Enable SSL bump


Enable SSL bump

Mustafa Mohammad
I'm trying to enable ssl bump but it says that 
FATAL: No valid signing SSL certificate configured for HTTP_port [::]:the port I'm listening on. I did a lot of research and I couldn't find the answer. Any help would be deeply appreciated.

Thanks,
Mustafa Mohammad

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Enable SSL bump

Amos Jeffries
Administrator
On 24/01/2017 11:27 a.m., Mustafa Mohammad wrote:
> I'm trying to enable ssl bump but it says that
> FATAL: No valid signing SSL certificate configured for HTTP_port [::]:the
> port I'm listening on. I did a lot of research and I couldn't find the
> answer. Any help would be deeply appreciated.
>

The SSL-Bump feature requires the TLS/SSL options which are normally only
mandatory on https_port.

Specifically, the cert= option needs to point Squid at a CA cert
with privileges to sign the auto-generated certs SSL-Bump creates.
NP: a normal server cert such as one receives from the global root CAs
is not sufficient.


Also, please ensure you are using the latest versions of Squid with this
feature (today that is 3.5.23 or later, the 4.0 beta if possible).
SSL-Bump has gone through a lot of change and older implementations have
some quite nasty limitations and side effects.

Amos
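The reply above says cert= must point at a CA certificate that is allowed to sign, not an ordinary server certificate. The script below is an added example, not code from this thread or from the Squid project: it uses OpenSSL to build such a CA, builds a plain server (leaf) certificate for contrast, checks which of the two carries the basicConstraints CA:TRUE and keyUsage keyCertSign extensions a signing CA needs, and emits a matching http_port line. The working directory, file names and port number are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): create a CA that can sign the
# certificates SSL-Bump generates, and check that a certificate file really
# is a signing CA before pointing cert= at it.
# WORKDIR, the file names and port 3128 are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL request config with two extension sections: v3_ca has the
# properties a signing CA needs; v3_leaf is what a normal server cert
# from a public CA looks like (and why such a cert is not sufficient).
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Squid Bump CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed certificate $2.pem / $2.key using extension section $3.
make_selfsigned() {
  cnf="$1"; out="$2"; ext="$3"
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$cnf" -extensions "$ext" \
    -keyout "$out.key" -out "$out.pem" 2>/dev/null
}

# Returns 0 when the certificate can sign other certificates
# (CA:TRUE and Certificate Sign key usage), 1 otherwise.
is_signing_ca() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# The http_port line for an SSL-Bump port using the CA at $1 / key $2.
squid_port_line() {
  printf 'http_port 3128 ssl-bump generate-host-certificates=on cert=%s key=%s\n' "$1" "$2"
}

write_openssl_cnf "$WORKDIR/openssl.cnf"
make_selfsigned "$WORKDIR/openssl.cnf" "$WORKDIR/bump-ca" v3_ca
make_selfsigned "$WORKDIR/openssl.cnf" "$WORKDIR/server" v3_leaf

if is_signing_ca "$WORKDIR/bump-ca.pem"; then
  squid_port_line "$WORKDIR/bump-ca.pem" "$WORKDIR/bump-ca.key"
fi
is_signing_ca "$WORKDIR/server.pem" \
  || echo "server.pem is a leaf certificate; cert= must not point at it" >&2
```

The emitted line goes into squid.conf; `squid -k parse -f squid.conf` checks the configuration without starting the proxy, and the FATAL message from the opening post is what a port with ssl-bump but no usable cert= produces. The bump-ca.key file is a signing key: keep it readable only by the Squid process user.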


Re: Enable SSL bump

Amos Jeffries
Administrator
[ Please reply to the list, not to me personally. ]

On 24/01/2017 11:54 a.m., Mustafa Mohammad wrote:
> I'm using 3.5.23 version. My problem is that I'm trying to hit our
> regression server and after doing research, I found that SSL bump might
> work for me but I'm not sure.

We (the squid-users list people) can probably answer that. But we will need
to know a bit more details about what exactly your situation is.

I have been assuming that by "regression" you actually mean "legacy
server" - as in; 'a server running old software'. Is that correct?

If so, then the CRL check failing usually means that the CA who issued
that certificate has formally published an advisory (CRL) indicating
that certificate as invalid and must never be used again. Why can't you
just change the cert?


> When my config file is not doing a crl check,
> I was able to hit the server but I can't hit the server if my crlcheck is
> set to yes. I'm very new to squid.

Okay. Sounds like you just need to disable some checks. But let's put
that aside until it's clear whether Squid is the right solution for your
need.

Amos


Re: Enable SSL bump

Mustafa Mohammad
By regression...I mean our QA testing server. Let me explain this in detail: I have a squid proxy running which is needed to connect to the server so we can get back if the transaction was approved or not. It is a point of sale application that sends transaction data to the server to receive a response about the transaction, and that's when the problem is occurring, when it is trying to communicate to that server. I received some help and I think ssl splice and ssl peek might work but I don't know how to use them. I don't know the rules to apply in this situation.


Re: Enable SSL bump

Amos Jeffries
Administrator
On 24/01/2017 3:38 p.m., Mustafa Mohammad wrote:
> By regression...I mean our QA testing server. Let me explain this in
> detail: I have a squid proxy running which is needed to connect to the
> server so we can get back if the transaction was approved or not. It is a
> point of sale application that sends transaction data to the server to
> receive a response about the transaction, and that's when the problem is
> occurring, when it is trying to communicate to that server. I received some
> help and I think ssl splice and ssl peek might work but I don't know how to
> use them. I don't know the rules to apply in this situation.

What's usually needed in these setups is a reverse-proxy (aka "load
balancer", CDN frontend, etc.). But for that to be Squid it would
require the POS application to be messaging with HTTP.
Is that the case?

The peek-and-splice form of SSL-Bump MITM might work anyway so long as
the application is actually using real TLS. But you need to be aware the
splice action is just blindly tunneling the TLS data through Squid. It
is not being touched, so anything like CRL issues is a problem between
the endpoints - Squid cannot help unless it's actually HTTP messages,
then the 'bump' action is needed to fully decrypt and modify the TLS.


(That said, there have been some weird issues showing up even when the
tunnel is spliced. See the threads about 30sec delays to Cloudflare, or
curl rejecting tunneled traffic.)

Amos
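The reply above contrasts two SSL-Bump policies: peek then splice, where Squid only tunnels the TLS bytes and cannot do anything about a CRL problem between the endpoints, and bump, where Squid terminates TLS with a certificate it signs and can see the HTTP inside. The script below is an added example, not code from this thread or from the Squid project: it writes both policies as squid.conf fragments and includes two small checks over a config file, one that reports whether any rule decrypts traffic and one that catches an ssl-bump port with no cert= (the cause of the FATAL in the opening post). The file names and the CA path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the two SSL-Bump policies as
# squid.conf fragments, plus checks over a config file.
# WORKDIR, the file names and the CA path are assumptions for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Peek at the TLS ClientHello on step 1, then splice: Squid forwards the
# TLS bytes untouched, so it neither sees the HTTP inside nor can it fix a
# certificate/CRL problem between client and server.
write_splice_conf() {
  cat > "$1" <<'EOF'
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
EOF
}

# Bump: Squid terminates TLS with a certificate signed by the bump CA, so
# it can read and modify the HTTP messages; the client must trust that CA.
write_bump_conf() {
  cat > "$1" <<'EOF'
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem key=/etc/squid/bump-ca.key
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# Prints "decrypt" when some ssl_bump rule uses the bump action, otherwise
# "tunnel": with no bump rule Squid never decrypts the proxied TLS.
bump_mode() {
  awk '
    /^[[:space:]]*#/ { next }
    $1 == "ssl_bump" && $2 == "bump" { found = 1 }
    END { print (found ? "decrypt" : "tunnel") }
  ' "$1"
}

# Returns 1 and names the offending line when a port has ssl-bump but no
# cert= option; that combination is what the FATAL in the first post reports.
check_bump_port() {
  awk '
    /^[[:space:]]*#/ { next }
    $1 == "http_port" || $1 == "https_port" {
      bump = 0; cert = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "ssl-bump") bump = 1
        if ($i ~ /^cert=/) cert = 1
      }
      if (bump && !cert) { print "missing cert= on: " $0; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

write_splice_conf "$WORKDIR/splice.conf"
write_bump_conf "$WORKDIR/bump.conf"
echo "splice.conf: $(bump_mode "$WORKDIR/splice.conf")"   # tunnel
echo "bump.conf:   $(bump_mode "$WORKDIR/bump.conf")"     # decrypt
check_bump_port "$WORKDIR/bump.conf"

# A constructed broken config: ssl-bump on the port, but no cert=.
printf 'http_port 3128 ssl-bump\nssl_bump bump all\n' > "$WORKDIR/bad.conf"
check_bump_port "$WORKDIR/bad.conf" || echo "bad.conf would not start" >&2
```

Either fragment still needs the cert= CA on the port even in the splice-only case, which is the point of the first reply in this thread; `squid -k parse -f file` is the authoritative check once the fragment is in a real squid.conf.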


Re: Enable SSL bump

Mustafa Mohammad
No, it is messaging with HTTPS. If I were to use splice and peek, do I need a self-signed certificate or any type of certificate?


Re: Enable SSL bump

Mustafa Mohammad
What TLS option? I don't know how to configure that.


Re: Enable SSL bump

Mustafa Mohammad
I just received the news from my team that squid is working at first but when they restart the service, it doesn't work. Has anyone encountered issues like that?
