Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Chris Bennett]

Hi Jason,

 If you think the external acl method is too expensive to run, how do you
 expect to feed this NIDS data back into squid? I think you'd find you'd
 need an external acl check to do that bit anyway :-)

I should have been clearer - my use of the term feedback loop was
meant to imply that this was an out-of-band method of populating a
cache of valid HTTPS IP addresses (as well as the any SNI and even
'Application name') for HTTPS, and observed non-HTTPS traffic over 443
and any other ports.  This may compliment any active external acl
style checking.

Was just thinking out loud - probably a crazy idea if every seriously
considered :)

Regards,

Chris
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Jason Haar]

On 08/01/15 18:41, Chris Bennett wrote:
 Interesting thread so far.  Has anyone thought of using Bro-IDS as a
 feedback loop for some of this advanced logic for bypassing bumping?

The external acl method mentioned earlier probably out-does using some
NIDS feedback loop. In my testing it causes squid to block that new
connection until it returns, and that means your external acl script can
simply attempt a SSL transaction against the end-server and in realtime
figure out that it's SSL or not. And then cache it, blah, blah blah.

The advantage is that it will do a lookup on new HTTPS sessions and
potentially have the answer immediately (ie it can bump on first
attempt), whereas a NIDS would only find out the answer after squid has
defaulted to passthrough/splice mode, so it would only work properly on
future connections to that site.

 I like the active external acl solution since it meets a need, but
 there is overhead.  I'm not quite sure what Bro logs for non-HTTPS
 443 traffic, but I thought I'd chime in with the above idea if anyone
 wants to expand on it further :)

If you think the external acl method is too expensive to run, how do you
expect to feed this NIDS data back into squid? I think you'd find you'd
need an external acl check to do that bit anyway :-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Jason Haar]

On 06/01/15 05:28, Eliezer Croitoru wrote:
 In 3.5 there will be present a new feature which called peek and
 splice that can give an interface to squid and the admin which will
 allow the admin to know couple things about the connection from squid
 and specifically first the client TLS request.
Is there an example document showing just how to do this? Looking at the
current docs, I can't quite figure out how to layer them all together to
achieve what I'd imagine 99% of sysadmins wanting to do ssl-bump need to
do. Even squid-3.4 works very well without peek/splice - if you are
using it as a formal proxy. But it all falls apart with transparent tcp
443 - as squid only has the dst IP...

What I'd like to do is to use peek to grab the SSL server name the
client sends so that  it is available to acls (and external acl calls -
and logging?) as if the client had gone CONNECT server.name:443?

A quick sniff with wireshark shows Firefox (as an example) sends the
server name as a client SNI request in the first real packet (ie after
the 3-way), so that smells to my naive understanding as good for a
peek - and should allow squid to do an initial chat with the client,
get the SNI, then dupe with the real server, then decide if to splice or
bump the rest? Clients that don't support SNI will probably have to be
spliced - I don't care - I'm only interested in running AV scanners and
porn filters over HTTPS requests from web browsers - the 0.1% remaining
SSL traffic can slip through the cracks for all I care ;-)
 

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Sounds good,

but server world is not end on Linux. ;)

Now exists another *NIX systems. And will exists further.

Also. I have an idea, gents.

Do we can easy and quickly detect SSL Pinned destinations? And remember
it, for example, in database?

In another words - both problems is similar. Either non-HTTPS traffic
over 443 port, or pinned certs.

Can we detect both of them automatically and add to exclude list?

WBR, Yuri

05.01.2015 8:44, Eliezer Croitoru пишет:
 Hey Thread(Jason,Yuri,Douglas...),

 There are couple aspects about the ssl and connections in general and
 as we talk about ssl port I first would like to put couple things on
 the table.

 * Squid is a http caching proxy and there for every feature which is
 out of the http related scope should not be handled by squid at all.
 * Any squid operation is an application level and there for is limited
 by the software(kernel + squid).
 * There is a difference between servers taking a load of 1k requests
 per second to a SMB which handles about 50 requests per second.

 In general it's better to not intercept a connection which is not
 bump-able.
 The decision about if to DROP\REJECT or ACCEPT the connection should
 better not involve squid in general if possible.
 Squid offers a very nice interface but if you compare the Linux kernel
 forwarding capabilities compared to squid you would see that squid is
 very limited in the userspace.

 So in a case the helper only needs to know if the connection is
 bump-able there are other alternatives in the Linux kernel!!
 And if you need logs.. you can use the *helper*(which one you ever
 choose to work with) to log...

 So now for the real thing:
 My opinion about external_acl vs other solutions is that if squid with
 an external_acl works for you and you understand what it means from
 performance and security aspects try it, test it and then use it.

 But if your squid load is high and in the case squid slows down the
 bumped connections too much(compared to linux forwarding) I would try
 to use something like NFQUEUE to just test if the connection is
 bump-able or not by IP and DST PORT.

  * some information about NFQUEUE
 https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
 http://suricata-ids.org/

 * Some examples:

https://www.wzdftpd.net/redmine/projects/nfqueue-bindings/repository/entry/examples/rewrite.py
 http://danmcinerney.org/reliable-dns-spoofing-with-python-scapy-nfqueue/
 http://5d4a.wordpress.com/2011/08/25/having-fun-with-nfqueue-and-scapy/

 A squid helper is nice but... a NFQUEUE helper that can verify if to
 FORWARD or BUMP the connection would be a better suited solution to my
 opinion.

 All The Bests,
 Eliezer Croitoru

 On 01/05/2015 03:07 AM, Douglas Davenport wrote:
  Seems to me it would be more useful as an external ACL so that a
  decision could be made based on other factors eg src or dstdomain
  whether to deny or allow the un-bumpable connection.

 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users

-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUqk4WAAoJENNXIZxhPexGWNoH/Ak2w0TZ+fU2Jy1bIOgWP82V
P5UJmB3DDSRwrqi4Y/bfUDGT1V3Cbjn8/RRTqTl7lSbBwGpSd8wSLGSTua6mqMY6
OIedOB7oBrJ9p8d1F7//ZsBrvGHequnD7Zp1DvBXVcptcVvFi56oAeFNjhRk1tcN
8EX2mkvgrDye7o7RRXPw1ukxbAJ0883A+gO3XpSARMUQEhsXJFFoygHUo7OIjdr+
oBrv/aypN8VOFvkHj50vDwtt4Rq7PPDYJRtHms2cIGsjK4+P1Rt1lxhr0GC/qbtZ
rfqIvP5LRmkID/lvHFhWC38APdjsgCcTICuJoPgKGDPX9YMAWtKdznu2XYpHNfw=
=LZkA
-END PGP SIGNATURE-

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[James Harper]

 
 On 01/01/15 00:11, James Harper wrote:
  The helper connects to the IP:port and tries to obtain the certificate, and
 then caches the result (in an sqlite database). If it can't do so within a 
 fairly
 short time it returns failure (but keeps trying a bit longer and caches it for
 next time). Alternatively if the IP used to be SSL but is now timing out it
 returns the previously cached value. Negative results are cached for an
 increasing amount of time each time it fails, on the basis that it probably 
 isn't
 SSL.
 That sounds great James! I'd certainly like to take a look at it too
 
 However, you say SSL  - did you mean HTTPS? ie discovering a ip:port
 is a IMAPS server doesn't really help squid talk to it - surely you want
 to discover HTTPS servers - and everything else should be
 pass-through/splice?
 

Yes. That would be required for completeness, although maybe the certificate 
info would still be useful even if the underlying protocol wasn't http...

James
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Marcus Kool]

Much of the discussion so far has been about bumping traffic on port 443,
bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
other traffic.  Since port 443 is used for many protocols, it is in many
cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443
are common, so are VPNs.  Do you know a security officer who does not want
to block an SSH tunnel, or an app that can share corporate documents
on public websites?  If there is not more attention to these kinds of
applications that use port 443 to circumvent corporate firewalls,
Squid will be doomed to be used only in environments where the priority
for security is low to non-existent.  Just type punching holes in corporate
firewalls or ssh tunnel proxy in Google to see how easy it is to use an
SSH tunnel.

I am the author of ufdbGuard, a filter for Squid and besides filtering
based on URLs, ufdbGuard also probes port 443 to see what kind of traffic
the server is expecting.  By using probes, ufdbGuard can detect SSH tunnels,
popular chat protocols, etc. but it is not a 100% guaranteed solution
because ufdbGuard cannot not see the traffic that flows through the proxy,
i.e. there is not yet an interface for this type of traffic inspection.

Marcus


On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hey Yuri,

Indeed there are other *NIX systems and for each and every one of them
there is a solution in need.

SSL Pinned destinations cannot be identified automatically since the
are pinned inside a software and the certificate will not show
anything about that.
The basic tests we can do are:
- - The host is using ssl or tls or not at all(based on the selective
answer of the service)
- -
- - If the connection is using tls\ssl then inspect the components of
the certificate(such as rootCA validation against the local machine
certificates DB)

Depend on the goal of the certificate validation the decision will be
made to either allow the connection uninspected or to bump it as
is without any smart identification.

If indeed there is a database
sqlite3\mysql\postgres\redis\memcached\others it can be used in the
iptables level.
Also a point in this DB and this cache is that it will be persistent
so what so ever the *NIX system is there is an option once the IP +
port was tagged as non-bump-able it is better be in the FIREWALL level
override better then squid external_acl.
Reason: If the kernel does what it needs to do then squid should not
touch the packets.
It's not always right but it's a point in the issue.
I still do not know how to work with NFQUEUE and I am sure that there
is an option to make a fast decision and if not then let the
connection be BUMPED.

I have written a small golang script that can check couple things
about the ssl session at:
http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go

Besides this helper there is another script which do couple things in
another level.

##
If any thing will be decided for squid internals it will be after a
proof of concept that we can implement together.
Can we take this thread to storm and put on the table a proof of
concept logic for ssl inspection\bumping and bypassing?

Eliezer

On 01/05/2015 10:40 AM, Yuri Voinov wrote:

Sounds good,

but server world is not end on Linux. ;)

Now exists another *NIX systems. And will exists further.

Also. I have an idea, gents.

Do we can easy and quickly detect SSL Pinned destinations? And
remember it, for example, in database?

In another words - both problems is similar. Either non-HTTPS
traffic over 443 port, or pinned certs.

Can we detect both of them automatically and add to exclude list?

WBR, Yuri


-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJUqmB0AAoJENxnfXtQ8ZQUPKkH/RQmpV8bVcQ1HKMWYLgzDIY1
qcW5AtSsiuuSQsDjew336/jE6WajfT3e5jKvvEKnLc993klJJcxlpETMRfqA+ekK
nMnycoMGSX66bgnKb/TX2PBdUNqYj3WsC5ujDyQ/37VBYY7NNIc95VR5W460jj+F
X9/sErTOsgy2/cYJ3Mz1+sHzH/IleehnosAtWaPBqXPCvi8Q4ud+SUFa8O3xgTPG
7BMM26prgMT0C8mpC/GRnMydEn4Pir3E5FEgkNZmMB7ZeQuHp0ZVKwUzvHqW/WP3
7pUydl3JKn1KP4bo1gXNO5m1Bf+X3xa9OiUTbzZ7VFrVPxXa7gOVKgZdCWpktcg=
=K9bZ
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Marcus Kool]

On 01/05/2015 11:11 AM, Yuri Voinov wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

And also:

don't forget about bogus homebrew internet-bankings. Which is uses bogus 
SSL-certs with bogus GOST realisations. And bogus Java-based clients. All of 
them also uses 443 port. And often HTTPS with
homebrew bogus features.

