: SSL_accept failed." errors appear in the cache.log.

Squid was built with the following options:
./configure --build=x86_64-linux-gnu \
 --prefix=/usr \
 --includedir=${prefix}/include \
 --mandir=${prefix}/share/man \
 --infodir=${prefix}/share/info \
 --sysconfdir=/etc \
 --localstatedir=/var \
 --libexecdir=${prefix}/lib/squid3 \
 --srcdir=. \
 --disable-maintainer-mode \
 --disable-dependency-tracking \
 --disable-silent-rules \
 --datadir=/usr/share/squid3 \
 --sysconfdir=/etc/squid3 \
 --mandir=/usr/share/man \
 --enable-inline \
 --disable-arch-native \
 --enable-async-io=8 \
 --enable-storeio=ufs,aufs,diskd,rock \
 --enable-removal-policies=lru,heap \
 --enable-delay-pools \
 --enable-cache-digests \
 --enable-icap-client \
 --enable-follow-x-forwarded-for \
 --enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB \
 --enable-auth-digest=file,LDAP \
 --enable-auth-negotiate=kerberos,wrapper \
 --enable-auth-ntlm=fake,smb_lm \
 --enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group \
 --enable-url-rewrite-helpers=fake \
 --enable-eui \
 --enable-esi \
 --enable-icmp \
 --enable-zph-qos \
 --enable-ecap \
 --disable-translation \
 --with-swapdir=/var/spool/squid3 \
 --with-logdir=/var/squid/logs \
 --with-pidfile=/var/run/squid3.pid \
 --with-filedescriptors=65536 \
 --with-large-files \
 --with-default-user=proxy \
 --with-openssl \
 --with-open-ssl=/etc/ssl/openssl.cnf \
 --enable-ssl-crtd \
 --enable-linux-netfilter \
 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' \
 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' \
 'CPPFLAGS=-D_FORTIFY_SOURCE=2' \
 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

The squid.conf:
http_port 192.168.1.104:3128 intercept
https_port 192.168.1.104:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/etc/squid3/ssl_cert/myCA.pem
http_port 127.0.0.1:3120
icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language de-de
visible_hostname pfsense
cache_mgr admin@test
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /lib/squid3/pinger
sslproxy_capath /etc/ssl/certs
sslcrtd_program /lib/squid3/ssl_crtd -s /var/squid/certs -M 4MB -b 2048
sslproxy_cert_error allow all
logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.1.0/24
forwarded_for on
uri_whitespace strip
cache_mem 30 MB
maximum_object_size_in_memory 128 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 400 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.1.0/24
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Debugging if needed
debug_options all,2 16,0 18,0 19,0 22,0 47,0 79,0
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc
acl step1 at_step SslBump1
acl step3 at_step SslBump3
acl bypass ssl::server_name .sparkasse.de, .internet-filiale.net
ssl_bump peek step1
ssl_bump splice bypass
ssl_bump bump step3
always_direct allow all
ssl_bump bump all
ssl_bump server-first

Kind regards / Best Regards
Sebastian