Hi 

I'm using squid (3.5.9) as a transparent https proxy with the build options and config shown below (I removed some uninteresting things from the config, like caching).

To make the system more secure I would like to add CRL checking (static at the moment, later maybe dynamic if it's possible with my skills :-) ) and OCSP (later).
I'm using the site https://revoked.grc.com/ to test my config.
To do it I downloaded the certificate from the site, checked whether a CRL URI is available and downloaded the CRL.
I converted the CRL from DER to PEM format and inserted it into my squid.conf: "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".

I tested the "crl.pem" with openssl, and the site https://revoked.grc.com/ is revoked in the CRL.

But why does squid seem to ignore the crlfile option / file?
I also tested using the CRL in DER format, but it still wouldn't work; I didn't even see an error in the log when the file isn't available.


#logfile
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1684) doCallouts: 
Doing calloutContext->hostHeaderVerify()
2015/10/01 12:40:45.015 kid1| 83,3| client_side_request.cc(1691) doCallouts: 
Doing calloutContext->clientAccessCheck()
2015/10/01 12:40:45.017 kid1| 83,3| client_side_request.cc(1712) doCallouts: 
Doing calloutContext->clientRedirectStart()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1720) doCallouts: 
Doing calloutContext->clientAccessCheck2()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1739) doCallouts: 
Doing clientInterpretRequestHeaders()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1748) doCallouts: 
Doing calloutContext->checkNoCache()
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1528) sslBumpNeed: 
sslBump required: peek
2015/10/01 12:40:45.018 kid1| 83,3| client_side_request.cc(1830) doCallouts: 
calling processRequest()
2015/10/01 12:40:45.025 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 
104(6000, 0x7fffffffe51c)
2015/10/01 12:40:45.026 kid1| 83,5| client_side.cc(4267) 
clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 
11 bytes
2015/10/01 12:40:45.026 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 
bytes of TLS client Hello
2015/10/01 12:40:45.026 kid1| 83,2| client_side.cc(4270) 
clientPeekAndSpliceSSL: SSL_accept failed.
<snipped more failed SSL_accepts >
2015/10/01 12:40:45.040 kid1| 83,5| client_side.cc(4267) 
clientPeekAndSpliceSSL: Start peek and splice on FD 10
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(118) read: FD 10 read 11 <= 11
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(144) readAndBuffer: read 11 out of 
11 bytes
2015/10/01 12:40:45.040 kid1| 83,5| bio.cc(148) readAndBuffer: recorded 11 
bytes of TLS client Hello
2015/10/01 12:40:45.041 kid1| 83,2| client_side.cc(4270) 
clientPeekAndSpliceSSL: SSL_accept failed.
2015/10/01 12:40:45.041 kid1| 83,5| client_side.cc(4284) 
clientPeekAndSpliceSSL: I got hello. Start forwarding the request!!!
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 
104(6001, 0x7fffffffe4bc)
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(95) write: FD 15 wrote 357 <= 357
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 7
2015/10/01 12:40:45.220 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 7 <= 7
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 
6(0, 0x8077e5f90)
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1453 <= 4368
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 2915
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 1455
2015/10/01 12:40:45.408 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.586 kid1| 83,5| bio.cc(118) read: FD 15 read 1455 <= 1455
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL 
Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.587 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL 
Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,5| support.cc(257) ssl_verify_cb: SSL 
Certificate signature OK: /C=US/OU=Domain Control Validated/CN=revoked.grc.com
2015/10/01 12:40:45.588 kid1| 83,4| support.cc(211) check_domain: Verifying 
server domain revoked.grc.com to certificate name/subjectAltName revoked.grc.com
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(95) write: FD 15 wrote 182 <= 182
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 
11(0, 0x0)
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 5
2015/10/01 12:40:45.593 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.781 kid1| 83,5| bio.cc(118) read: FD 15 read 5 <= 5
2015/10/01 12:40:45.781 kid1| 83,5| bio.cc(118) read: FD 15 read 1 <= 1
2015/10/01 12:40:45.781 kid1| 83,5| bio.cc(118) read: FD 15 read 5 <= 5
2015/10/01 12:40:45.781 kid1| 83,5| bio.cc(118) read: FD 15 read 64 <= 64
2015/10/01 12:40:45.781 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x8077e5eb0 
7(0, 0x8077e5f90)
2015/10/01 12:40:45.781 kid1| 83,5| PeerConnector.cc(304) 
serverCertificateVerified: HTTPS server CN: revoked.grc.com bumped: 
local=46.227.216.51:61698 remote=4.79.142.205:443 FD 15 flags=1
2015/10/01 12:40:45.781 kid1| 83,5| PeerConnector.cc(58) ~PeerConnector: Peer 
connector 0x807950f38 gone
2015/10/01 12:40:45.785 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 
6(0, 0x8077e5d60)
2015/10/01 12:40:45.785 kid1| 83,5| bio.cc(95) write: FD 10 wrote 1590 <= 1590
2015/10/01 12:40:45.785 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 
11(0, 0x0)
2015/10/01 12:40:45.785 kid1| 83,5| bio.cc(118) read: FD 10 read -1 <= 5
2015/10/01 12:40:45.785 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:45.787 kid1| 83,5| bio.cc(118) read: FD 10 read 5 <= 5
2015/10/01 12:40:45.787 kid1| 83,5| bio.cc(118) read: FD 10 read 518 <= 518
2015/10/01 12:40:45.820 kid1| 83,5| bio.cc(118) read: FD 10 read 5 <= 5
2015/10/01 12:40:45.820 kid1| 83,5| bio.cc(118) read: FD 10 read 1 <= 1
2015/10/01 12:40:45.820 kid1| 83,5| bio.cc(118) read: FD 10 read 5 <= 5
2015/10/01 12:40:45.820 kid1| 83,5| bio.cc(118) read: FD 10 read 40 <= 40
2015/10/01 12:40:45.820 kid1| 83,5| bio.cc(95) write: FD 10 wrote 51 <= 51
2015/10/01 12:40:45.820 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 
11(0, 0x0)
2015/10/01 12:40:45.820 kid1| 83,5| bio.cc(576) squid_bio_ctrl: 0x80771c7b0 
7(0, 0x8077e5d60)
2015/10/01 12:40:45.820 kid1| 83,5| support.cc(1913) store_session_cb: Request 
to store SSL Session
2015/10/01 12:40:45.820 kid1| 83,5| support.cc(1935) store_session_cb: wrote an 
ssl session entry of size 135 at pos 132
-----BEGIN SSL SESSION PARAMETERS-----
MIGEAgEBAgIDAwQCAJ0EIFfPyAJnK5rMXgH2iPggVhYKDTWAC6DSTaD8aY1CT+zY
BDBxSWMijLlcdMU2SQVLAdXHpWz4KD/zD1XmSyqSpQKsgOpn3D2xH7tDroHzkF0G
UrahBgIEVg0NraIEAgIBLKQCBACmEQQPcmV2b2tlZC5ncmMuY29t
-----END SSL SESSION PARAMETERS-----
2015/10/01 12:40:45.820 kid1| 83,2| client_side.cc(3796) clientNegotiateSSL: 
clientNegotiateSSL: New session 0x80789dd80 on FD 10 (192.168.1.102:38824)
2015/10/01 12:40:45.821 kid1| 83,3| client_side.cc(3800) clientNegotiateSSL: 
clientNegotiateSSL: FD 10 negotiated cipher AES256-GCM-SHA384
2015/10/01 12:40:45.821 kid1| 83,5| client_side.cc(3816) clientNegotiateSSL: 
clientNegotiateSSL: FD 10 has no certificate.
2015/10/01 12:40:45.821 kid1| 83,5| bio.cc(118) read: FD 10 read 5 <= 5
2015/10/01 12:40:45.821 kid1| 83,5| bio.cc(118) read: FD 10 read 103 <= 103
2015/10/01 12:40:45.821 kid1| 83,2| support.cc(1314) ssl_read_method: SSL FD 10 
is pending
2015/10/01 12:40:45.821 kid1| 83,4| support.cc(211) check_domain: Verifying 
server domain revoked.grc.com to certificate name/subjectAltName revoked.grc.com
2015/10/01 12:40:45.821 kid1| 83,3| client_side_request.cc(1684) doCallouts: 
Doing calloutContext->hostHeaderVerify()
2015/10/01 12:40:45.821 kid1| 83,3| client_side_request.cc(1691) doCallouts: 
Doing calloutContext->clientAccessCheck()
2015/10/01 12:40:45.822 kid1| 83,3| client_side_request.cc(1712) doCallouts: 
Doing calloutContext->clientRedirectStart()
2015/10/01 12:40:45.823 kid1| 83,3| client_side_request.cc(1720) doCallouts: 
Doing calloutContext->clientAccessCheck2()
2015/10/01 12:40:45.823 kid1| 83,3| client_side_request.cc(1739) doCallouts: 
Doing clientInterpretRequestHeaders()
2015/10/01 12:40:45.823 kid1| 83,3| client_side_request.cc(1748) doCallouts: 
Doing calloutContext->checkNoCache()
2015/10/01 12:40:45.823 kid1| 83,3| client_side_request.cc(1830) doCallouts: 
calling processRequest()
2015/10/01 12:40:45.823 kid1| 83,5| bio.cc(95) write: FD 15 wrote 245 <= 245
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read 5 <= 5
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read 2915 <= 11712
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 8797
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 8797
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 7337
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 7337
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 5877
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 4417
2015/10/01 12:40:46.004 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:46.183 kid1| 83,5| bio.cc(118) read: FD 15 read 2920 <= 4417
2015/10/01 12:40:46.183 kid1| 83,5| bio.cc(118) read: FD 15 read -1 <= 1497
2015/10/01 12:40:46.183 kid1| 83,5| bio.cc(123) read: error: 35 ignored: 1
2015/10/01 12:40:46.183 kid1| 83,5| bio.cc(118) read: FD 15 read 1460 <= 1497
2015/10/01 12:40:46.183 kid1| 83,5| bio.cc(118) read: FD 15 read 37 <= 37
2015/10/01 12:40:46.243 kid1| 83,5| bio.cc(95) write: FD 10 wrote 347 <= 347
2015/10/01 12:40:46.243 kid1| 83,5| bio.cc(95) write: FD 10 wrote 4125 <= 4125
2015/10/01 12:40:46.243 kid1| 83,5| bio.cc(95) write: FD 10 wrote 4125 <= 4125
2015/10/01 12:40:46.243 kid1| 83,5| bio.cc(95) write: FD 10 wrote 3306 <= 3306
2015/10/01 12:40:46.248 kid1| 83,5| bio.cc(118) read: FD 10 read 5 <= 5
2015/10/01 12:40:46.248 kid1| 83,5| bio.cc(118) read: FD 10 read 26 <= 26
2015/10/01 12:40:46.248 kid1| 83,5| bio.cc(95) write: FD 10 wrote 31 <= 31
2015/10/01 12:40:46.249 kid1| 83,5| bio.cc(95) write: FD 15 wrote 53 <= 53



#config
http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL

icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language de-de
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname pfsense
cache_mgr ad...@pfsense-onesty.loc
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5

logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
acl localnet src  local.network.range
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin ?
cache deny dynamic

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563  

acl purge method PURGE
acl connect method CONNECT

acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src local.network.range
acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

always_direct allow whitelist
ssl_bump none whitelist
# Package Integration
url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0

# Custom options before auth
#debug_options all,1 20,0 36,0 41,0 47,0 79,0 90,0 92,0
debug_options 83,6

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl bypass ssl::server_name .google.de .sparkasse.de .postbank.de
acl wupdate ssl::server_name .windowsupdate.com .microsoft.com

ssl_bump peek step1
ssl_bump peek bypass wupdate
ssl_bump splice bypass wupdate
ssl_bump bump all

sslproxy_cert_error allow wupdate
sslproxy_cert_error deny all

# Always allow access to whitelist domains
http_access allow whitelist
# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all



#build options
configure options:  '--with-default-user=squid' 
'--bindir=/usr/pbi/squid-amd64/local/sbin' 
'--sbindir=/usr/pbi/squid-amd64/local/sbin' 
'--datadir=/usr/pbi/squid-amd64/local/etc/squid' 
'--libexecdir=/usr/pbi/squid-amd64/local/libexec/squid' '--localstatedir=/var' 
'--sysconfdir=/usr/pbi/squid-amd64/local/etc/squid' 
'--with-logdir=/var/squid/logs' '--with-pidfile=/var/run/squid/squid.pid' 
'--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' 
'--enable-build-info' '--enable-loadable-modules' 
'--enable-removal-policies=lru heap' '--disable-epoll' 
'--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' 
'--disable-arch-native' '--enable-eui' '--enable-cache-digests' 
'--enable-delay-pools' '--enable-ecap' '--enable-esi' 
'--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' 
'--enable-icmp' '--disable-ident-lookups' '--enable-ipv6' '--disable-kqueue' 
'--with-large-files' '--enable-http-violations' '--without-nettle' 
'--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' 
'--disable-ipf-transparent' '--disable-ipfw-transparent' 
'--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' 
'--enable-wccp' '--enable-wccpv2' '--with-mit-krb5=/usr/local' 
'CFLAGS=-I/usr/local/include -O2 -pipe  -I/usr/local/include 
-I/usr/local/include -I/usr/local/include -I/usr/local/include 
-I/usr/local/include/libxml2 -I/usr/local/include -fstack-protector 
-DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib 
-Wl,-rpath,/usr/local/lib:/usr/local/lib  -L/usr/local/lib -L/usr/local/lib 
-L/usr/local/lib -L/usr/local/lib -pthread -L/usr/local/lib -fstack-protector' 
'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' 
'--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake 
getpwnam LDAP SASL SMB NIS' '--enable-auth-digest=file' 
'--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group 
wbinfo_group SQL_session kerberos_ldap_group' '--enable-auth-negotiate=kerberos 
wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd 
rock' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' 
'--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' 
'--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr/local' 
'--prefix=/usr/pbi/squid-amd64/local' '--mandir=/usr/pbi/squid-amd64/local/man' 
'--infodir=/usr/pbi/squid-amd64/local/info/' 
'--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 
'CC=cc' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe 
-I/usr/local/include -I/usr/local/include -I/usr/local/include 
-I/usr/local/include -I/usr/local/include/libxml2 -I/usr/local/include 
-fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' 
'PKG_CONFIG=pkgconf' 

Best Regards

Sebastian
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
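The post's OpenSSL-side test (download the CRL named in the certificate's CRL distribution point, convert it from DER to PEM, confirm with openssl that the certificate is revoked) can be reproduced offline against a throwaway CA. The script below is an added example written for this page; it is not code from the post or from the Squid project. It assumes only that the openssl command-line tool (1.0.2 or newer) is on PATH; the CA name "Demo CA", the host name revoked.example, the placeholder CDP URI http://crl.example.test/ca.crl and all file names are made up. It also shows the two failure modes a practitioner should recognise: without -crl_check a revoked certificate still verifies as OK, and with -crl_check but no loadable CRL the check fails closed with "unable to get certificate CRL". For the squid side, note that the Squid documentation describes the http_port options crlfile= and sslflags=VERIFY_CRL as applying to client certificates presented to the proxy, whereas server certificates fetched during ssl-bump are verified according to the sslproxy_* directives (sslproxy_cafile, sslproxy_capath, sslproxy_flags).

```shell
#!/bin/sh
# Added example (not from the post or from Squid): reproduce the CRL test
# with openssl, offline, using a throwaway CA in a temp directory.
# Assumes only that the openssl CLI (1.0.2+) is on PATH. The CA name, the
# host name and the CRL distribution point URI are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

setup_ca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 'unique_subject = yes' > "$WORK/index.txt.attr"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    # Minimal config for 'openssl ca'/'openssl req'; the CDP URI is a placeholder.
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = server_ext
[ demo_policy ]
commonName       = supplied
[ server_ext ]
basicConstraints      = CA:FALSE
subjectAltName        = DNS:revoked.example
crlDistributionPoints = URI:http://crl.example.test/ca.crl
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Self-signed CA that may sign certificates and CRLs (cRLSign is required
    # for openssl to accept the CRL later).
    openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo CA" -days 365 -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_cert() {   # $1 = CN; signing via 'openssl ca' records the cert in the CA database
    openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -batch -notext \
        -in "$WORK/srv.csr" -out "$WORK/srv.pem" 2>/dev/null
}

crl_uri() {      # print the URI from the certificate's CRL Distribution Points extension
    openssl x509 -in "$1" -noout -text |
        sed -n '/CRL Distribution Points/,/URI:/s/.*URI://p'
}

revoke_and_publish() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/srv.pem" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
    # CAs usually publish DER at the CDP; emulate that download ...
    openssl crl -in "$WORK/crl.pem" -outform DER -out "$WORK/downloaded.crl"
    # ... and convert it to PEM, the step the post describes for crlfile=.
    openssl crl -inform DER -in "$WORK/downloaded.crl" -out "$WORK/crl_from_der.pem"
}

crl_lists_serial() {   # $1 = PEM CRL, $2 = hex serial; succeeds if the serial is revoked
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"
}

# $1 = certificate; $2 = CRL to use with -crl_check (omit for no revocation check).
# Prints: valid | revoked | no-crl | error: <openssl output>
verify_cert() {
    bundle="$WORK/bundle.pem"
    cp "$WORK/ca.pem" "$bundle"
    flags=""
    if [ -n "${2:-}" ]; then
        flags="-crl_check"
        # A missing CRL file simply never reaches the trust store; with
        # -crl_check openssl then fails closed instead of ignoring it.
        if [ -r "$2" ]; then cat "$2" >> "$bundle"; fi
    fi
    out=$(openssl verify $flags -CAfile "$bundle" "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*)           echo revoked ;;
        *"unable to get certificate CRL"*) echo no-crl ;;
        *": OK"*)                          echo valid ;;
        *)                                 echo "error: $out" ;;
    esac
}

setup_ca
issue_cert revoked.example
echo "CRL distribution point in cert: $(crl_uri "$WORK/srv.pem")"
echo "no -crl_check:                 $(verify_cert "$WORK/srv.pem")"
echo "-crl_check, CRL file missing:  $(verify_cert "$WORK/srv.pem" "$WORK/does-not-exist.pem")"
revoke_and_publish
echo "-crl_check, CRL loaded:        $(verify_cert "$WORK/srv.pem" "$WORK/crl_from_der.pem")"
echo "CRL lists serial 01:           $(crl_lists_serial "$WORK/crl_from_der.pem" 01 && echo yes || echo no)"
```

The CRL is handed to openssl by appending it to the same PEM file as the issuing CA certificate, which is what -CAfile (and a capath directory) accept; -crl_check only checks the leaf certificate's CRL, and -crl_check_all additionally requires a CRL for every CA in the chain.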