We don't know, how to bump it.

What about it? Pass-through? Pass-through.

This is clean exclusion.

So don't worry about SSH/Tor. To block them we will be use another solutions. 
DPI. And not always technical. Revoke administrative rights from clients is 
basics of security, like physical access to
infrastructure. If they can't install Tor/SSH - why we can worry about this 
traffic?

We have (and can solve) two simple problems. HTTP over 443 port. And SSL 
Pinning. That's all, folks.


It is clear what *you* want.
You prefer  Squid + HTTP filter + Cisco/DPI + tcputils + sniffer + manual 
maintenance of ACLs/exclude list



05.01.2015 17:51, Marcus Kool пишет:

Much of the discussion so far  has been about bumping traffic on port 443,

  bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
  other traffic.  Since port 443 is used for many protocols, it is in many
  cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443
  are common, so are VPNs.  Do you know a security officer who does not want
  to block an SSH tunnel, or an app that can share corporate documents
  on public websites?  If there is not more attention to these kinds of
  applications that use port 443 to circumvent corporate firewalls,
  Squid will be doomed to be used only in environments where the priority
  for security is low to non-existent.  Just type punching holes in corporate
  firewalls or ssh tunnel proxy in Google to see how easy it is to use an
  SSH tunnel.
 
  I am the author of ufdbGuard, a filter for Squid and besides filtering
  based on URLs, ufdbGuard also probes port 443 to see what kind of traffic
  the server is expecting.  By using probes, ufdbGuard can detect SSH tunnels,
  popular chat protocols, etc. but it is not a 100% guaranteed solution
  because ufdbGuard cannot not see the traffic that flows through the proxy,
  i.e. there is not yet an interface for this type of traffic inspection.
 
  Marcus
 
 
  On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:
  Hey Yuri,
 
  Indeed there are other *NIX systems and for each and every one of them
  there is a solution in need.
 
  SSL Pinned destinations cannot be identified automatically since the
  are pinned inside a software and the certificate will not show
  anything about that.
  The basic tests we can do are:
  - The host is using ssl or tls or not at all(based on the selective
  answer of the service)
  -
  - If the connection is using tls\ssl then inspect the components of
  the certificate(such as rootCA validation against the local machine
  certificates DB)
 
  Depend on the goal of the certificate validation the decision will be
  made to either allow the connection uninspected or to bump it as
  is without any smart identification.
 
  If indeed there is a database
  sqlite3\mysql\postgres\redis\memcached\others it can be used in the
  iptables level.
  Also a point in this DB and this cache is that it will be persistent
  so what so ever the *NIX system is there is an option once the IP +
  port was tagged as non-bump-able it is better be in the FIREWALL level
  override better then squid external_acl.
  Reason: If the kernel does what it needs to do then squid should not
  touch the packets.
  It's not always right but it's a point in the issue.
  I still do not know how to work with NFQUEUE and I am sure that there
  is an option to make a fast decision and if not then let the
  connection be BUMPED.
 
  I have written a small golang script that can check couple things
  about the ssl session at:
  http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go
 
  Besides this helper there is another script which do couple things in
  another level.
 
  ##
  If any thing will be decided for squid internals it will be after a
  proof of concept that we can implement together.
  Can we take this thread to storm and put on the table a proof of
  concept logic for ssl inspection\bumping and bypassing?
 
  Eliezer
 
  On 01/05/2015 10:40 AM, Yuri Voinov wrote:
   Sounds good,
  
   but server world is not end on Linux. ;)
  
   Now exists another *NIX systems. And will exists further.
  
   Also. I have an idea, gents.
  
   Do we can easy and quickly detect SSL Pinned destinations? And
   remember it, for example, in database?
  
   In another words - both problems is similar. Either non-HTTPS
   traffic over 443 port, or pinned certs.
  
   Can we detect both of them automatically and add to exclude list?
  
   WBR, Yuri
 
  ___
  squid-users mailing list
  squid-users@lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users
 
  

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
I think,

non-HTTP/HTTPS security issues is never ever Squid function.

Squid is not all-in-one-security-solution. It's only HTTP proxy.

For others security breches (i.e SSH tunnels, various browser
tunnel-related plugins, Tor etc., ) we have another tools. Cisco NBAR
proticol discovery, other DPI solution.

AFAIK, primitive Cisco extended ACL + tcpiputils.com and simple sniffer
can make miracles.

Following I offer to retirn to the Earth and limit our functionality as
I said before. Just HTTP/HTTPS over 443 port.

I understand that exists wonderful and overall solutions like ufdbGuard.
But we talk not about it.

05.01.2015 17:51, Marcus Kool пишет:
 Much of the discussion so far has been about bumping traffic on port 443,
 bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
 other traffic.  Since port 443 is used for many protocols, it is in many
 cases dangerous to allow non-bumpable traffic: SSH tunnels using port 443
 are common, so are VPNs.  Do you know a security officer who does not want
 to block an SSH tunnel, or an app that can share corporate documents
 on public websites?  If there is not more attention to these kinds of
 applications that use port 443 to circumvent corporate firewalls,
 Squid will be doomed to be used only in environments where the priority
 for security is low to non-existent.  Just type punching holes in
corporate
 firewalls or ssh tunnel proxy in Google to see how easy it is to use an
 SSH tunnel.

 I am the author of ufdbGuard, a filter for Squid and besides filtering
 based on URLs, ufdbGuard also probes port 443 to see what kind of traffic
 the server is expecting.  By using probes, ufdbGuard can detect SSH
tunnels,
 popular chat protocols, etc. but it is not a 100% guaranteed solution
 because ufdbGuard cannot not see the traffic that flows through the proxy,
 i.e. there is not yet an interface for this type of traffic inspection.

 Marcus


 On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:
 Hey Yuri,

 Indeed there are other *NIX systems and for each and every one of them
 there is a solution in need.

 SSL Pinned destinations cannot be identified automatically since the
 are pinned inside a software and the certificate will not show
 anything about that.
 The basic tests we can do are:
 - The host is using ssl or tls or not at all(based on the selective
 answer of the service)
 -
 - If the connection is using tls\ssl then inspect the components of
 the certificate(such as rootCA validation against the local machine
 certificates DB)

 Depend on the goal of the certificate validation the decision will be
 made to either allow the connection uninspected or to bump it as
 is without any smart identification.

 If indeed there is a database
 sqlite3\mysql\postgres\redis\memcached\others it can be used in the
 iptables level.
 Also a point in this DB and this cache is that it will be persistent
 so what so ever the *NIX system is there is an option once the IP +
 port was tagged as non-bump-able it is better be in the FIREWALL level
 override better then squid external_acl.
 Reason: If the kernel does what it needs to do then squid should not
 touch the packets.
 It's not always right but it's a point in the issue.
 I still do not know how to work with NFQUEUE and I am sure that there
 is an option to make a fast decision and if not then let the
 connection be BUMPED.

 I have written a small golang script that can check couple things
 about the ssl session at:
 http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go

 Besides this helper there is another script which do couple things in
 another level.

 ##
 If any thing will be decided for squid internals it will be after a
 proof of concept that we can implement together.
 Can we take this thread to storm and put on the table a proof of
 concept logic for ssl inspection\bumping and bypassing?

 Eliezer

 On 01/05/2015 10:40 AM, Yuri Voinov wrote:
  Sounds good,
 
  but server world is not end on Linux. ;)
 
  Now exists another *NIX systems. And will exists further.
 
  Also. I have an idea, gents.
 
  Do we can easy and quickly detect SSL Pinned destinations? And
  remember it, for example, in database?
 
  In another words - both problems is similar. Either non-HTTPS
  traffic over 443 port, or pinned certs.
 
  Can we detect both of them automatically and add to exclude list?
 
  WBR, Yuri

 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users

 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users

-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUqoe7AAoJENNXIZxhPexGJqoH/2byMvv1s1Qgk5Wh1EwB8ai/
B6wsw6IvHitGvkrS77OEkEtZYjMsbTEv7XEpZuBvsylIGTr8Zp9amyjcTLOG/A+2

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Douglas Davenport]

Marcus, not to distract from the very important main points being discussed
here but I have to question your last line:
i.e. there is not yet an interface for this type of traffic inspection.

Is that not the whole point of Squid's ICAP interface and HTTPS bumping? Or
do you just mean that ufdbguard doesn't utilize that yet. If so you might
want to consider adding that functionality...




On Mon, Jan 5, 2015 at 9:10 AM, Marcus Kool marcus.k...@urlfilterdb.com
wrote:



 On 01/05/2015 11:11 AM, Yuri Voinov wrote:


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 And also:

 don't forget about bogus homebrew internet-bankings. Which is uses bogus
 SSL-certs with bogus GOST realisations. And bogus Java-based clients. All
 of them also uses 443 port. And often HTTPS with
 homebrew bogus features.

 We don't know, how to bump it.

 What about it? Pass-through? Pass-through.

 This is clean exclusion.

 So don't worry about SSH/Tor. To block them we will be use another
 solutions. DPI. And not always technical. Revoke administrative rights from
 clients is basics of security, like physical access to
 infrastructure. If they can't install Tor/SSH - why we can worry about
 this traffic?

 We have (and can solve) two simple problems. HTTP over 443 port. And SSL
 Pinning. That's all, folks.


 It is clear what *you* want.
 You prefer  Squid + HTTP filter + Cisco/DPI + tcputils + sniffer + manual
 maintenance of ACLs/exclude list



  05.01.2015 17:51, Marcus Kool пишет:

 Much of the discussion so far  has been about bumping traffic on port
 443,

   bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
   other traffic.  Since port 443 is used for many protocols, it is in
 many
   cases dangerous to allow non-bumpable traffic: SSH tunnels using port
 443
   are common, so are VPNs.  Do you know a security officer who does not
 want
   to block an SSH tunnel, or an app that can share corporate documents
   on public websites?  If there is not more attention to these kinds of
   applications that use port 443 to circumvent corporate firewalls,
   Squid will be doomed to be used only in environments where the priority
   for security is low to non-existent.  Just type punching holes in
 corporate
   firewalls or ssh tunnel proxy in Google to see how easy it is to
 use an
   SSH tunnel.
  
