Re: [squid-users] SSL_Bump not working correctly for IP destinations like https://1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello Alex,

thank you for the fast response.

On Thu, May 20, Alex Rousskov wrote:

> On 5/20/21 8:12 AM, Dieter Bloms wrote:
> 
> > I've a working setup with squid 4.14 and enabled sslbump under debian 
> > buster.
> > But when I try destinations like https://1.1.1.1/ I get an error 
> > ERR_CERT_COMMON_NAME_INVALID
> > 
> > The alternate DNS names in the certificate of the original webserver are:
> > 
> > X509v3 Subject Alternative Name: 
> > DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
> > 
> > for the client using the proxy with sslbump it looks like:
> > 
> > X509v3 Subject Alternative Name: 
> > DNS:1.1.1.1
> > 
> > so the SAN is a DNS entry and not an IP Address one.
> > I think it has to be something like this:
> > 
> > X509v3 Subject Alternative Name: 
> > IP Address:1.1.1.1
> > 
> > Can someone confirm this, or might I have a mistake in my squid configuration?
> 
> If this happens on an otherwise successful HTTP response (not an error
> page), then I would suspect a Squid bug (or insufficient support for
> X509v3 extensions).

The Chrome browser shows me this error page, but you are right, it is an
error page of squid with SQUID_X509_V_ERR_DOMAIN_MISMATCH.
So it looks like insufficient support for X509v3 extensions.
I filed a bug report: https://bugs.squid-cache.org/show_bug.cgi?id=5130

> > Here are some sslbump related details of my config:
> > 
> > http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> > sslcrtd_children 32 startup=10 idle=3
> > tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> > ssl_bump peek step1
> > ssl_bump stare all
> > ssl_bump bump all

-- 
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] SSL_Bump not working correctly for IP destinations like https://1.1.1.1/

2021-05-20 Thread Dieter Bloms
Hello,

I've a working setup with squid 4.14 and enabled sslbump under debian buster.
But when I try destinations like https://1.1.1.1/ I get an error 
ERR_CERT_COMMON_NAME_INVALID

The alternate DNS names in the certificate of the original webserver are:

X509v3 Subject Alternative Name: 
DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400

for the client using the proxy with sslbump it looks like:

X509v3 Subject Alternative Name: 
DNS:1.1.1.1

so the SAN is a DNS entry and not an IP Address one.
I think it has to be something like this:

X509v3 Subject Alternative Name: 
IP Address:1.1.1.1

Can someone confirm this, or might I have a mistake in my squid configuration?

Here are some sslbump related details of my config:

http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
sslcrtd_children 32 startup=10 idle=3
tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all


-- 
Regards

  Dieter

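The mismatch described in the post above, as an added example that is neither Squid's code nor from the thread: a pure-Python name check applying the RFC 5280 / RFC 6125 rule that an IP literal in the URL is matched only against iPAddress SAN entries, never against a dNSName that merely spells the address. The SAN strings are constructed from the values quoted in the thread (the truncated IPv6 entry is left out), so the origin certificate covers https://1.1.1.1/ while the mimicked DNS:1.1.1.1 one does not.

```python
import ipaddress

# Constructed from the SAN text quoted in the thread; the truncated
# "2606:4700:4700:0:0:0:0:" entry is omitted. Not Squid's own code.
ORIGIN_SAN = ("DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, "
              "IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, "
              "IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1001")
MIMICKED_SAN = "DNS:1.1.1.1"  # what the bumped (generated) certificate carried


def parse_san(text):
    """Turn OpenSSL 'X509v3 Subject Alternative Name' text into (kind, value) pairs."""
    entries = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            entries.append(("dns", value.lower().rstrip(".")))
        elif kind == "IP Address":
            entries.append(("ip", ipaddress.ip_address(value)))
    return entries


def dns_matches(pattern, host):
    """RFC 6125 style: a wildcard is allowed only as the whole leftmost label."""
    if pattern.startswith("*."):
        p_labels, h_labels = pattern[2:].split("."), host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def host_matches_san(host, san_text):
    """True if the URL host (DNS name or IP literal, optionally bracketed) is covered."""
    entries = parse_san(san_text)
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only iPAddress entries; dNSName "1.1.1.1" is
        # not an address and must not count, which is the DOMAIN_MISMATCH seen.
        return any(kind == "ip" and value == ip for kind, value in entries)
    host = host.lower().rstrip(".")
    return any(kind == "dns" and dns_matches(value, host) for kind, value in entries)
```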


Re: [squid-users] SSL_Bump not working correctly for IP destinations like https://1.1.1.1/

2021-05-20 Thread Alex Rousskov
On 5/20/21 8:12 AM, Dieter Bloms wrote:

> I've a working setup with squid 4.14 and enabled sslbump under debian buster.
> But when I try destinations like https://1.1.1.1/ I get an error 
> ERR_CERT_COMMON_NAME_INVALID
> 
> The alternate DNS names in the certificate of the original webserver are:
> 
> X509v3 Subject Alternative Name: 
> DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
> 
> for the client using the proxy with sslbump it looks like:
> 
> X509v3 Subject Alternative Name: 
> DNS:1.1.1.1
> 
> so the SAN is a DNS entry and not an IP Address one.
> I think it has to be something like this:
> 
> X509v3 Subject Alternative Name: 
> IP Address:1.1.1.1
> 
> Can someone confirm this, or might I have a mistake in my squid configuration?

If this happens on an otherwise successful HTTP response (not an error
page), then I would suspect a Squid bug (or insufficient support for
X509v3 extensions).

Alex.


> Here are some sslbump related details of my config:
> 
> http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> sslcrtd_children 32 startup=10 idle=3
> tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump bump all