Hi all, a Measurement Factory customer reported the following bug: 1) A user sends a CONNECT request with valid credentials 2) Squid checks the credentials and adds the user to the user cache 3) The same user sends a CONNECT request with invalid credentials 4) Squid overwrites the entry in the user cache and denies the second CONNECT request 5) The user sends a GET request on the first SSL connection which is established by now 6) Squid knows that it does not need to check the credentials on the bumped connection but still somehow checks again whether the user is successfully authenticated 7) Due to the second CONNECT request the user is regarded as not successfully authenticated 8) Squid denies the GET request of the first SSL connection with 403 ERR_CACHE_ACCESS_DENIED
On proxies with Basic authentication and SSL bumping, this can be used to prevent a legitimate user from making any HTTPS requests I am attaching a patch which disables authentication for tunneled requests. Looks important bug and patch should applied. Looking in the authentication squid3 code I am seeing issues, related to authentication cache. For example - inside Auth::Basic::User::updateCached() we are replacing with (maybe wrong) password a valid cache entry. This is does not looks normal. - For digest authentication inside Auth::Digest::Config::decode method we are retrieving user from cache, and if we found it we are marking the cached user as Auth::Unchecked which means that the entry needs checking again. Looking in the code, in practice this is means, do not use cache, always query again. Am I missing something?
=== modified file 'src/auth/AclProxyAuth.cc' --- src/auth/AclProxyAuth.cc 2013-06-05 20:21:26 +0000 +++ src/auth/AclProxyAuth.cc 2014-03-21 16:05:08 +0000 @@ -61,44 +61,47 @@ type_ = rhs.type_; return *this; } char const * ACLProxyAuth::typeString() const { return type_; } void ACLProxyAuth::parse() { data->parse(); } int ACLProxyAuth::match(ACLChecklist *checklist) { allow_t answer = AuthenticateAcl(checklist); + ACLFilledChecklist *filled = Filled(checklist); // convert to tri-state ACL match 1,0,-1 switch (answer) { case ACCESS_ALLOWED: + if (filled->request->flags.sslBumped) + return 1; // AuthenticateAcl() already handled this bumped request // check for a match return matchProxyAuth(checklist); case ACCESS_DENIED: return 0; // non-match case ACCESS_DUNNO: case ACCESS_AUTH_REQUIRED: default: // If the answer is not allowed or denied (matches/not matches) and // async authentication is not in progress, then we are done. if (checklist->keepMatching()) checklist->markFinished(answer, "AuthenticateAcl exception"); return -1; // other } } wordlist * ACLProxyAuth::dump() const {