   I am the author of ufdbGuard, a filter for Squid and besides filtering
   based on URLs, ufdbGuard also probes port 443 to see what kind of
 traffic
   the server is expecting.  By using probes, ufdbGuard can detect SSH
 tunnels,
   popular chat protocols, etc. but it is not a 100% guaranteed solution
   because ufdbGuard cannot not see the traffic that flows through the
 proxy,
   i.e. there is not yet an interface for this type of traffic inspection.
  
   Marcus
  
  
   On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:
   Hey Yuri,
  
   Indeed there are other *NIX systems and for each and every one of them
   there is a solution in need.
  
   SSL Pinned destinations cannot be identified automatically since the
   are pinned inside a software and the certificate will not show
   anything about that.
   The basic tests we can do are:
   - The host is using ssl or tls or not at all(based on the selective
   answer of the service)
   -
   - If the connection is using tls\ssl then inspect the components of
   the certificate(such as rootCA validation against the local machine
   certificates DB)
  
   Depend on the goal of the certificate validation the decision will be
   made to either allow the connection uninspected or to bump it as
   is without any smart identification.
  
   If indeed there is a database
   sqlite3\mysql\postgres\redis\memcached\others it can be used in the
   iptables level.
   Also a point in this DB and this cache is that it will be persistent
   so what so ever the *NIX system is there is an option once the IP +
   port was tagged as non-bump-able it is better be in the FIREWALL level
   override better then squid external_acl.
   Reason: If the kernel does what it needs to do then squid should not
   touch the packets.
   It's not always right but it's a point in the issue.
   I still do not know how to work with NFQUEUE and I am sure that there
   is an option to make a fast decision and if not then let the
   connection be BUMPED.
  
   I have written a small golang script that can check couple things
   about the ssl session at:
   http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go
  
   Besides this helper there is another script which do couple things in
   another level.
  
   ##
   If any thing will be decided for squid internals it will be after a
   proof of concept that we can implement together.
   Can we take this thread to storm and put on the table a proof of
   concept logic for ssl inspection\bumping and bypassing?
  
   Eliezer
  
   On 01/05/2015 10:40 AM, Yuri Voinov wrote:
Sounds good,
   
but server world is not end on Linux. ;)
   
Now 

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Wait a minute, gents.

What about ICAP? What I skipped?

05.01.2015 20:38, Douglas Davenport пишет:
 Marcus, not to distract from the very important main points being discussed 
 here but I have to
question your last line:
 i.e. there is not yet an interface for this type of traffic inspection.

 Is that not the whole point of Squid's ICAP interface and HTTPS
bumping? Or do you just mean that ufdbguard doesn't utilize that yet. If
so you might want to consider adding that functionality...




 On Mon, Jan 5, 2015 at 9:10 AM, Marcus Kool
marcus.k...@urlfilterdb.com mailto:marcus.k...@urlfilterdb.com wrote:



 On 01/05/2015 11:11 AM, Yuri Voinov wrote:


 And also:

 don't forget about bogus homebrew internet-bankings. Which is uses
bogus SSL-certs with bogus GOST realisations. And bogus Java-based
clients. All of them also uses 443 port. And often HTTPS with
 homebrew bogus features.

 We don't know, how to bump it.

 What about it? Pass-through? Pass-through.

 This is clean exclusion.

 So don't worry about SSH/Tor. To block them we will be use another
solutions. DPI. And not always technical. Revoke administrative rights
from clients is basics of security, like physical access to
 infrastructure. If they can't install Tor/SSH - why we can worry about
this traffic?

 We have (and can solve) two simple problems. HTTP over 443 port. And
SSL Pinning. That's all, folks.


  It is clear what *you* want.
  You prefer  Squid + HTTP filter + Cisco/DPI + tcputils + sniffer
+ manual maintenance of ACLs/exclude list



 05.01.2015 17:51, Marcus Kool пишет:

 Much of the discussion so far  has been about bumping traffic on
port 443,

   bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
   other traffic.  Since port 443 is used for many protocols, it is in
many
   cases dangerous to allow non-bumpable traffic: SSH tunnels using
port 443
   are common, so are VPNs.  Do you know a security officer who does
not want
   to block an SSH tunnel, or an app that can share corporate documents
   on public websites?  If there is not more attention to these kinds of
   applications that use port 443 to circumvent corporate firewalls,
   Squid will be doomed to be used only in environments where the priority
   for security is low to non-existent.  Just type punching holes in
corporate
   firewalls or ssh tunnel proxy in Google to see how easy it is to
use an
   SSH tunnel.

   I am the author of ufdbGuard, a filter for Squid and besides filtering
   based on URLs, ufdbGuard also probes port 443 to see what kind of
traffic
   the server is expecting.  By using probes, ufdbGuard can detect SSH
tunnels,
   popular chat protocols, etc. but it is not a 100% guaranteed solution
   because ufdbGuard cannot not see the traffic that flows through the
proxy,
   i.e. there is not yet an interface for this type of traffic inspection.

   Marcus


   On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:
   Hey Yuri,

   Indeed there are other *NIX systems and for each and every one of them
   there is a solution in need.

   SSL Pinned destinations cannot be identified automatically since the
   are pinned inside a software and the certificate will not show
   anything about that.
   The basic tests we can do are:
   - The host is using ssl or tls or not at all(based on the selective
   answer of the service)
   -
   - If the connection is using tls\ssl then inspect the components of
   the certificate(such as rootCA validation against the local machine
   certificates DB)

   Depend on the goal of the certificate validation the decision will be
   made to either allow the connection uninspected or to bump it as
   is without any smart identification.

   If indeed there is a database
   sqlite3\mysql\postgres\redis\memcached\others it can be used in the
   iptables level.
   Also a point in this DB and this cache is that it will be persistent
   so what so ever the *NIX system is there is an option once the IP +
   port was tagged as non-bump-able it is better be in the FIREWALL level
   override better then squid external_acl.
   Reason: If the kernel does what it needs to do then squid should not
   touch the packets.
   It's not always right but it's a point in the issue.
   I still do not know how to work with NFQUEUE and I am sure that there
   is an option to make a fast decision and if not then let the
   connection be BUMPED.

   I have written a small golang script that can check couple things
   about the ssl session at:
   http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go
http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go

   Besides this helper there is another script which do couple things in
   another level.

   ##
   If any thing will be decided for squid internals it will be after a
   proof of concept that we can implement together.
   Can we take this thread to storm and put on the table a proof of
   concept logic for 

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Eliezer Croitoru]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/05/2015 05:18 PM, Yuri Voinov wrote:
 We haven't filtering non_HTTP over port-443. Just recognize and
 pass.

So let's separate security which is one of the goals of squid and
which some like and other don't.

For now squid 3.4 is stable and 3.5 is in beta and trunk is not for
the public use.
In 3.5 there will be present a new feature which called peek and
splice that can give an interface to squid and the admin which will
allow the admin to know couple things about the connection from squid
and specifically first the client TLS request.
Once squid bumped a connection there are couple steps until the
connection is fully established between the client and the server:
- - receive the TCP connection from client
- - BUMP server or client FIRST
- - determine what certificate to send to the client based on the server
initial ssl response
- - fake it
- - send to the client
- - MITM between two tls connections on the proxy while inspecting the
content in the software layer.

Peek and splice will add another step between the first part to the
second and which will allow SNI usage.
All the above is to allow better BUMPING.
There might be or will be probably an interface that will identify or
will try to identify inside the current stages of the connection
bumping if the connection is indeed a TLS or another one.
The first step of peek and splice can identify if the connection from
the client side has started using a valid TLS\SSL headers.

Leaving all the BUMPING yes or no You(Yuri) need a very specific tool
or want a very specific tool.
The basic interface of the external_acl can provide enough data on the
connection in order to enforce some rules.
You can either use the client IP address or just the destination IP
and PORT.

I cannot speak for the squid project but I am almost sure that the
squid project will not provide you with an official helper and will
not support it.
However squid external_acl is there especially to help others achieve
what they want using a variety of parameters from squid internals.
The external_acl interface provides internal caching which supports
caching ttl with different values for the two options either allow(OK)
or DENY(ERR).

My suggestions stays, don't use sqlite if possible.
There is a sketch for a helper like you seems to want.
Take the glove and write a pesudo code for the helper idea based on
the assumptions:
- - There is a DB which can store timestamps, ip, port, result of test, etc
- - There is a way to check if the certificate is valid and the server
works with TLS\SSL
- - There is no way for the helper to know that a certificate is pined
- - There is a way to add static records to the DB(web interface, cli)
- - All the requests will come from the proxy IP address and can by some
be identified as an attack.
- - ufdbguard does not provide your needs since it uses url_rewrite
interface and doesn't have the needed functionalities for you.

The best I have seen until now was the python helper.
If in couple(4-5) month nobody will do something with this I will see
then what can be done with this if at all.

Elizer
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJUqrvGAAoJENxnfXtQ8ZQUIDsH/iw82UdjIvwk/bycmuvTIgi2
FjgdXHcOP1EFi1aC6utgZ3ab8GVaOhV8PJpLpFSD3ZLbrFXfLg9c3ubY6EMHVxWz
HNgYBQ/MetSCTHwNKiKHiu8pqy0CR9aTth91KwArrWtXYBqeGyCVCRvyccHc07u4
QVE3rUTNX0ICAgvfrhyUsjgjZVUCRC1dvZT7c2aVeowR1qyvfpK2JRVJSuaUI2oU
HS2516qxzxHvyxJjjz1Cypn06BPiCp2wItIPdX9biEXid2DCJsGGrd9hjhkoZtgH
AiAf7mpFnWZybw4934S1ubUE5x59v8rzpZiuVTE/iSIpVzAci2moeijqosL2yEg=
=7quC
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Agreed.

I'm expert on shell, not Perl/Python. :)

But will try to make some useful with it.

05.01.2015 22:28, Eliezer Croitoru пишет:
 On 01/05/2015 05:18 PM, Yuri Voinov wrote:
  We haven't filtering non_HTTP over port-443. Just recognize and
  pass.

 So let's separate security which is one of the goals of squid and
 which some like and other don't.

 For now squid 3.4 is stable and 3.5 is in beta and trunk is not for
 the public use.
 In 3.5 there will be present a new feature which called peek and
 splice that can give an interface to squid and the admin which will
 allow the admin to know couple things about the connection from squid
 and specifically first the client TLS request.
 Once squid bumped a connection there are couple steps until the
 connection is fully established between the client and the server:
 - receive the TCP connection from client
 - BUMP server or client FIRST
 - determine what certificate to send to the client based on the server
 initial ssl response
 - fake it
 - send to the client
 - MITM between two tls connections on the proxy while inspecting the
 content in the software layer.

 Peek and splice will add another step between the first part to the
 second and which will allow SNI usage.
 All the above is to allow better BUMPING.
 There might be or will be probably an interface that will identify or
 will try to identify inside the current stages of the connection
 bumping if the connection is indeed a TLS or another one.
 The first step of peek and splice can identify if the connection from
 the client side has started using a valid TLS\SSL headers.

