How to make sslbump'ing more robust? (option to continue?)

How to make sslbump'ing more robust? (option to continue?)

L. A. Walsh
I tried accessing a site that had an expired certificate today
(https://www.tcl.tk/doc/scripting.html).

In going through squid, I got:

-----
The following error was encountered while trying to retrieve the URL:
https://www.tcl.tk/doc/scripting.html

    *Failed to establish a secure connection to 38.88.76.19*

The system returned:

    (71) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

    SSL Certificate expired on: May 10 23:59:59 2017 GMT

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the
remote host does not support secure connections, or the proxy is not
satisfied with the host security credentials.

----------------


But trying the same page through IE (not going through squid), I got:

-------

There is a problem with this website's security certificate.

The security certificate presented by this website has expired or is not
yet valid.

Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this
website.

Click here to close this webpage. <javascript:closePage()>

Continue to this website (not recommended).


------

Is there any way to put up some similar page to describe the problem,
and most importantly, allow the connection to continue at user
discretion?


Thanks!
-linda

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to make sslbump'ing more robust? (option to continue?)

Alex Rousskov
On 05/10/2017 11:15 PM, L A Walsh wrote:
> I tried accessing a site that had an expired certificate today

> In going through squid, I got [a Squid error page]

> But trying the same page through IE, I got [IE error page with]
> Continue to this website (not recommended).

> Is there any way to put up some similar page to describe the problem,
> and most importantly, allow the connection to continue at user
> discretion?

Yes, there is a way. Your options include:

1. Tell Squid to ignore expired certificate errors. Squid will then
mimic the expired certificate while allowing the client traffic. The
client should then detect the expired (fake) certificate and may offer
the user to bypass the problem. However, if the client is not smart
enough, it may silently allow the connection to an attacker. In general,
not all clients are smart browsers (and not all users are smart enough
not to bypass warnings that should not be bypassed). It is your decision
who to delegate certificate freshness checks to. By default, Squid does
them (and smart browsers do them as well). This is not so much about
robustness but mostly about security.

2.1. Customize Squid error page(s). You can make them look almost exactly
like the browser error pages if you want.

2.2. Add user-driven error bypass to #2.1. Write Squid helper scripts
(at least!) that convert user clicking a link in a Squid-generated error
page to Squid ignoring the expired certificate error and generating a
fresh fake certificate (instead of the expired one). Implementing this
well is difficult, but, AFAICT, possible.

For more details and starting points, please see error_directory,
sslproxy_cert_error, sslproxy_cert_adapt, and external_acl_type in
squid.conf.documented.


HTH,

Alex.


Re: How to make sslbump'ing more robust? (option to continue?)

erdosain9
How do you do option 1???
Thanks

Re: How to make sslbump'ing more robust? (option to continue?)

Antony Stone
On Thursday 11 May 2017 at 18:37:49, erdosain9 wrote:

> how you do the option 1???

As Alex already said:

"For more details and starting points, please see error_directory,
sslproxy_cert_error, sslproxy_cert_adapt, and external_acl_type in
squid.conf.documented."


Antony.

--
Salad is what food eats.

Please reply to the list;
please *don't* CC me.

Re: How to make sslbump'ing more robust? (option to continue?)

L. A. Walsh
Alex Rousskov wrote:
> Yes, there is a way. Your options include:
>
> 1. Tell Squid to ignore expired certificate errors. Squid will then
> mimic the expired certificate while allowing the client traffic. The
> client should then detect the expired (fake) certificate and may offer
> the user to bypass the problem.
...
----

Since my SSL-bump is on a private server with most clients
being my clients, this is probably the most ideal.  I wasn't sure
if the type of SSL-problem would be correctly duplicated to the
client, as I didn't want to just continue the connection without
telling the browser operator (most often, me) that there was
some problem.

Thanks!
-linda



Re: How to make sslbump'ing more robust? (option to continue?)

Amos Jeffries

On 12/05/17 15:45, L A Walsh wrote:

> Alex Rousskov wrote:
>> Yes, there is a way. Your options include:
>>
>> 1. Tell Squid to ignore expired certificate errors. Squid will then
>> mimic the expired certificate while allowing the client traffic. The
>> client should then detect the expired (fake) certificate and may offer
>> the user to bypass the problem.
> ...
> ----
>
> Since my SSL-bump is on a private server with most clients
> being my clients, this is probably the most ideal.  I wasn't sure
> if the type of SSL-problem would be correctly duplicated to the
> client, as I didn't want to just continue the connection without
> telling the browser operator (most often, me) that there was
> some problem.

The details of what gets mimicked are documented at
<http://wiki.squid-cache.org/Features/MimicSslServerCert>.

Under "Validity Dates":
  "True dates by default. If a true validity date is missing or if
  sslproxy_cert_adapt setValidAfter and setValidBefore is active, then the
  signing certificate validity date is used."

Amos
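A squid.conf fragment that implements Alex's option 1 while keeping the expiry visible to the client, as Amos's note on validity dates requires. This is an added example, not configuration posted in the thread; the client subnet is an assumption.

```conf
# Added example (not from the thread): let only the expired-certificate error
# through to the client, so the browser, not Squid, decides whether to bypass it.

# Match exactly the error shown on Linda's Squid error page. Any other
# validation error (name mismatch, untrusted issuer, ...) still gets
# Squid's own error page.
acl ExpiredOnly ssl_error X509_V_ERR_CERT_HAS_EXPIRED

# Assumption: the private server's own clients, the only ones trusted to
# judge a browser certificate warning themselves.
acl MyClients src 192.168.1.0/24

# Ignore the expiry error only for those clients; everything else stays denied,
# so Squid keeps doing the freshness check for everyone else.
sslproxy_cert_error allow ExpiredOnly MyClients
sslproxy_cert_error deny all

# Leave these OFF. Per the MimicSslServerCert page Amos quotes, either
# adaptation replaces the mimicked validity dates with the signing CA's dates,
# and the client would then never see that the origin certificate had expired.
# sslproxy_cert_adapt setValidBefore all
# sslproxy_cert_adapt setValidAfter all
```

With this in place the generated certificate carries the origin's real "Not After" date, so a browser behind the proxy shows its own expired-certificate warning (with its continue option) instead of Squid's error page.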
