[squid-users] sslBump and intercept
Hi.

This question is not directly related to my question from yesterday. I decided to intercept the HTTPS traffic on my production squids from proxy-unaware clients to be able to tell them there's a proxy and they should configure one. So I'm doing it like this (the process of forwarding using FreeBSD pf is not shown here):

===Cut===
acl unauthorized proxy_auth stringthatwillnevermatch
acl step1 at_step sslBump1

https_port 127.0.0.1:3131 intercept ssl-bump cert=/usr/local/etc/squid/certs/squid.cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB dhparams=/usr/local/etc/squid/certs/dhparam.pem
https_port [::1]:3131 intercept ssl-bump cert=/usr/local/etc/squid/certs/squid.cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB dhparams=/usr/local/etc/squid/certs/dhparam.pem

ssl_bump peek step1
ssl_bump bump unauthorized
ssl_bump splice all
===Cut===

Almost everything works, except that squid for some reason is generating certificates in this case for IP addresses, not names, so the browser shows a warning about the certificate being valid only for the IP, and not the name.

Am I doing something wrong?

Thanks.
Eugene.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] sslBump and intercept
On 13/11/2015 1:04 a.m., Steve Hill wrote:
> On 12/11/15 09:04, Eugene M. Zheganin wrote:
>
>> I decided to intercept the HTTPS traffic on my production squids from
>> proxy-unaware clients to be able to tell them there's a proxy and they
>> should configure one.
>> So I'm doing it like this (the process of forwarding using FreeBSD pf is not
>> shown here):
>>
>> ===Cut===
>> acl unauthorized proxy_auth stringthatwillnevermatch
>> acl step1 at_step sslBump1
>>
>> https_port 127.0.0.1:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>> https_port [::1]:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump splice all
>> ===Cut===
>>
>> Almost everything works, except that squid for some reason is generating
>> certificates in this case for IP addresses, not names, so the browser
>> shows a warning about the certificate being valid only for the IP, and not the name.
>
> proxy_auth won't work on intercepted traffic and will therefore always
> return false, so as far as I can see you're always going to peek and
> then splice. i.e. you're never going to bump, so squid should never be
> generating a forged certificate.
>
> You say that Squid _is_ generating a forged certificate, so something
> else is going on to cause it to do that. My first guess is that Squid
> is generating some kind of error page due to some http_access rules
> which you haven't listed, and is therefore bumping.
>
> Two possibilities spring to mind for the certificate being for the IP
> address rather than for the name:
> 1. The browser isn't bothering to include an SNI in the SSL handshake
> (use wireshark to confirm). In this case, Squid has no way to know what
> name to stick in the cert, so will just use the IP instead.
> 2. The bumping is happening in step 1 instead of step 2 for some reason.
> See: http://bugs.squid-cache.org/show_bug.cgi?id=4327
>

Use "debug_options ALL,0 33,5" to see what the ssl_bump access checks and related parts are doing.

Amos
Re: [squid-users] sslBump and intercept
On 13/11/2015 3:00 a.m., Yuri Voinov wrote:
>
> Read carefully - this is not a complete fix. Just a dirty hack. And will not
> guarantee it is fixed on _all_ platforms.

That bug is only relevant to Solaris. It is a hack, but a hack that all non-Solaris OS have been using for several decades without issues.

>
> 12.11.15 19:44, Eugene M. Zheganin wrote:
>> Hi,
>
>> On 12.11.2015 17:48, Yuri Voinov wrote:
>
>>> More probably this is bug
>>> http://bugs.squid-cache.org/show_bug.cgi?id=4188.
>>>
>> The page said it's fixed, and applied to 3.5. If it's already in 3.5.11,
>> then it's not it - I just tested 3.5.11, and the behavior is the same.
>

Yes, that bug was fixed in 3.5.11. At least as far as making Solaris act the same way all other OS do at the lowest I/O levels.

Amos
Re: [squid-users] sslBump and intercept
More probably this is bug http://bugs.squid-cache.org/show_bug.cgi?id=4188.

12.11.15 18:04, Steve Hill wrote:
> On 12/11/15 09:04, Eugene M. Zheganin wrote:
>
>> I decided to intercept the HTTPS traffic on my production squids from
>> proxy-unaware clients to be able to tell them there's a proxy and they
>> should configure one.
>> So I'm doing it like this (the process of forwarding using FreeBSD pf is not
>> shown here):
>>
>> ===Cut===
>> acl unauthorized proxy_auth stringthatwillnevermatch
>> acl step1 at_step sslBump1
>>
>> https_port 127.0.0.1:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>> https_port [::1]:3131 intercept ssl-bump
>> cert=/usr/local/etc/squid/certs/squid.cert.pem
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> dhparams=/usr/local/etc/squid/certs/dhparam.pem
>>
>> ssl_bump peek step1
>> ssl_bump bump unauthorized
>> ssl_bump splice all
>> ===Cut===
>>
>> Almost everything works, except that squid for some reason is generating
>> certificates in this case for IP addresses, not names, so the browser
>> shows a warning about the certificate being valid only for the IP, and not the name.
>
> proxy_auth won't work on intercepted traffic and will therefore always return false, so as far as I can see you're always going to peek and then splice. i.e. you're never going to bump, so squid should never be generating a forged certificate.
>
> You say that Squid _is_ generating a forged certificate, so something else is going on to cause it to do that. My first guess is that Squid is generating some kind of error page due to some http_access rules which you haven't listed, and is therefore bumping.
>
> Two possibilities spring to mind for the certificate being for the IP address rather than for the name:
> 1. The browser isn't bothering to include an SNI in the SSL handshake (use wireshark to confirm). In this case, Squid has no way to know what name to stick in the cert, so will just use the IP instead.
> 2. The bumping is happening in step 1 instead of step 2 for some reason. See: http://bugs.squid-cache.org/show_bug.cgi?id=4327
>
Re: [squid-users] sslBump and intercept
On 12/11/15 09:04, Eugene M. Zheganin wrote:
> I decided to intercept the HTTPS traffic on my production squids from proxy-unaware clients to be able to tell them there's a proxy and they should configure one. So I'm doing it like this (the process of forwarding using FreeBSD pf is not shown here):
>
> ===Cut===
> acl unauthorized proxy_auth stringthatwillnevermatch
> acl step1 at_step sslBump1
>
> https_port 127.0.0.1:3131 intercept ssl-bump cert=/usr/local/etc/squid/certs/squid.cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB dhparams=/usr/local/etc/squid/certs/dhparam.pem
> https_port [::1]:3131 intercept ssl-bump cert=/usr/local/etc/squid/certs/squid.cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB dhparams=/usr/local/etc/squid/certs/dhparam.pem
>
> ssl_bump peek step1
> ssl_bump bump unauthorized
> ssl_bump splice all
> ===Cut===
>
> Almost everything works, except that squid for some reason is generating certificates in this case for IP addresses, not names, so the browser shows a warning about the certificate being valid only for the IP, and not the name.

proxy_auth won't work on intercepted traffic and will therefore always return false, so as far as I can see you're always going to peek and then splice. i.e. you're never going to bump, so squid should never be generating a forged certificate.

You say that Squid _is_ generating a forged certificate, so something else is going on to cause it to do that. My first guess is that Squid is generating some kind of error page due to some http_access rules which you haven't listed, and is therefore bumping.

Two possibilities spring to mind for the certificate being for the IP address rather than for the name:
1. The browser isn't bothering to include an SNI in the SSL handshake (use wireshark to confirm). In this case, Squid has no way to know what name to stick in the cert, so will just use the IP instead.
2. The bumping is happening in step 1 instead of step 2 for some reason. See: http://bugs.squid-cache.org/show_bug.cgi?id=4327

--
Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com
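Steve's first check (does the client's ClientHello carry an SNI at all?) can also be done without Wireshark by parsing the TLS record directly; without a server_name extension Squid has only the destination IP to put in the mimicked certificate. This is an added example, not code from the thread or from Squid: extract_sni and build_client_hello are my own names, and the ClientHello fed to the parser is constructed inline rather than captured.

```python
import struct

SNI_EXT = 0         # TLS extension type server_name (RFC 6066)
HOST_NAME = 0       # ServerName NameType host_name


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                      # record type 0x16 = handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                          # handshake type 1 = ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                               # skip client_version + random
        pos += 1 + body[pos]                       # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                       # skip compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2                                   # now inside the extensions block
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type != SNI_EXT:
                continue
            lpos = 2                               # skip ServerNameList length
            while lpos + 3 <= len(data):
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if data[lpos] == HOST_NAME:
                    return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
                lpos += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                # truncated or not a ClientHello
    return None                                    # ClientHello without SNI


def build_client_hello(host):
    """Constructed minimal TLS 1.2 ClientHello for testing; host=None omits the SNI extension."""
    ext = b""
    if host is not None:
        name = host.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed extract_sni the first TLS record of a captured client connection (e.g. the bytes of the ClientHello exported from a pcap); a None result for a browser session is the "no SNI" case Steve describes.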
Re: [squid-users] sslBump and intercept
Hi.

On 12.11.2015 17:04, Steve Hill wrote:
>
> proxy_auth won't work on intercepted traffic and will therefore always
> return false, so as far as I can see you're always going to peek and
> then splice. i.e. you're never going to bump, so squid should never
> be generating a forged certificate.

Yup, I know that, and my fault is that I forgot to mention it, and to explain that this sample config contains parts that handle user authentication. So, yes, I'm aware that intercepted SSL traffic will look anonymous to squid, and that's the idea.

>
> You say that Squid _is_ generating a forged certificate, so something
> else is going on to cause it to do that. My first guess is that Squid
> is generating some kind of error page due to some http_access rules
> which you haven't listed, and is therefore bumping.

This is exactly what's happening.

>
> Two possibilities spring to mind for the certificate being for the IP
> address rather than for the name:
> 1. The browser isn't bothering to include an SNI in the SSL handshake
> (use wireshark to confirm). In this case, Squid has no way to know
> what name to stick in the cert, so will just use the IP instead.
> 2. The bumping is happening in step 1 instead of step 2 for some
> reason. See: http://bugs.squid-cache.org/show_bug.cgi?id=4327

Thanks, I'll try to investigate.

Eugene.
Re: [squid-users] sslBump and intercept
Hi,

On 12.11.2015 17:48, Yuri Voinov wrote:
> More probably this is bug
> http://bugs.squid-cache.org/show_bug.cgi?id=4188.
>

The page said it's fixed, and applied to 3.5. If it's already in 3.5.11, then it's not it - I just tested 3.5.11, and the behavior is the same.

Thanks.
Eugene.
Re: [squid-users] sslBump and intercept
Read carefully - this is not a complete fix. Just a dirty hack. And will not guarantee it is fixed on _all_ platforms.

12.11.15 19:44, Eugene M. Zheganin wrote:
> Hi,
>
> On 12.11.2015 17:48, Yuri Voinov wrote:
>
>> More probably this is bug
>> http://bugs.squid-cache.org/show_bug.cgi?id=4188.
>>
> The page said it's fixed, and applied to 3.5. If it's already in 3.5.11,
> then it's not it - I just tested 3.5.11, and the behavior is the same.
>
> Thanks.
> Eugene.