 Leaving all the BUMPING yes or no You(Yuri) need a very specific tool
 or want a very specific tool.
 The basic interface of the external_acl can provide enough data on the
 connection in order to enforce some rules.
 You can either use the client IP address or just the destination IP
 and PORT.

 I cannot speak for the squid project but I am almost sure that the
 squid project will not provide you with an official helper and will
 not support it.
 However squid external_acl is there especially to help others achieve
 what they want using a variety of parameters from squid internals.
 The external_acl interface provides internal caching which supports
 caching ttl with different values for the two options either allow(OK)
 or DENY(ERR).

 My suggestions stays, don't use sqlite if possible.
 There is a sketch for a helper like you seems to want.
 Take the glove and write a pesudo code for the helper idea based on
 the assumptions:
 - There is a DB which can store timestamps, ip, port, result of test, etc
 - There is a way to check if the certificate is valid and the server
 works with TLS\SSL
 - There is no way for the helper to know that a certificate is pined
 - There is a way to add static records to the DB(web interface, cli)
 - All the requests will come from the proxy IP address and can by some
 be identified as an attack.
 - ufdbguard does not provide your needs since it uses url_rewrite
 interface and doesn't have the needed functionalities for you.

 The best I have seen until now was the python helper.
 If in couple(4-5) month nobody will do something with this I will see
 then what can be done with this if at all.

 Elizer
 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users

-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUqr3NAAoJENNXIZxhPexG5UoIAKxANAcs77iuSQlNOmbO9D4B
xip3QbFhug2/LayR+Wa1Vd3UBUfkSUUdvvqedXRc6KKfCqxa5BECTYSpM0qT/L+h
WasstLpV/Mm2seYRK/CUJbmAJDps6mAgB8MdU1Kq9XWUVYGuGHXnWa220sU/TuhW
wD55VRDScX7cELOQyv4kCr/3mqobLD0KLAMwpDwtxel88eE9NYFW1OcIyM2XHtJd
ouY/hM6sAlYusXITrQrbOy7Sw5yT6DjY+sm6NYx7NCpDyKZTZemU0QVN9hEG6H0s
AmPi0m3OedUAmh83rXMS47+GyzIq3yxIqe52qOsFSsA5PoK/l93zqRivvUUTxyQ=
=sq3n
-END PGP SIGNATURE-

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Marcus Kool]

On 01/05/2015 12:38 PM, Douglas Davenport wrote:

Marcus, not to distract from the very important main points being discussed 
here but I have to question your last line:
i.e. there is not yet an interface for this type of traffic inspection.

Is that not the whole point of Squid's ICAP interface and HTTPS bumping? Or do 
you just mean that ufdbguard doesn't utilize that yet. If so you might want to 
consider adding that functionality...


ICAP does
   HTTP filtering based on URL and HTTP content
   port-443 filtering based on FQDN  (ICAP server only receives CONNECT 
FQDN:443)
   port-443 filtering based on HTTP content _if_ Squid uses sslbump

ICAP does _not_
   port-443 filtering for non-HTTP protocols

ICAP was designed for HTTP-based content modification.
There is no industry standard for filtering non-HTTP data.
I have discussed this subject twice with the Squid development team
but there is currently no sponsor to implement a new protocol to filter
non-HTTP data in Squid.

Marcus





On Mon, Jan 5, 2015 at 9:10 AM, Marcus Kool marcus.k...@urlfilterdb.com 
mailto:marcus.k...@urlfilterdb.com wrote:



On 01/05/2015 11:11 AM, Yuri Voinov wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

And also:

don't forget about bogus homebrew internet-bankings. Which is uses 
bogus SSL-certs with bogus GOST realisations. And bogus Java-based clients. All 
of them also uses 443 port. And often HTTPS with
homebrew bogus features.

We don't know, how to bump it.

What about it? Pass-through? Pass-through.

This is clean exclusion.

So don't worry about SSH/Tor. To block them we will be use another 
solutions. DPI. And not always technical. Revoke administrative rights from 
clients is basics of security, like physical
access to
infrastructure. If they can't install Tor/SSH - why we can worry about 
this traffic?

We have (and can solve) two simple problems. HTTP over 443 port. And 
SSL Pinning. That's all, folks.


It is clear what *you* want.
You prefer  Squid + HTTP filter + Cisco/DPI + tcputils + sniffer + manual 
maintenance of ACLs/exclude list



05.01.2015 17:51, Marcus Kool пишет:

Much of the discussion so far  has been about bumping traffic on 
port 443,

   bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
   other traffic.  Since port 443 is used for many protocols, it is in 
many
   cases dangerous to allow non-bumpable traffic: SSH tunnels using 
port 443
   are common, so are VPNs.  Do you know a security officer who does 
not want
   to block an SSH tunnel, or an app that can share corporate documents
   on public websites?  If there is not more attention to these kinds 
of
   applications that use port 443 to circumvent corporate firewalls,
   Squid will be doomed to be used only in environments where the 
priority
   for security is low to non-existent.  Just type punching holes in 
corporate
   firewalls or ssh tunnel proxy in Google to see how easy it is to 
use an
   SSH tunnel.
  
   I am the author of ufdbGuard, a filter for Squid and besides 
filtering
   based on URLs, ufdbGuard also probes port 443 to see what kind of 
traffic
   the server is expecting.  By using probes, ufdbGuard can detect SSH 
tunnels,
   popular chat protocols, etc. but it is not a 100% guaranteed 
solution
   because ufdbGuard cannot not see the traffic that flows through the 
proxy,
   i.e. there is not yet an interface for this type of traffic 
inspection.
  
   Marcus
  
  
   On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:
   Hey Yuri,
  
   Indeed there are other *NIX systems and for each and every one of 
them
   there is a solution in need.
  
   SSL Pinned destinations cannot be identified automatically since the
   are pinned inside a software and the certificate will not show
   anything about that.
   The basic tests we can do are:
   - The host is using ssl or tls or not at all(based on the selective
   answer of the service)
   -
   - If the connection is using tls\ssl then inspect the components of
   the certificate(such as rootCA validation against the local machine
   certificates DB)
  
   Depend on the goal of the certificate validation the decision will 
be
   made to either allow the connection uninspected or to bump it as
   is without any smart identification.
  
   If indeed there is a database
   sqlite3\mysql\postgres\redis\__memcached\others it can be used in 
the
   iptables level.
   Also a point in this DB and this cache is that it will be persistent
   so what 

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
We haven't filtering non_HTTP over port-443. Just recognize and pass.

05.01.2015 21:15, Marcus Kool пишет:


 On 01/05/2015 12:38 PM, Douglas Davenport wrote:
 Marcus, not to distract from the very important main points being
discussed here but I have to question your last line:
 i.e. there is not yet an interface for this type of traffic inspection.

 Is that not the whole point of Squid's ICAP interface and HTTPS
bumping? Or do you just mean that ufdbguard doesn't utilize that yet. If
so you might want to consider adding that functionality...

 ICAP does
HTTP filtering based on URL and HTTP content
port-443 filtering based on FQDN  (ICAP server only receives
CONNECT FQDN:443)
port-443 filtering based on HTTP content _if_ Squid uses sslbump

 ICAP does _not_
port-443 filtering for non-HTTP protocols

 ICAP was designed for HTTP-based content modification.
 There is no industry standard for filtering non-HTTP data.
 I have discussed this subject twice with the Squid development team
 but there is currently no sponsor to implement a new protocol to filter
 non-HTTP data in Squid.

 Marcus




 On Mon, Jan 5, 2015 at 9:10 AM, Marcus Kool
marcus.k...@urlfilterdb.com mailto:marcus.k...@urlfilterdb.com wrote:



 On 01/05/2015 11:11 AM, Yuri Voinov wrote:


 And also:

 don't forget about bogus homebrew internet-bankings. Which is uses
bogus SSL-certs with bogus GOST realisations. And bogus Java-based
clients. All of them also uses 443 port. And often HTTPS with
 homebrew bogus features.

 We don't know, how to bump it.

 What about it? Pass-through? Pass-through.

 This is clean exclusion.

 So don't worry about SSH/Tor. To block them we will be use another
solutions. DPI. And not always technical. Revoke administrative rights
from clients is basics of security, like physical
 access to
 infrastructure. If they can't install Tor/SSH - why we can worry about
this traffic?

 We have (and can solve) two simple problems. HTTP over 443 port. And
SSL Pinning. That's all, folks.


  It is clear what *you* want.
  You prefer  Squid + HTTP filter + Cisco/DPI + tcputils +
sniffer + manual maintenance of ACLs/exclude list



 05.01.2015 17:51, Marcus Kool пишет:

 Much of the discussion so far  has been about bumping traffic on
port 443,

bumping SSL-encapsulated HTTP traffic and not bumping (allowing)
other traffic.  Since port 443 is used for many protocols, it is
in many
cases dangerous to allow non-bumpable traffic: SSH tunnels using
port 443
are common, so are VPNs.  Do you know a security officer who does
not want
to block an SSH tunnel, or an app that can share corporate documents
on public websites?  If there is not more attention to these kinds of
applications that use port 443 to circumvent corporate firewalls,
Squid will be doomed to be used only in environments where the
priority
for security is low to non-existent.  Just type punching holes in
corporate
firewalls or ssh tunnel proxy in Google to see how easy it is
to use an
SSH tunnel.

I am the author of ufdbGuard, a filter for Squid and besides filtering
based on URLs, ufdbGuard also probes port 443 to see what kind of
traffic
the server is expecting.  By using probes, ufdbGuard can detect
SSH tunnels,
popular chat protocols, etc. but it is not a 100% guaranteed solution
because ufdbGuard cannot not see the traffic that flows through
the proxy,
i.e. there is not yet an interface for this type of traffic
inspection.

Marcus


On 01/05/2015 07:59 AM, Eliezer Croitoru wrote:
Hey Yuri,

Indeed there are other *NIX systems and for each and every one of them
there is a solution in need.

SSL Pinned destinations cannot be identified automatically since the
are pinned inside a software and the certificate will not show
anything about that.
The basic tests we can do are:
- The host is using ssl or tls or not at all(based on the selective
answer of the service)
-
- If the connection is using tls\ssl then inspect the components of
the certificate(such as rootCA validation against the local machine
certificates DB)

Depend on the goal of the certificate validation the decision will be
made to either allow the connection uninspected or to bump it as
is without any smart identification.

If indeed there is a database
sqlite3\mysql\postgres\redis\__memcached\others it can be used in the
iptables level.
Also a point in this DB and this cache is that it will be persistent
so what so ever the *NIX system is there is an option once the IP +
port was tagged as non-bump-able it is better be in the FIREWALL level
override better then squid external_acl.
Reason: If the kernel does what it needs to do then squid should not
touch the packets.
It's not always right but it's a point in the issue.
I still do not know how 

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
To return to Earth:

I think, a good idea is built-in (ma be, in ssl_crtd?) functionality to
check 443 port connection for Is an HTTPS inside? and if no, do not
bump by default.

This is so simple and fast, is it? And we can have some config option to
disable this function...Or not.

