Have issue with "https_port ssl-bump intercept"

Have issue with "https_port ssl-bump intercept"

pius
I am getting the IP address of the client instead of the domain name I requested.

I am trying curl -iv https://www.google.com from a client machine
(10.222.17.106). I am not getting google.com in the access log and am getting
TCP_DENIED. It looks like the traffic is blocked before the certificate is
checked (I am not sure). HTTP works fine (curl -iv http://www.google.com). I
have included the log from both requests. Please help.

##############
HTTPS REQUEST
1533917193.498      0 10.222.25.60 TCP_DENIED/200 0 CONNECT
10.222.17.106:3130 - HIER_NONE/- -
##############
HTTP REQUEST
1533917208.934     35 10.222.25.60 TCP_MISS/200 11561 GET
http://www.google.com/ - HIER_DIRECT/216.58.212.100 text/html
##############




################################################################################
Here is my squid.conf
###############
http_port 3128

http_port 0.0.0.0:3129 ssl-bump  \
  cert=/etc/squid/ssl_cert/cert.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

https_port 0.0.0.0:3130 ssl-bump intercept \
  cert=/etc/squid/ssl_cert/cert.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl ssl_exclude_domains ssl::server_name "/etc/squid/exclude_domains.conf"

ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice ssl_exclude_domains
ssl_bump stare step2 all
ssl_bump bump all



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Have issue with "https_port ssl-bump intercept"

Alex Rousskov
On 08/10/2018 12:05 PM, pius wrote:
> I am getting IP address of the client instead of the domain name I requested.

I suspect you are getting your Squid https_port address
(10.222.17.106:3130) rather than the client IP address (10.222.25.60).
Logging Squid IP instead of the intended server IP feels wrong to me,
but that is not why things do not otherwise "work" in your test.

Your test request is probably not getting through because your
http_access rules (or equivalent) deny the (fake) CONNECT request to
216.58.212.100 (or whatever one of the www.google.com server IPs is in
your environment). Check your access control rules while keeping in mind
that the initial (i.e. step1) fake CONNECT request on an intercepting
https_port has nothing but TCP/IP-level information.


HTH,

Alex.


Re: Have issue with "https_port ssl-bump intercept"

pius
Hi,

Thanks for the reply.

I had an ACL whitelist for IPs. I tried the test again after removing that.

Now I get an error:

TAG_NONE/200 0 CONNECT. Still, I am not getting the server IP or domain name
and get the squid IP instead (10.222.17.106:3130).

Does that mean the request is still blocked in step 1, or is it that Google
won't accept the fake CONNECT request?

I saw documentation saying to use a DNS server on the same server as squid.







Re: Have issue with "https_port ssl-bump intercept"

Alex Rousskov
On 08/10/2018 01:04 PM, pius wrote:

> I had an ACL whitelist for IPs. I tried the test again removing that.

Sounds more like a blacklist than whitelist if removing the rule
_allows_ the request.


> Now I get an error TAG_NONE/200 0 CONNECT.

That is a good sign. The fake CONNECT request was not denied. Please
post all the access.log lines as you did before to show the whole picture.

And what does curl say?


> Still, I am not getting server IP or domain name and
> got squid IP instead. (10.222.17.106:3130).

Ignore that detail for now.


> Does that mean, the request is still blocked in step 1 Or is that Google
> won't accept fake CONNECT request?

Neither, and Google does not receive CONNECT requests (fake or real) --
they are handled internally by Squid.

Please see the following wiki page for what is really going on at
various steps: https://wiki.squid-cache.org/Features/SslPeekAndSplice


HTH,

Alex.
Re: Have issue with "https_port ssl-bump intercept"

Rafał S
In reply to this post by Alex Rousskov


On Fri, 10.08.2018 at 20:28 Alex Rousskov <[hidden email]> wrote:
Re: Have issue with "https_port ssl-bump intercept"

pius
In reply to this post by Alex Rousskov
Hi,

Thanks for the reply. I haven't had access to the log over the weekend, sorry
about the late reply.

I googled this error. I got some answers saying that the CONNECT message is in
plain text while squid is expecting a TLS connection, so it gets rejected at a
lower level before getting to step 2. I am not sure whether that is my issue.
Please check the logs and let me know what I am doing wrong.

####### curl #####
* About to connect() to proxy 10.222.17.106 port 3130 (#0)
*   Trying 10.222.17.106...
* Connected to 10.222.17.106 (10.222.17.106) port 3130 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Recv failure: Connection reset by peer
* Received HTTP code 0 from proxy after CONNECT
* Connection #0 to host 10.222.17.106 left intact
curl: (56) Recv failure: Connection reset by peer

###### access.log ####
1534148669.183      0 10.222.25.60 TCP_DENIED/200 0 CONNECT
10.222.17.106:3130 - HIER_NONE/- -
############






Re: Have issue with "https_port ssl-bump intercept"

pius
Hi,

I made some improvement. I added "ssl_bump splice all" and now it is passing
through step 1, but I can't whitelist the domain I want to connect to through
squid now. I am getting a new error.


###### cache.log ###########
2018/08/13 13:37:02 kid1| SECURITY ALERT: Host header forgery detected on
local=10.222.17.106:3130 remote=10.222.25.60:59108 FD 14 flags=33
(intercepted port does not match 443)
2018/08/13 13:37:02 kid1| SECURITY ALERT: By user agent: curl/7.29.0
2018/08/13 13:37:02 kid1| SECURITY ALERT: on URL: www.google.com:443
2018/08/13 13:37:02 kid1| abandoning local=10.222.17.106:3130
remote=10.222.25.60:59108 FD 14 flags=33
#####################


Can you please help.




Re: Have issue with "https_port ssl-bump intercept"

pius
Hi,

It would be great if anybody could help.

I can see that the client can talk to squid and squid is communicating with
google. But it is responding with an error.

###### Curl Log #####

]# curl https://www.google.com -iv
* About to connect() to www.google.com port 443 (#0)
*   Trying 216.58.204.68...
* Connected to www.google.com (216.58.204.68) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible
length.

############# access.log #####

1534179809.818      0 10.222.17.37 TCP_DENIED/403 3605 CONNECT
216.58.204.68:443 - HIER_NONE/- text/html
1534179809.900      0 10.222.17.37 TAG_NONE/400 0 NONE error:invalid-request
- HIER_NONE/- text/html
#######





Re: Have issue with "https_port ssl-bump intercept"

pius
Hi,

We are planning to control the traffic that goes out from the network. A few
of the flows are HTTPS. We managed to whitelist the HTTP traffic going out of
the network, and we are really happy about it. Now the only worry we have is
the HTTPS traffic.

I listen on 2 ports in squid: 3129 (HTTP) and 3130 (HTTPS).

When we send HTTPS traffic to the outside world, we prefer to use 3130 so that
we have end-to-end encryption. But at the same time, I need to whitelist some
domain names so that only those domain names can be communicated with safely.
Is this possible in squid?



Re: Have issue with "https_port ssl-bump intercept"

Amos Jeffries
Administrator
On 16/08/18 21:15, pius wrote:

> Hi,
>
> We are planning to control the traffic that goes out from the network. Few
> of them are HTTPS. we managed to whitelist HTTP traffic that going out the
> network. And we are really happy about it. Now only worry we got is the
> HTTPS traffic.
>
> I listen 2 port in squid.  3129(HTTP) and 3130 (HTTPS).
>
> When we communicate https traffic to the outside world, we prefer to use
> 3130 so that we will have an end to end encryption. But at the same time, I
> need to whitelist some domain name so that only those domain name can be
> communicated safely. Is this is possible in squid?

Yes, provided that:
 1) only the domain name is wanted, and
 2 a) the client sends TLS SNI, and
 2 b) the server certificate confirms the TLS SNI

In that one case, you can use SSL-Bump peek and splice to retain the
encryption.

 acl whitelist ssl::server_name ...

 acl step1 at_step SslBump1
 acl step2 at_step SslBump2

 ssl_bump peek all
 ssl_bump splice whitelist
 ssl_bump terminate all

NP: you will still have to configure Squid with a self-signed CA cert
for the odd situations when Squid has to 'bump' to deliver errors to the
client.

Care also has to be taken to "allow" the CONNECT messages SSL-Bump
processing uses. These may appear in http_access etc. with raw-IP:port
only OR with non-whitelisted domains from TLS SNI.

The above config will only whitelist after the server cert is known and
should terminate TLS without any HTTP(S) error page being delivered to
clients - but can only do so if http_access does _not_ cause a "deny"
part way through the handshake (eg from on-whitelisted SNI names).


BTW; Please also be aware that TLS is *not* "end-to-end". It is only
point-to-point encryption. It is a mistake to think of it as fully
end-to-end. There are very likely multiple HTTP(S) network hops at both
client and server ends which are encrypted differently or unencrypted.

Amos
Re: Have issue with "https_port ssl-bump intercept"

Amos Jeffries
Administrator
On 16/08/18 23:17, Amos Jeffries wrote:
> The above config will only whitelist after the server cert is known and
> should terminate TLS without any HTTP(S) error page being delivered to
> clients - but can only do so if http_access does _not_ cause a "deny"
> part way through the handshake (eg from on-whitelisted SNI names).

Sorry that should read:  "from non-whitelisted SNI names"

Amos
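A complete squid.conf along the lines Amos sketches above (the peek/splice/terminate whitelist, plus http_access rules that do not "deny" the fake CONNECT requests SSL-Bump generates part way through the handshake), added here as an example and not part of Amos's reply or of the Squid project's own documentation. It reuses the ports, certificate path and at_step ACL names from pius's squid.conf earlier in the thread; the client range 10.222.0.0/16 and the whitelist file /etc/squid/whitelist_domains.conf are assumptions for illustration. Two caveats from the thread are worth keeping in mind while reading it: an intercept port only works for traffic NAT-redirected to it on the Squid host, and the "Host header forgery detected ... (intercepted port does not match 443)" alert in pius's cache.log is what Squid reports when the destination in the request (port 443) does not match the original destination it recovered for the intercepted connection (here its own port 3130, because curl was pointed at the port as an explicit proxy); and a TCP_DENIED/403 on a "CONNECT <raw IP>:443" at step1, as in pius's later access.log, is the signature of an http_access deny hitting the fake CONNECT before the SNI or server certificate is known.

```conf
# Added example, not the thread's or the Squid project's own configuration.
# Whitelist outbound HTTPS by server name on an intercepting https_port
# while leaving the TLS session spliced (never decrypted) for allowed hosts.

# Explicit proxy port for plain HTTP (and explicit CONNECT), as in pius's setup.
http_port 0.0.0.0:3129 ssl-bump \
  cert=/etc/squid/ssl_cert/cert.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Intercept port: clients must reach it through a NAT redirect on this host.
# Pointing curl at 10.222.17.106:3130 as a proxy is what produced the
# "Host header forgery detected" alert, because no original destination
# could be recovered and the port itself (3130) was compared with 443.
https_port 0.0.0.0:3130 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/cert.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# ASSUMPTION: client network; replace with your own ranges.
acl localnet src 10.222.0.0/16
acl SSL_ports port 443
acl CONNECT method CONNECT

# SSL-Bump evaluation steps:
#   step1: only TCP/IP facts (intercepted IP:port) are known
#   step2: the client's TLS SNI name is known
#   step3: the server certificate is known and checked against the SNI
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# ASSUMPTION: one domain per line, e.g. ".jenkins-ci.org" (leading dot
# matches subdomains, as with dstdomain). Used for both HTTPS and HTTP.
acl whitelist ssl::server_name "/etc/squid/whitelist_domains.conf"
acl whitelist_http dstdomain "/etc/squid/whitelist_domains.conf"

# ---- http_access -----------------------------------------------------------
# Never tunnel to anything but 443.
http_access deny CONNECT !SSL_ports

# Let the fake CONNECT requests through. At step1 they carry only
# "<intercepted IP>:443", at step2 only the SNI name, so a domain check
# here would deny the handshake early (TCP_DENIED/403 on a raw IP:443)
# and Squid would have to answer with an error the TLS client cannot read.
http_access allow localnet CONNECT SSL_ports

# Plain HTTP on 3129 is whitelisted by destination domain.
http_access allow localnet whitelist_http
http_access deny all

# ---- ssl_bump --------------------------------------------------------------
# Peek at the ClientHello (step1) and at the server certificate (step2)
# without altering either, so the session can still be spliced.
ssl_bump peek step1
ssl_bump peek step2

# Decided at step3, i.e. only after the server certificate has confirmed
# the SNI name: whitelisted servers are spliced, the rest are closed
# without any HTTP(S) error page (the client could not read one anyway).
ssl_bump splice whitelist
ssl_bump terminate all
```

The ordering is the whole point: every domain decision lives in the ssl_bump rules, which run once enough TLS information exists, while http_access only guards the method and port, so it never denies a fake CONNECT whose only known fact is an IP address. With this layout the only access.log lines for a blocked HTTPS host are the allowed fake CONNECT followed by the terminated connection, and a TCP_DENIED/403 on a CONNECT to a raw IP:443 means a leftover http_access rule (in pius's case a network ACL) is still evaluating the step1 request.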
Re: Have issue with "https_port ssl-bump intercept"

pius
In reply to this post by Amos Jeffries
Hi Amos,


Thanks for the reply. It makes things clearer.

I apologize in advance for a Friday message.

I will explain a bit more about my situation. We are using JFrog Artifactory
in our private network. Artifactory hosts lots of remote repos. We are
planning to lock down Artifactory using squid. So in my case Artifactory is
the client.

artifactory ------> Squid(whitelist) -----> Internet
                            http (3129) / https (3130)

I followed the steps from your message. I trust the self-signed squid
certificate in Artifactory. Now the error I am getting in Artifactory is

"Connection to remote repository failed: Host name 'repo.jenkins-ci.org'
does not match the certificate subject provided by the peer
(CN=130.211.20.35)"

It looks like Artifactory is requesting repo.jenkins-ci.org from squid without
enough information about the domain name. Maybe that is why squid created an
SSL certificate on behalf of Artifactory with an IP address instead of the
domain name. So how can I map the IP to a domain name? A DNS server?




Re: Have issue with "https_port ssl-bump intercept"

Amos Jeffries
Administrator
On 17/08/18 20:39, pius wrote:

> Hi Amos,
>
>
> Thanks for the reply. It makes more things clear.
>
> I do apologize for a Friday message in advance.
>
> I will explain a bit more about my situation. We are using Jfrog artifactory
> in our private network. Artifactory host lots of remote repos. We are
> planning lock down the artifactory using squid. So in my case artifactory is
> the client.
>
> artifactory ------> Squid(whitelist) -----> Internet
>                             http (3129) / https (3130)
>
> I followed the steps from your message. I trust the self-signed squid
> certificate in artifactory. Now I error I am getting is in artifactory is
>
> "Connection to remote repository failed: Host name 'repo.jenkins-ci.org'
> does not match the certificate subject provided by the peer
> (CN=130.211.20.35)"
>
> Looks like artifactory is requesting repo.jenkins-ci.org to squid without
> enough information about domain name. May be that why squid created a ssl
> certificate in behalf of artifactory with a IP address and instead of domain
> name. So how can map the ip to a domain name ? DNS server ?
>

With the config I provided, Squid should only send the custom cert to the
client if there is a problem connecting to the upstream server or your
http_access rules perform a "deny" action.

 Are you able to identify which of those is going on?
 Your Squid access.log and/or cache.log should have some hints.

Amos
Re: Have issue with "https_port ssl-bump intercept"

pius
Thanks for the reply.

That really helped. I had an ACL for the network and that blocked the HTTPS
traffic coming through.

It has been a journey setting it up. But without your help I don't think I
would have been able to do it. Thanks for all the help. Much appreciated.

A few settings that helped with debugging and fixing it:
debug_options ALL,9 => full debug
dns_v4_first on =>  http://www.squid-cache.org/Doc/config/dns_v4_first/
ssl::server_name_regex =>
http://www.squid-cache.org/Versions/v3/3.5/cfgman/acl.html




