How to Configure Proxy Chaining with ssl-bump

Michael Chen
Hi,
I would like to chain squid to a parent proxy in the cloud, the Netskope proxy.
First of all, I configured http_port 3128 ssl-bump without proxy chaining to the parent proxy, and it works fine. However, my next step was to add a cache_peer to the parent proxy with the Netskope certificates loaded. It failed and shows "sslv3 certificate unknown".
Below are my configuration and test results:

The first test, without proxy chaining to Netskope (just ssl-bump on the squid proxy): internet access works normally.
My config:
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA9.pem key=/etc/squid/ssl_cert/myCA9.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

Cache.log:

[image attachment: cache.log screenshot]
https://translate.google.com is accessed normally.

The second test is squid proxy chaining to Netskope (with ssl enabled): the result is that internet access fails (HTTP/HTTPS).
My config: (where I put the Netskope intermediate & root certs in /etc/squid/ssl_cert/)
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA9.pem key=/etc/squid/ssl_cert/myCA9.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

cache_peer pxc-sasesg-tpe.eu.goskope.com parent 8080 0 no-query default ssl sslcapath=/etc/squid/ssl_cert/ sslcafile=/etc/squid/ssl_cert/cacert-2020-01-01.pem login=PASSTHRU ssloptions=NO_SSLv2 sslflags=DONT_VERIFY_DOMAIN

never_direct allow all

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

Cache.log once squid restarts shows "sslv3 alert certificate unknown":

[image attachment: cache.log screenshot]

Do you see anything wrong?
BR,
Michael

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: How to Configure Proxy Chaining with ssl-bump

Amos Jeffries
Administrator
On 20/03/20 6:31 pm, Michael Chen wrote:
> Hi,
> I would like to proxy chaining squid to parent proxy on the cloud,
> Netskope proxy.

Output of "squid -v" please. The version matters a lot when it comes to
what you are trying to configure.


Amos

Re: How to Configure Proxy Chaining with ssl-bump

Amos Jeffries
Administrator
On 20/03/20 7:12 pm, Michael Chen wrote:
> Hi Amos,
> Squid version 3.5.28

Squid-3 cannot do what you are wanting.

You require Squid-4 or later if the peer supports TLS/SSL connections,
and Squid-5 or later if it does not.



> image.png
> BR,
> Michael
>

Please avoid posting things as images. They often do not make it through
the mailing list, are very hard to read and even worse to grep/search
for significant values.

Amos

Re: How to Configure Proxy Chaining with ssl-bump

Michael Chen
Hi Amos,
May I know which function Squid v3.5.28 cannot do for my scenario?
Because Squid v3.5 still has the cache_peer and ssl commands ...

BR,
Michael


Re: How to Configure Proxy Chaining with ssl-bump

Amos Jeffries
Administrator
On 20/03/20 8:27 pm, Michael Chen wrote:
> Hi Amos,
> May I know which function Squid v3.5.28 cannot do for my scenario?
> Because Squid v3.5 still has the cache_peer and ssl commands ...
>

TLS is a volatile environment, with many changes going on constantly.
Squid-3 has been deprecated since 2018 and is far behind in support
needed for current TLS practices.

Especially when bumping you should always have the latest Squid version.


This first bit can be tested with Squid-3. It is just about getting a
secure connection to the peer, any Squid should be able to do that.

Ensure that the peer proxy is delivering its CA *chain* properly.
 * All the intermediates should be supplied during the server handshake.
 * cache_peer should only need the root CA for that chain. Configured in
the sslca= or tls-ca= option.

At this point your Squid should be able to pass traffic to the peer.
Test that with regular http:// URL requests to your Squid. *Not* HTTPS
or bumped traffic.


You can test the following with Squid-3, but do not expect it to work
very well. Squid-4 is better in a lot of cases, but still not completely.

Your ssl_bump rules should peek at the client cert, then stare at the
server cert, then bump the crypto. Like so:

 acl step1 at_step SslBump1
 # step 1: peek at the client hello, step 2: stare at the server
 # certificate, step 3: bump the connection
 ssl_bump peek  step1
 ssl_bump stare all
 ssl_bump bump  all


Amos
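The two checks Amos gives above (the peer must deliver its intermediates in the handshake, and Squid's trust store then needs only the root CA) can be exercised offline before touching the real peer. The script below is an added example and is not part of this thread or of Squid itself: it builds a throw-away root / intermediate / leaf chain with openssl and runs the same path validation Squid's TLS client performs, once without the intermediate (the broken-peer case), once with it, once with the intermediate wrongly used as the trust anchor, and once with the hostname check that sslflags=DONT_VERIFY_DOMAIN switches off. The names Demo Root CA and proxy.example.invalid, and the /etc/squid/ssl_cert/netskope-root.pem path, are constructed for the demo; the cache_peer line it prints uses Squid-4 tls-* option names, as an assumed target version.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): offline model of what
# Squid's TLS client sees when connecting to a cache_peer over TLS.
# All certificate names and the netskope-root.pem path are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. The leaf stands for the parent proxy's
# server certificate, the intermediate for what the peer must send in its
# handshake, the root for the single file that belongs in sslcafile=/tls-cafile=.
gen_chain() {
    [ -f "$WORK/leaf.pem" ] && return 0
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:proxy.example.invalid\n' > "$WORK/leaf.ext"

    # Self-signed root CA
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha256 -days 2 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

    # Intermediate CA signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -sha256 -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

    # Leaf (peer proxy) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=proxy.example.invalid" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -sha256 -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case A: trust store = root only, peer sends only its leaf. This is the
# broken-chain peer: no path to the root can be built, so the client rejects
# the certificate and the handshake ends in a certificate alert.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case B: trust store = root only, peer sends leaf + intermediate
# (-untrusted stands in for the chain certs carried in the handshake).
# This is the working setup: sslcafile= holds just the root.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case C: trust store = intermediate only. The path never reaches a
# self-signed anchor, so it fails too: trusting an intermediate does not
# replace trusting the root.
verify_intermediate_as_root() {
    openssl verify -CAfile "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Case D: full chain, checked against the name the client dialled ($1).
# This is the check sslflags=DONT_VERIFY_DOMAIN disables; a properly issued
# peer certificate passes it, so the flag should not be needed in production.
verify_hostname() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# cache_peer line for Squid-4 or later (tls-* names), trusting only the root.
# Hostname/port are from the thread; the root CA path is an assumed location.
squid4_peer_conf() {
    cat <<'EOF'
cache_peer pxc-sasesg-tpe.eu.goskope.com parent 8080 0 no-query default tls tls-cafile=/etc/squid/ssl_cert/netskope-root.pem login=PASSTHRU
never_direct allow all
EOF
}

gen_chain
for check in verify_leaf_only verify_with_chain verify_intermediate_as_root; do
    if "$check"; then echo "$check: verified"; else echo "$check: rejected"; fi
done
if verify_hostname other.example.invalid; then echo "hostname mismatch: verified"; else echo "hostname mismatch: rejected"; fi
squid4_peer_conf
```

Only case B and the matching hostname pass; A, C and the mismatched hostname are rejected, which is the behaviour to expect from Squid's TLS client as well. Against the real peer, `openssl s_client -connect pxc-sasesg-tpe.eu.goskope.com:8080 -showcerts` shows which certificates the peer actually sends; if only one appears, the intermediate is missing on the peer side and no sslcafile= setting on Squid will fix it. Keep DONT_VERIFY_DOMAIN (and DONT_VERIFY_PEER) out of the final configuration; they are diagnostic switches, not a fix.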

Re: How to Configure Proxy Chaining with ssl-bump

Michael Chen
Hi Amos,
Thanks for your explanation.
Could you instruct me how to install squid v5 based on CentOS 7?

BR,
Michael


Re: How to Configure Proxy Chaining with ssl-bump

Amos Jeffries
Administrator
On 21/03/20 2:13 am, Michael Chen wrote:
> Hi Amos,
> Thanks for your explanation.
> Could you instruct me how to install squid v5 based on CentOS 7?
> Based on the
> url https://wiki.squid-cache.org/SquidFaq/BinaryPackages#KnowledgeBase.2FCentOS.Stable_Repository_Package_.28like_epel-release.29,
> CentOS does not seem to support squid v5.
>

There do not seem to be packages yet. You should be able to build from
sources easily enough though following the wiki instructions:
 <https://wiki.squid-cache.org/KnowledgeBase/CentOS#Compiling>

Amos