;)

05.01.2015 2:17, Douglas Davenport пишет:
 I saw a very similar feature in ufdbGuard which is a URL filter implemented 
 as a Squid Redirector. They
have a feature which probes the destination server for a valid HTTPS
cert in parallel to the user's connection and terminates it if it turns
out not to be a valid HTTPS cert. Their code is open source, maybe this
could be helpful in creating such a helper?

 http://www.urlfilterdb.com/home.html

 On Sat, Jan 3, 2015 at 3:45 AM, Yuri Voinov yvoi...@gmail.com
mailto:yvoi...@gmail.com wrote:


 Term HTTPS often uses as Any connect over 443 port

 03.01.2015 13:59, Jason Haar пишет:
  On 01/01/15 00:11, James Harper wrote:
  The helper connects to the IP:port and tries to obtain the
 certificate, and then caches the result (in an sqlite database). If it
 can't do so within a fairly short time it returns failure (but keeps
 trying a bit longer and caches it for next time). Alternatively if the
 IP used to be SSL but is now timing out it returns the previously cached
 value. Negative results are cached for an increasing amount of time each
 time it fails, on the basis that it probably isn't SSL.
  That sounds great James! I'd certainly like to take a look at it too

  However, you say SSL  - did you mean HTTPS? ie discovering a ip:port
  is a IMAPS server doesn't really help squid talk to it - surely you want
  to discover HTTPS servers - and everything else should be
  pass-through/splice?



 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
mailto:squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users



-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUqaH3AAoJENNXIZxhPexG+VAH/3+fQfAUA1IdCXTdvZXjR2Ih
2AAa2d/mPOQtk1RNTk7PUxp1tIuUVt054euuwnhxItGSIb6OB7U2fTHK1k3BF+ta
BG6fyghpKYFBHJkloYX6m45g7K3vgpKEjVPDQZuaUz1CBZ67ie/ThngxmgNwFqaO
HbDvcX6FnvYeplRDrsx8DATD7fqujw5wy6ZI+23bXAOf4j7PO6zwIeoh4hSkMhr/
7ZRBYv2T6iYh+sL3XiYgVh9fWcGy2O2ovJLW/2AA4YXnlEAGLgbgVZCiF6jIdomn
iSiel6enLOCDneLsMcW1h+n7HNTTpv6N2D5ATMEcf8kz3ACmH99mBhk2bh9jQ94=
=Iw5c
-END PGP SIGNATURE-

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Douglas Davenport]

Seems to me it would be more useful as an external ACL so that a decision
could be made based on other factors eg src or dstdomain whether to deny or
allow the un-bumpable connection.

On Sun, Jan 4, 2015 at 4:29 PM, Yuri Voinov yvoi...@gmail.com wrote:


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 As I can see, we have two major problems with SSL Bump now.

 1. Stupid apps and it's stupid developers - like ICQ and other stupid IM -
 which is hope 443 port is never be blocked due to using for logons/internet
 banking etc.
 This stupid way broke standards (?) and make us crazy. Now single solution
 is catch them manually and pass it without bumping. This is the simplest
 problem. And I hope it will be solved in core - i.e. in Squid directly.

 2. SSL Pinned sites. We cannot do with them anything excluding sniff it
 and pass by IP without bump.

 First problems seems to solve easy. Either by helper, or by squid - no
 matter. It's really simple. Just check SSL cert on server side - and make
 decision - to bump, or not to bump.

 The second problem seems difficult and now I can't see any reasonable
 solution, excluding sniffer/manual add to acl.

 Any ideas? Will be write helper?

 WBR, Yuri

 05.01.2015 2:17, Douglas Davenport пишет:
  I saw a very similar feature in ufdbGuard which is a URL filter
 implemented as a Squid Redirector. They have a feature which probes the
 destination server for a valid HTTPS cert in parallel to the user's
 connection and terminates it if it turns out not to be a valid HTTPS cert.
 Their code is open source, maybe this could be helpful in creating such a
 helper?
 
  http://www.urlfilterdb.com/home.html
 
  On Sat, Jan 3, 2015 at 3:45 AM, Yuri Voinov yvoi...@gmail.com
 mailto:yvoi...@gmail.com yvoi...@gmail.com wrote:
 
 
  Term HTTPS often uses as Any connect over 443 port
 
  03.01.2015 13:59, Jason Haar пишет:
   On 01/01/15 00:11, James Harper wrote:
   The helper connects to the IP:port and tries to obtain the
  certificate, and then caches the result (in an sqlite database). If it
  can't do so within a fairly short time it returns failure (but keeps
  trying a bit longer and caches it for next time). Alternatively if the
  IP used to be SSL but is now timing out it returns the previously cached
  value. Negative results are cached for an increasing amount of time each
  time it fails, on the basis that it probably isn't SSL.
   That sounds great James! I'd certainly like to take a look at it too
 
   However, you say SSL  - did you mean HTTPS? ie discovering a
 ip:port
   is a IMAPS server doesn't really help squid talk to it - surely you
 want
   to discover HTTPS servers - and everything else should be
   pass-through/splice?
 
 
 
  ___
  squid-users mailing list
  squid-users@lists.squid-cache.org
 mailto:squid-users@lists.squid-cache.org
 squid-users@lists.squid-cache.org
  http://lists.squid-cache.org/listinfo/squid-users
 
 

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v2

 iQEcBAEBAgAGBQJUqbC7AAoJENNXIZxhPexGwwkH/j8XR2fQ4v/r3M2zFuDuhVsP
 JZMM93IvZrGYRzJjAmmwg7ZUoYdwWWEaXoY6GygO+RdZESWfPvh00cSsxwRKfmvm
 2s7sLDKlPnfUsf9fyWnihCtJg9hETZTsvUqK9I+iopiM1DHq/qwX3Pjkb2e2T45u
 JuqU5ySBZPEt6G1gRn/+F2EyHdhWpa9OOtfeTAt4/oaJIuLoHP7855fif/1eg59U
 QlISZkLjDcL4DqEVM+9UJh9TSN+dawj/Ks+3b+MT8sA/xvVdOyqhLMqnm4MPadSv
 yvK5nQWW4rkfHOJ1zwWq3hAMLjCIXjY4q1NxNQAxdK5ESZvszecvXg3JMKo/THw=
 =Ygen
 -END PGP SIGNATURE-


 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Jason Haar]

On 05/01/15 15:44, Eliezer Croitoru wrote:
 A squid helper is nice but... a NFQUEUE helper that can verify if to
 FORWARD or BUMP the connection would be a better suited solution to my
 opinion.
Not sure if you're ignoring the ssl-peek work, but squid still needs to
be able to peek in order for squid to know the actual HTTPS server
name the client is connecting to before it's able to call any external
helper/etc. As that involves understanding SSL (which is a huge chunk of
code) - that means it's not appropriate for a kernel solution - it has
to be done at Layer-7 (ie squid - but not some app called by squid as
that's too late to see the data it needs)

eg after hearing how James Harper wrote his own external https-tester
script, I've written my own and have been merrily testing it under
squid-3.4.10 (ie not 3.5 with peek). In proxy-mode it works great, the
https-tester script is passed the DNS name and port, it manually uses
curl to test that to ensure it's a real HTTPS server and returns OK,
else it returns ERR - making squid fall-back on passthrough/splice mode.
That means it can detect non-SSL apps, as well as client-cert protected
HTTPS webservers (which you also have to drop back to splice with - you
can never successfully MiTM a client-cert based SSL session).

However, the moment you try to do transparent https proxy, things break.
In that case, squid-3.4 only sees the destination IP, and https_tester
can only try to curl -k https://ip.add.ress:port/; - which only works
for *some* webservers. A lot have WAFs on them and righteously ditch the
incoming connection when they recognise the client (my script) doesn't
know what their hostname is. eg any HTTPS site using cloudfront.net is
in that category. Of course it still works - but in passthrough mode -
which isn't the outcome we're after.

I'm going to have to look at squid-3.5 ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Eliezer Croitoru]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hey Thread(Jason,Yuri,Douglas...),

There are couple aspects about the ssl and connections in general and
as we talk about ssl port I first would like to put couple things on
the table.

* Squid is a http caching proxy and there for every feature which is
out of the http related scope should not be handled by squid at all.
* Any squid operation is an application level and there for is limited
by the software(kernel + squid).
* There is a difference between servers taking a load of 1k requests
per second to a SMB which handles about 50 requests per second.

In general it's better to not intercept a connection which is not
bump-able.
The decision about if to DROP\REJECT or ACCEPT the connection should
better not involve squid in general if possible.
Squid offers a very nice interface but if you compare the Linux kernel
forwarding capabilities compared to squid you would see that squid is
very limited in the userspace.

So in a case the helper only needs to know if the connection is
bump-able there are other alternatives in the Linux kernel!!
And if you need logs.. you can use the *helper*(which one you ever
choose to work with) to log...

So now for the real thing:
My opinion about external_acl vs other solutions is that if squid with
an external_acl works for you and you understand what it means from
performance and security aspects try it, test it and then use it.

But if your squid load is high and in the case squid slows down the
bumped connections too much(compared to linux forwarding) I would try
to use something like NFQUEUE to just test if the connection is
bump-able or not by IP and DST PORT.

 * some information about NFQUEUE
https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/
http://suricata-ids.org/

* Some examples:
https://www.wzdftpd.net/redmine/projects/nfqueue-bindings/repository/entry/examples/rewrite.py
http://danmcinerney.org/reliable-dns-spoofing-with-python-scapy-nfqueue/
http://5d4a.wordpress.com/2011/08/25/having-fun-with-nfqueue-and-scapy/

A squid helper is nice but... a NFQUEUE helper that can verify if to
FORWARD or BUMP the connection would be a better suited solution to my
opinion.

All The Bests,
Eliezer Croitoru

On 01/05/2015 03:07 AM, Douglas Davenport wrote:
 Seems to me it would be more useful as an external ACL so that a
 decision could be made based on other factors eg src or dstdomain
 whether to deny or allow the un-bumpable connection.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJUqfp/AAoJENxnfXtQ8ZQUSwoH/icug7X4oexKW1hewZ+u6mUd
/MTS+0pfrcl3ZiKi3oNcYBbnI+o1oqDVgYdW2XKpeWuUaZpvDF0NsIsO0Aj+0kjy
BccCiofUQABKPuG2MtM4ODMUbouoob3eBWdVmbbRr3KWyAu0aPnjMHUWX5QeSAif
8FF38xQvnR4EOLi7UmT8UOV4iugloxg8feDjIxRcRPJalfAGrOyfGmFYuxoFELjg
7XMTTLkJW2DuteIl4M1cdKRSJKt/CUKah3z5D3EyDBQcHhV4xDUk3ncTLXXr1cZH
kLnkFQWC2Jq43S2zEin7STJE3zumWu/YN/s2Wj3oAmyPAQBAlkNpHB4VPoF9w+c=
=L6HT
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Jason Haar]

On 01/01/15 00:11, James Harper wrote:
 The helper connects to the IP:port and tries to obtain the certificate, and 
 then caches the result (in an sqlite database). If it can't do so within a 
 fairly short time it returns failure (but keeps trying a bit longer and 
 caches it for next time). Alternatively if the IP used to be SSL but is now 
 timing out it returns the previously cached value. Negative results are 
 cached for an increasing amount of time each time it fails, on the basis that 
 it probably isn't SSL.
That sounds great James! I'd certainly like to take a look at it too

However, you say SSL  - did you mean HTTPS? ie discovering a ip:port
is a IMAPS server doesn't really help squid talk to it - surely you want
to discover HTTPS servers - and everything else should be
pass-through/splice?

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Term HTTPS often uses as Any connect over 443 port

03.01.2015 13:59, Jason Haar пишет:
 On 01/01/15 00:11, James Harper wrote:
 The helper connects to the IP:port and tries to obtain the
certificate, and then caches the result (in an sqlite database). If it
can't do so within a fairly short time it returns failure (but keeps
trying a bit longer and caches it for next time). Alternatively if the
IP used to be SSL but is now timing out it returns the previously cached
value. Negative results are cached for an increasing amount of time each
time it fails, on the basis that it probably isn't SSL.
 That sounds great James! I'd certainly like to take a look at it too

 However, you say SSL  - did you mean HTTPS? ie discovering a ip:port
 is a IMAPS server doesn't really help squid talk to it - surely you want
 to discover HTTPS servers - and everything else should be
 pass-through/splice?


-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUp6wSAAoJENNXIZxhPexGb8MH/irRYZBuoGjHZrpcI6kweMGv
YqSjFYUasZ/hlDoN6bbJUKqAfeos0am0OuTy2FxOmA0YVxIEz6sJKj9FzeMJtOSW
NTZk7IJ7mT6aRg+hKfW3JCEl68RcLb0J/eSNvG6QR6HcqHQODiEE489zcq+o+yn0
Z45P1WwgQLv6PIIeNXnM7nFtA0ce3D54agu/fr7zC3c1Z72A04BMU0W4dFC9M6Ob
T2NQz2CsSp+nIDFZjHTaZuBmw5ZjMtrsoO79FT5GyX1lT+tCR9angtI+TYSSis15
o+/aw1U+yWScZXhdNUz/gjWLbW8WL/9ygVY43Y2laPII+WdlFhaJozEhr5h1e+A=
=2f0+
-END PGP SIGNATURE-

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Amos Jeffries]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 2/01/2015 1:21 p.m., Eliezer Croitoru wrote:
 Hey Yuri,
 
 You would want to avoid sqlite as far as you can due to it's Whole
 DB file LOCK nature.

Indeed. My experience with SQLite has been that it is vastly slower
than other DB options even a remote SQL database.

FWIW other Squid helpers written in C/C++ use BerkleyDB, and if
written in Perl use the DBI module for generic SQL DB's.

There is also the option of not using a DB at all in the initial
version. Squid has a cache of previous helper results which it uses
instead of calling the helper repeatedly for the same input.


Yuri, regarding Squid packaged helpers...

Distribution of any code within the Squid package requires:

 1) copyright under GPLv2+ or a GPL compatible license (such as Public
Domain, or BSD 3-clause license).

 2) compliance with the Squid coding and documentation guidelines.
  - One guideline is that the code be as portable as possible. So take
that into consideration with scripts.


* I also request authors/submitters of new helpers to please provide
at least 1 years support for it. Both in assistance of the community
here in squid-users learning how to use the helper, and in support
maintaining its code through its early period when most bugs are found.

Amos
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUphGSAAoJELJo5wb/XPRj600H/i23sN/OgYocxWTAZ3/3lvM/
I/Z7KA/JTBCsVbWybO9WlNHZQkm9cE+F4H2a62Aw6MVojYERq7+p30/sB29GxGhS
05+JwpzvQ+bQfDgAi8fp4XPSnjuSBjA7MdQPUf6sAH8qFfOtuLYX3DBFKVGA77dY
mLxLsZcozJyqzMbwA55A4nU5sOBZo0je9LMdYXt0ag05RVVLRz4baGKKmZIH6rd2
HbZ5O2glTHhOv1UJ/oHoeX0LD3U1bg88iUD455/SEYwOgR56D0E6XfnK8MWYgYy7
7tsj1FkkVBxQKso6YT8+rD1czR1+eyQa4MT92nWMUBxsOmNifS4ujkhO1zZNIGQ=
=yJ2S
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Amos Jeffries]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 2/01/2015 4:33 p.m., Amos Jeffries wrote:
 
 Yuri, regarding Squid packaged helpers...
 

Opps sorry that should have been directed at James or anyone wishing
to bundle his helper with Squid.


 Distribution of any code within the Squid package requires:
 
 1) copyright under GPLv2+ or a GPL compatible license (such as
 Public Domain, or BSD 3-clause license).
 
 2) compliance with the Squid coding and documentation guidelines. -
 One guideline is that the code be as portable as possible. So take 
 that into consideration with scripts.
 
 
 * I also request authors/submitters of new helpers to please
 provide at least 1 years support for it. Both in assistance of the
 community here in squid-users learning how to use the helper, and
 in support maintaining its code through its early period when most
 bugs are found.
 

Amos

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUphLKAAoJELJo5wb/XPRjcR4IAM+oU38WD75nhjqZL88adyfC
9GkmtXuKRUSErHMNdllBuedLdg0d1ws4PDS/u3MqNoGiNKb5EXxdX1Uu508ym9E2
dmFqatGSsjYyhOFkFx3saFCSm1bX2w+dcJDlp9c30YKRAuTQfABicYg1b+y6CU6S
RU1yRZpSAkzE/8bjl1iufNHf6CJ2BiIVFLmyf6SpDPvYOzMTQ3S8pGbslvi3H2Dd
1MkU1caInOhSifNvKpXUx8CcODBkCI4F7GXO/kNxmNEOHp0OD0xempa3sgUjmsIJ
rzLdnt84MeG1LRSJONajJshLp72FemQOl19KjfgmSO97EnhSKMFk2cTOlEuMKN4=
=fMGW
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[James Harper]

 
 Probably non-HTTPS protocol being used.
 
 As bumping gets more popular we are hearing about a number of services
 abusing port 443 for non-HTTPS protocols on the false assumption that
 the TLS layer goes all the way to the origin server without
 inspection. That has never been a true assumption, CDN frontends have
 always decrypted.
 

I've mentioned it before, and it's been pointed out that it probably doesn't 
scale, but I wrote a callout helper for this reason and for better logging.

Basically:

external_acl_type cert_callout concurrency=20 %DST %PORT 
/usr/local/squid/libexec/ext_cert_callout_acl
acl is_ssl external cert_callout IS_SSL
ssl_bump bump is_ssl
ssl_bump splice all

The helper connects to the IP:port and tries to obtain the certificate, and 
then caches the result (in an sqlite database). If it can't do so within a 
fairly short time it returns failure (but keeps trying a bit longer and caches 
it for next time). Alternatively if the IP used to be SSL but is now timing out 
it returns the previously cached value. Negative results are cached for an 
increasing amount of time each time it fails, on the basis that it probably 
isn't SSL.

So it's somewhat optimistic - on a slow link or for a slow server a given 
IP:port might be spliced the first time when it should be bumped, but it will 
learn fairly quickly. And for non-SSL connections that appear to just hang in 
response to the request there will be an additional delay the first time. But 
otherwise it learns about the target without requiring admin intervention.

It also returns the name of the cert so it can be logged instead of the IP (for 
transparent connections), although that isn't ideal as the same IP might be 
used for many services (google/youtube/etc)

I can post it if anyone is interested, although it would require a bit of work 
to be completely useful.

James

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Amos Jeffries]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 31/12/2014 2:12 a.m., Yuri Voinov wrote:
 
 Hi gents,
 
 I found strange issue.
 
 Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs
 correct.
 
 Whenever all web https sites works perfectly - especially in
 Chrome, most cloud clients works like charm (SpiderOak is!), Google
 Drive client application (PC) could not work. Note: Web Google Docs
 works. Web Google drive works.
 
 Note: Google support info - even I if pass dozen Google URL's
 without bump - cannot help. It doesn't work when server-first
 bumping is on and works othervise.
 
 So, the Serious Question is: Why? :)
 
 Any idea?
 

Probably non-HTTPS protocol being used.

As bumping gets more popular we are hearing about a number of services
abusing port 443 for non-HTTPS protocols on the false assumption that
the TLS layer goes all the way to the origin server without
inspection. That has never been a true assumption, CDN frontends have
always decrypted.

Amos
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUoq9PAAoJELJo5wb/XPRjcSQIAJk349r6X95aJbaTTueFWfgP
RkAOwmDF7M6kiir8XgJ0D4+LXXL4mTxwkuGlIDe1au1jrhMAY8S1aIoU1Dc0BN5x
z4j9m1OeSeTrMAVvDCSFdf+pvAWOpLclY+f6b5HY773vus0kqT8PWhb4wVaIHP3m
9JtgpKOD9ElWdZosGVtdIl3uaExrmFGFbNLeVVo6VdeSE/D21YcH2HtEo3b+dopx
9T1SCMHItT83lr0LLFTlgTlKBrjREuKMNHN1L6FWkyJSe9OSu1efPvm23MG33G8a
ShbFMrWh9Zo50fVXZRidAyXlvjBcX7aHM/ZSb8+3ID5O7Ao484aPvbSSck9Hq/g=
=IeYG
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Rafael Akchurin]

SSL Pinning? (I know Dropbox does this)

my two cents only :)

Raf


From: squid-users squid-users-boun...@lists.squid-cache.org on behalf of Yuri 
Voinov yvoi...@gmail.com
Sent: Tuesday, December 30, 2014 2:12 PM
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid 3 SSL bump: Google drive application could not 
connect

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi gents,

I found strange issue.

Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.

Whenever all web https sites works perfectly - especially in Chrome,
most cloud clients works like charm (SpiderOak is!), Google Drive client
application (PC) could not work.
Note: Web Google Docs works. Web Google drive works.

Note: Google support info - even I if pass dozen Google URL's without
bump - cannot help. It doesn't work when server-first bumping is on and
works othervise.

So, the Serious Question is: Why? :)

Any idea?


-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBAgAGBQJUoqSqAAoJENNXIZxhPexGMlsH/iEoVUCBOdF174Kj8I9mBbI3
RFdsouwnd6IMT0HTBt+MtjHK00NU/8yKVwgmUy4IyqVK1k6j+96ipGR6SeRsVzu1
RC7eym7ZLlRBWKUx+evQ5VhYXv7c1sX6UzD8irAUAp1019mZCVm5LfM4JJ/Vadw+
3mlOj4ASQGjDnA3BU+YKUhITFFdOY8vGrZKrJvY8JtkpOZ6i+GKW4V8UB+uGXicL
cYpx+LEbIV6UCL+lA4O3vOiQPBEVymu+TCeQ2gp6sxwNE+927TNrJEh8hp6IXha1
KAgareSZK3lp+/NXQwJTRsUw1YF768iPWP+RcB1Ao+2CGDjGk49b6WigvvHKlL0=
=Vbof
-END PGP SIGNATURE-


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
May be.

Does workaround exists?

30.12.2014 20:09, Rafael Akchurin ?:
 SSL Pinning? (I know Dropbox does this)

 my two cents only :)

 Raf

 
 From: squid-users squid-users-boun...@lists.squid-cache.org on
behalf of Yuri Voinov yvoi...@gmail.com
 Sent: Tuesday, December 30, 2014 2:12 PM
 To: squid-users@lists.squid-cache.org
 Subject: [squid-users] Squid 3 SSL bump: Google drive application
could not connect

 Hi gents,

 I found strange issue.

 Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs
correct.

 Whenever all web https sites works perfectly - especially in Chrome,
 most cloud clients works like charm (SpiderOak is!), Google Drive client
 application (PC) could not work.
 Note: Web Google Docs works. Web Google drive works.

 Note: Google support info - even I if pass dozen Google URL's without
 bump - cannot help. It doesn't work when server-first bumping is on and
 works othervise.

 So, the Serious Question is: Why? :)

 Any idea?




 ___
 squid-users mailing list
 squid-users@lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users

-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUorRuAAoJENNXIZxhPexGRPEH/0Vlh/kZINRlo3IaDe/9UYSW
M0oaXQemB2Wg/wvNMdZ8SA3F4dUJUuHgS/y7FXcCgP/KgWnudsoJ7oPiHEVNPzt3
L8K7rNPy3d/c/+baXilh4/xErp/mAOKU/mLBqd0GQYQ2N7bAsWpsWqt7/dTGxWkU
kLVgFJr9JblxVdABAZ7JTooye3bLskdrAB/865vZOyQcveozW6d4TKZwaEGFrq/d
b/3Mki4T6YLMG248jVN+43W2us6Z598geDLn8aJN+zb/s6TBEzxy1d5tUROM4a2A
1rE7B92o+9leZi+JdQAGX4l7Um1WVmrnih52w+Pxz/PR/k7Hz+fCcQBlUtsqvMk=
=Lf+I
-END PGP SIGNATURE-

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Rafael Akchurin]

Hello Yuri,

Luckily the same topic was just discussed on our forum – please see if this can 
help 
https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ

It describes the iptables settings for successful SSL bump exclusions for 
Dropbox clients / Google Drive / iTunes (bypassing SSL Bump because of SSL 
Pinning).

Best regards,
Raf

From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf 
Of Rafael Akchurin
Sent: Tuesday, December 30, 2014 4:23 PM
To: Yuri Voinov; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not 
connect


​Only exclusion from SSL Bump as far as I know.



raf


From: Yuri Voinov yvoi...@gmail.commailto:yvoi...@gmail.com
Sent: Tuesday, December 30, 2014 3:19 PM
To: Rafael Akchurin; 
squid-users@lists.squid-cache.orgmailto:squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not 
connect


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

May be.

Does workaround exists?

30.12.2014 20:09, Rafael Akchurin ?:
 SSL Pinning? (I know Dropbox does this)



 my two cents only :)



 Raf



 

 From: squid-users mailto:squid-users-boun...@lists.squid-cache.org
squid-users-boun...@lists.squid-cache.orgmailto:squid-users-boun...@lists.squid-cache.org
 on behalf of Yuri Voinov mailto:yvoi...@gmail.com
yvoi...@gmail.commailto:yvoi...@gmail.com

 Sent: Tuesday, December 30, 2014 2:12 PM

 To: mailto:squid-users@lists.squid-cache.org
squid-users@lists.squid-cache.orgmailto:squid-users@lists.squid-cache.org

 Subject: [squid-users] Squid 3 SSL bump: Google drive application could not   
   connect



 Hi gents,



 I found strange issue.



 Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.



 Whenever all web https sites works perfectly - especially in Chrome,

 most cloud clients works like charm (SpiderOak is!), Google Drive client

 application (PC) could not work.

 Note: Web Google Docs works. Web Google drive works.



 Note: Google support info - even I if pass dozen Google URL's without

 bump - cannot help. It doesn't work when server-first bumping is on and

 works othervise.



 So, the Serious Question is: Why? :)



 Any idea?









 ___

 squid-users mailing list

 mailto:squid-users@lists.squid-cache.org
squid-users@lists.squid-cache.orgmailto:squid-users@lists.squid-cache.org

 http://lists.squid-cache.org/listinfo/squid-users
http://lists.squid-cache.org/listinfo/squid-users

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBAgAGBQJUorRuAAoJENNXIZxhPexGRPEH/0Vlh/kZINRlo3IaDe/9UYSW
M0oaXQemB2Wg/wvNMdZ8SA3F4dUJUuHgS/y7FXcCgP/KgWnudsoJ7oPiHEVNPzt3
L8K7rNPy3d/c/+baXilh4/xErp/mAOKU/mLBqd0GQYQ2N7bAsWpsWqt7/dTGxWkU
kLVgFJr9JblxVdABAZ7JTooye3bLskdrAB/865vZOyQcveozW6d4TKZwaEGFrq/d
b/3Mki4T6YLMG248jVN+43W2us6Z598geDLn8aJN+zb/s6TBEzxy1d5tUROM4a2A
1rE7B92o+9leZi+JdQAGX4l7Um1WVmrnih52w+Pxz/PR/k7Hz+fCcQBlUtsqvMk=
=Lf+I
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Already found this lonely right post ;) I have Google-Fu too :) And it
longer than you :)

Anyway,

all of these issues solved.

I have snoop (not Windoze wireshark - all great things makes in console,
ya!) and take a look on single client traffic during bumping.

As I haven't iptables (no penguins, please!), but I have Cisco 2911, I
pass some Windows Update, Symantec Update (which is not work too)
bypassing Squid.

Cisco is greatest. All others are probably suxx :)

The complete solution looks like:

access-list 121 remark ACL for HTTPS WCCP
access-list 121 remark Squid proxies bypass
access-list 121 deny   ip host 192.168.200.3 any
access-list 121 remark WU bypass
access-list 121 deny tcp any 191.232.0.0 0.7.255.255
access-list 121 deny tcp any 65.52.0.0 0.3.255.255
access-list 121 remark Symantec bypass
access-list 121 deny tcp any host 195.215.221.99
access-list 121 deny tcp any host 195.215.221.104
access-list 121 deny tcp any host 213.248.114.172
access-list 121 deny tcp any host 213.248.114.173
access-list 121 deny tcp any host 213.248.114.174
access-list 121 deny tcp any host 213.248.114.175
access-list 121 deny tcp any host 77.67.22.168
access-list 121 deny tcp any host 77.67.22.171
access-list 121 deny tcp any host 77.67.22.173
access-list 121 deny tcp any host 213.248.114.171
access-list 121 remark LAN clients proxy port 443
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 121 remark all others bypass WCCP
access-list 121 deny   ip any any

So, all others issue solves similar.

Want to do something good - do it yourself!

That's the way. :)

30.12.2014 23:39, Rafael Akchurin пишет:

 Hello Yuri,

 

 Luckily the same topic was just discussed on our forum – please see if
this can help
https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ

 

 It describes the iptables settings for successful SSL bump exclusions
for Dropbox clients / Google Drive / iTunes (bypassing SSL Bump because
of SSL Pinning).

 

 Best regards,

 Raf

 

 *From:*squid-users [mailto:squid-users-boun...@lists.squid-cache.org]
*On Behalf Of *Rafael Akchurin
 *Sent:* Tuesday, December 30, 2014 4:23 PM
 *To:* Yuri Voinov; squid-users@lists.squid-cache.org
 *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect

 

 ​Only exclusion from SSL Bump as far as I know.

 

 raf

 -

 *From:*Yuri Voinov yvoi...@gmail.com mailto:yvoi...@gmail.com
 *Sent:* Tuesday, December 30, 2014 3:19 PM
 *To:* Rafael Akchurin; squid-users@lists.squid-cache.org
mailto:squid-users@lists.squid-cache.org
 *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect

 


 May be.

 Does workaround exists?

 30.12.2014 20:09, Rafael Akchurin ?:
  SSL Pinning? (I know Dropbox does this)



  my two cents only :)



  Raf



  

  From: squid-users mailto:squid-users-boun...@lists.squid-cache.org

 squid-users-boun...@lists.squid-cache.org
mailto:squid-users-boun...@lists.squid-cache.orgon behalf of Yuri
Voinov mailto:yvoi...@gmail.com

 yvoi...@gmail.com mailto:yvoi...@gmail.com

  Sent: Tuesday, December 30, 2014 2:12 PM

  To: mailto:squid-users@lists.squid-cache.org

 squid-users@lists.squid-cache.org
mailto:squid-users@lists.squid-cache.org

  Subject: [squid-users] Squid 3 SSL bump: Google drive application
could not connect



  Hi gents,



  I found strange issue.



  Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs
correct.



  Whenever all web https sites works perfectly - especially in Chrome,

  most cloud clients works like charm (SpiderOak is!), Google Drive client

  application (PC) could not work.

  Note: Web Google Docs works. Web Google drive works.



  Note: Google support info - even I if pass dozen Google URL's without

  bump - cannot help. It doesn't work when server-first bumping is on and

  works othervise.



  So, the Serious Question is: Why? :)



  Any idea?









  ___

  squid-users mailing list

  mailto:squid-users@lists.squid-cache.org

 squid-users@lists.squid-cache.org
mailto:squid-users@lists.squid-cache.org

  http://lists.squid-cache.org/listinfo/squid-users

 http://lists.squid-cache.org/listinfo/squid-users



-BEGIN PGP SIGNATURE-
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUowFgAAoJENNXIZxhPexGHxkIAM2mb+OjhevZWpgdwiKHP2E0
D+8UM6/c7OZcJ2uSjIWN7DG0h+b86/ATul+9S+mZHl1DLBYpGUKW9J5I3iIQb+sr
5xR2ReFkuFeSpZASXex2yq5lfmACPdiUzI9iVhe7DPJqKJNiIzvHLq4ZRnjJN4Ih
0u0NGuPKfkkWFJ/SmXAceEdS7sT/lT0cVm1JgpurVzipelBUNbLQUd0yKrpbIz2x
ia7gwu3ZFi2aY2DvrfP7ntkoZpLl+SyDI/PkFIEaAr2+KaMcTbUXVQcVTZ7S6eLu
pgCNil0x8AFApWSIg+P68DcFcIS/nUIvNqXjuvr0ikqGwLEAqvueM6LPKifsdSg=
=J+Cs
-END PGP SIGNATURE-

___
squid-users mailing list
squid-users@lists.squid-cache.org
http

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Yuri Voinov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
Sure.

Squid 3 WCCP key config part:

# WCCPv2 parameters
wccp2_router 192.168.200.2
wccp2_forwarding_method l2
wccp2_return_method l2
wccp2_service standard 0
wccp2_rebuild_wait off
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp
flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240 ports=443

Cisco config key parts:

!
ip wccp web-cache redirect-list 120
ip wccp 70 redirect-list 121
!
!
! This interface look to Squid proxy (internal networks on another
interface)
interface GigabitEthernet0/1
 ip address 192.168.200.2 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp 70 redirect out
 ip nbar protocol-discovery
 ip virtual-reassembly in
 duplex auto
 speed auto
!
access-list 120 remark ACL for HTTP WCCP
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny   ip host 192.168.200.3 any
access-list 120 remark LAN clients proxy port 80
access-list 120 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 120 remark all others bypass WCCP
access-list 120 deny   ip any any
!
access-list 121 remark ACL for HTTPS WCCP
access-list 121 remark Squid proxies bypass
access-list 121 deny   ip host 192.168.200.3 any
access-list 121 remark LAN clients proxy port 443
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 121 remark all others bypass WCCP
access-list 121 deny   ip any any
!

That's all. :)

31.12.2014 2:10, Rafael Akchurin пишет:

 Glad that it worked.

 May be useful to dump here your squid.conf to better understand how to
configure squid to transparently work with wccp traffic coming from your
Cisco router?

 Raf

 

 *From:*Yuri Voinov [mailto:yvoi...@gmail.com]
 *Sent:* Tuesday, December 30, 2014 8:48 PM
 *To:* Rafael Akchurin; squid-users@lists.squid-cache.org
 *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect

 


 Already found this lonely right post ;) I have Google-Fu too :) And it
longer than you :)

 Anyway,

 all of these issues solved.

 I have snoop (not Windoze wireshark - all great things makes in
console, ya!) and take a look on single client traffic during bumping.

 As I haven't iptables (no penguins, please!), but I have Cisco 2911, I
pass some Windows Update, Symantec Update (which is not work too)
bypassing Squid.

 Cisco is greatest. All others are probably suxx :)

 The complete solution looks like:

 access-list 121 remark ACL for HTTPS WCCP
 access-list 121 remark Squid proxies bypass
 access-list 121 deny   ip host 192.168.200.3 any
 access-list 121 remark WU bypass
 access-list 121 deny tcp any 191.232.0.0 0.7.255.255
 access-list 121 deny tcp any 65.52.0.0 0.3.255.255
 access-list 121 remark Symantec bypass
 access-list 121 deny tcp any host 195.215.221.99
 access-list 121 deny tcp any host 195.215.221.104
 access-list 121 deny tcp any host 213.248.114.172
 access-list 121 deny tcp any host 213.248.114.173
 access-list 121 deny tcp any host 213.248.114.174
 access-list 121 deny tcp any host 213.248.114.175
 access-list 121 deny tcp any host 77.67.22.168
 access-list 121 deny tcp any host 77.67.22.171
 access-list 121 deny tcp any host 77.67.22.173
 access-list 121 deny tcp any host 213.248.114.171
 access-list 121 remark LAN clients proxy port 443
 access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
 access-list 121 remark all others bypass WCCP
 access-list 121 deny   ip any any

 So, all others issue solves similar.

 Want to do something good - do it yourself!

 That's the way. :)

 30.12.2014 23:39, Rafael Akchurin пишет:


Hello Yuri,







Luckily the same topic was just discussed on our forum –

   please see if this can help


https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ







It describes the iptables settings for successful SSL bump

   exclusions for Dropbox clients / Google Drive / iTunes (bypassing

   SSL Bump because of SSL Pinning).







Best regards,



Raf







*From:*squid-users

   [mailto:squid-users-boun...@lists.squid-cache.org] *On Behalf Of

  *Rafael Akchurin

*Sent:* Tuesday, December 30, 2014 4:23 PM

*To:* Yuri Voinov; squid-users@lists.squid-cache.org
mailto:squid-users@lists.squid-cache.org

*Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive

   application could not connect







​Only exclusion from SSL Bump as far as I know.







raf



-



*From:*Yuri Voinov yvoi...@gmail.com mailto:yvoi...@gmail.com

   mailto:yvoi...@gmail.com mailto:yvoi...@gmail.com

*Sent:* Tuesday, December 30, 2014 3:19 PM

*To:* Rafael Akchurin; squid-users@lists.squid-cache.org
mailto:squid-users@lists.squid-cache.org

   mailto:squid-users@lists.squid-cache.org
mailto:squid-users@lists.squid-cache.org

*Subject:* Re: [squid

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[Rafael Akchurin]

Perfect thanks a lot!!!
Raf :)

From: Yuri Voinov [mailto:yvoi...@gmail.com]
Sent: Tuesday, December 30, 2014 9:23 PM
To: Rafael Akchurin; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 3 SSL bump: Google drive application could not 
connect


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

WCCP only, of course. To reduce Cisco CPU usage.

Also, iOS version 15.4 with SECURITYK9 techno pack activated.

31.12.2014 2:21, Rafael Akchurin пишет:


   Just for me to completely clarify:

  

  

  

   - how exactly your Squid gets the traffic from your clients?
  (explicit proxy or cisco WCCP?)

  

  

  

   raf

  

   *From:*Yuri Voinov [mailto:yvoi...@gmail.com]

   *Sent:* Tuesday, December 30, 2014 9:16 PM

   *To:* Rafael Akchurin; 
squid-users@lists.squid-cache.orgmailto:squid-users@lists.squid-cache.org

   *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
  application could not connect

  

  

  

  

   To finalize a solution,

  

   see the our favorite:

  

  
  http://www.squid-cache.org/mail-archive/squid-users/201406/0369.html

  

   Why use iptables, ipfilter,Cisco, etc?!

  

   Only Squid, only hardcore!

  

   Revert cisco config back:

  

   R2911(config)#no access-list 121

   R2911(config)#access-list 121 remark ACL for HTTPS WCCP

   R2911(config)#access-list 121 remark Squid proxies bypass

   R2911(config)#access-list 121 deny   ip host 192.168.200.3
  any

   R2911(config)#access-list 121 deny   ip host 192.168.100.251
  any

   R2911(config)#access-list 121 remark Videoserver

   R2911(config)#access-list 121 deny   ip host 192.168.200.5
  any

   R2911(config)#access-list 121 remark LAN clients proxy port
  443

   R2911(config)#access-list 121 permit tcp 192.168.0.0
  0.0.255.255 any eq 443

   R2911(config)#access-list 121 remark all others bypass WCCP

   R2911(config)#access-list 121 deny   ip any any

   R2911(config)#^Z

   R2911#wr

   Building configuration...

   [OK]

  

   Write acl file with IP/net with SSL Pinning:

  

   root @ ktulhu /usr/local/squid/etc # cat dst.nobump

   # BCC bypass

   91.198.63.0/24

   # Salyk bypass

   212.154.165.148/32

   # WU bypass

   191.232.0.0/13

   65.52.0.0/14

   # Symantec bypass

   195.215.221.99/32

   195.215.221.104/32

   213.248.114.172/32

   213.248.114.173/32

   213.248.114.174/32

   213.248.114.175/32

   77.67.22.168/32

   77.67.22.171/32

   77.67.22.173/32

   213.248.114.171/32

  

   Add needful nets/apps to acl by your taste.

  

   Add to squid config:

  

   # SSL bump acl

   acl net_bump src /usr/local/squid/etc/net.bump

   # HTTP-use 443 port apps

   acl url_nobump dstdom_regex \.icq\.*

   # SSL Pinning servers. Only ip-based dst acl!

   acl dst_nobump dst /usr/local/squid/etc/dst.nobump

  

   # SSL bump rules

   sslproxy_cert_error allow all

   ssl_bump none localhost

   ssl_bump none url_nobump

   ssl_bump none dst_nobump

   ssl_bump server-first net_bump

  

   Yahooo! The same result with Squid only!

  

   30.12.2014 23:39, Rafael Akchurin пишет:

SSL Pinning

  

  

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBAgAGBQJUowmnAAoJENNXIZxhPexGEtwH/10nuDG9+Z7AG2W+nh64X7JV
5JmvvaC778yUYnMUaPJTLPK3hxVuQshVMaE2x4jhuxBEkhtKPWBJZg8JFLFinzf5
nDINk8zz0j4fLCXmDAJaXz2NMacUviCiKFY8k63SumxKeTIBU20DuLk9glggTpfY
3RgdNWfvmma9iv8QW/s2UJFbRdJS0cLjra4XFFQBZLyGEJPTOcft3slWX3QgHVCD
SB3CZWy2gwbLVphiCiG91HxBtUUUzSLqPc60RdSwOCoSOaBMHZgy8yjZ8VRgQkyi
uz41hhp1mCMfssNjoLdCvr/AxJG990yQ24MiCDuzN9fYVNzUPdXF+q4E5G/avtk=
=FkuL
-END PGP SIGNATURE-
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid 3 SSL bump: Google drive application could not connect

[shawn wilson]

On Dec 30, 2014 7:04 PM, Amos Jeffries squ...@treenet.co.nz wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 On 31/12/2014 6:30 a.m., shawn wilson wrote:
  On Dec 30, 2014 8:57 AM, Amos Jeffries wrote:
 
 
 
  As bumping gets more popular we are hearing about a number of
  services abusing port 443 for non-HTTPS protocols on the false
  assumption that the TLS layer goes all the way to the origin
  server without inspection. That has never been a true assumption,
  CDN frontends have always decrypted.
 
 
  OT but you use 443 because people expect it to be encrypted web
  data and don't block it. And DPI doesn't tell you anything more.
 

 web is no longer just HTTP and that is part of the problem. People
 treating port 443 as if any of the web protocols can use it just by
 being wrapped in TLS.


Worse than that - I'm mainly thinking ssh (which won't survive DPI).

 Port 443 is specifically registered for HTTP over TLS (aka HTTPS).
 Web includes HTTP, but also includes protocols like RSS, WebSockets,
 SPDY, QUIC, COAP, even IRC and Jabber at times.

 The other non-HTTP protocols have other non-443 ports registered or
 available for their use. Some like SMTP even switch their main port
 between encrypted and non-encrypted as needed.

 I know it can be hard to get unusual ports opened past firewalls, but
 that is not being helped by everything using only a handful of ports.
 [I have a long rant at this point about lazy corporates, but its 2015
 in a few hrs so I'll drop it for now].


My point isn't even about lazy corporates  but this: how many airlines
will block ssh over port 22 and how many will block it over 443? (And if
that doesn't work OpenVPN on 443 and ssh through that) I assume Google
thought along similar lines when they talked about which port to put their
binary Drive data on.

You want people to stop using 443 for non-https traffic, get people to stop
blocking the other ssl ports.

This is OT but here's the topical point -  if you're going to bump http+ssl
traffic, you need to know that due to some people blocking alternative
ports for secure services, you'll always see non-http traffic here. The
IETF might give you a port but only smart long term business decisions will
allow you to keep it - that's far past over for 443/tcp at this point I
think :/
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users