Is there a way on client to show proxy's certificate?


Is there a way on client to show proxy's certificate?

GeorgeShen
Running a client program through a proxy server, and I was given the proxy's
root CA certificate file. When applied, got the error on the program: "x509:
certificate signed by unknown authority". Now I'm wondering if the so called
"proxy's root CA cert" is given correctly.

I know for openssl, I can do "openssl s_client -connect remote-host:443
-showcert" to show the chain of server's CAs. Is there a way to use
openssl to show what the CA on the proxy server is? Or is there some way to
find this out?

thanks.
George



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Is there a way on client to show proxy's certificate?

Amos Jeffries
Administrator
On 21/12/19 6:27 pm, GeorgeShen wrote:
> Running a client program through a proxy server, and I was given the proxy's
> root CA certificate file. When applied, got the error on the program: "x509:
> certificate signed by unknown authority". Now I'm wondering if the so called
> "proxy's root CA cert" is given correctly.
>
> I now for openssl, I can do "openssl s_client -connect remote-host:443
> -showcert" to show the chain of server's CAs, is there a way to use the
> openssl to show what is the CA on the proxy server? or is there someway to
> find this out?

The same openssl command can connect to any type of TLS server.


Amos
Re: Is there a way on client to show proxy's certificate?

GeorgeShen
> The same openssl command can connect to any type of TLS server.

True. But the proxy server may not run normal TLS service or listen on the
port 443.
The proxy with SSL-Bump is listening on the 3129 for example, I have
certainly tried:

 openssl s_client -connect proxy-server-ip:3129 -showcert

and that does not work. I'm just saying the proxy server may not also run a
normal TLS service.

thanks.
George



Re: Is there a way on client to show proxy's certificate?

Amos Jeffries
Administrator
On 21/12/19 7:02 pm, GeorgeShen wrote:

>> The same openssl command can connect to any type of TLS server.
>
> True. But the proxy server may not run normal TLS service or listen on the
> port 443.
> The proxy with SSL-Bump is listening on the 3129 for example, I have
> certainly tried:
>
>  openssl s_client -connect proxy-server-ip:3129 -showcert
>
> and that does not work. I'm just say the proxy server may not also run a
> normal TLS service.

Squid only supports normal TLS service. If the above command is not
producing proper TLS details that is the problem.

Amos
Re: Is there a way on client to show proxy's certificate?

Matus UHLAR - fantomas
>> The same openssl command can connect to any type of TLS server.

On 21.12.19 00:02, GeorgeShen wrote:
>True. But the proxy server may not run normal TLS service or listen on the
>port 443.
>The proxy with SSL-Bump is listening on the 3129 for example, I have
>certainly tried:
>
> openssl s_client -connect proxy-server-ip:3129 -showcert
>
>and that does not work. I'm just say the proxy server may not also run a
>normal TLS service.

how is port 3129 defined in squid.conf?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: Is there a way on client to show proxy's certificate?

GeorgeShen

> how is port 3129 defined in squid.conf?

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

BTW, the https/TLS bump through this server works. When using the openssl
s_client, I get this result
(it says "no peer certificate available"):

$ openssl s_client -connect 192.168.1.35:3129 -showcerts
CONNECTED(00000003)
4659451500:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version
number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:386:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1576955529
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---



and if I run this openssl s_client on the proxy itself (should use the same
version of openssl):

$ openssl s_client -connect 127.0.0.1:3129 -showcerts
CONNECTED(00000003)
140248349009560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:827:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 311 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1576956256
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---






Re: Is there a way on client to show proxy's certificate?

Matus UHLAR - fantomas
>> how is port 3129 defined in squid.conf?

On 21.12.19 13:34, GeorgeShen wrote:
>ssl_bump peek step1
>ssl_bump stare step2
>ssl_bump bump all
>http_port 3128
>http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
>generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>options=SINGLE_DH_USE:SINGLE_ECDH_USE
>tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

this is an http port, speaking http.  This is not an https port, so you can't
speak https to it.  The difference between 3128 and 3129 is, when you issue a
CONNECT request to 3129, squid tries to communicate using SSL as if it was
the destination server (or whatever you configure in ssl_bump options).

if you want to talk to squid on port 443, you must configure https_port.

>BTW, the https/TLS bump through this server works. when using the openssl
>s_client, get this result,
>(it says "no peer certificate available"):

this looks to me more like a failure of setting up the SSL protocol.
I really wonder whether something SSL related works at all.

you should check with:

openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts

on both squid ports to see the difference.


>$ openssl s_client -connect 192.168.1.35:3129 -showcerts
>CONNECTED(00000003)
>4659451500:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version
>number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/ssl/ssl_pkt.c:386:
>---
>no peer certificate available
>---
>No client certificate CA names sent
>---
>SSL handshake has read 5 bytes and written 0 bytes
>---
>New, (NONE), Cipher is (NONE)
>Secure Renegotiation IS NOT supported
>Compression: NONE
>Expansion: NONE
>No ALPN negotiated
>SSL-Session:
>    Protocol  : TLSv1.2
>    Cipher    : 0000
>    Session-ID:
>    Session-ID-ctx:
>    Master-Key:
>    Start Time: 1576955529
>    Timeout   : 7200 (sec)
>    Verify return code: 0 (ok)
>---
>
>
>
>and if I run this openssl s_client on the proxy itself (should use the same
>version of openssl):
>
>$ openssl s_client -connect 127.0.0.1:3129 -showcerts
>CONNECTED(00000003)
>140248349009560:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
>protocol:s23_clnt.c:827:
>---
>no peer certificate available
>---
>No client certificate CA names sent
>---
>SSL handshake has read 7 bytes and written 311 bytes
>---
>New, (NONE), Cipher is (NONE)
>Secure Renegotiation IS NOT supported
>Compression: NONE
>Expansion: NONE
>No ALPN negotiated
>SSL-Session:
>    Protocol  : TLSv1.2
>    Cipher    : 0000
>    Session-ID:
>    Session-ID-ctx:
>    Master-Key:
>    Key-Arg   : None
>    PSK identity: None
>    PSK identity hint: None
>    SRP username: None
>    Start Time: 1576956256
>    Timeout   : 300 (sec)
>    Verify return code: 0 (ok)
>---

Re: Is there a way on client to show proxy's certificate?

GeorgeShen
>this is http port, speaking http.  This is not a https port, so you can't
>speak https to it.  The difference between 3128 and 3129 is, when you issue
>CONNECT request to 3129, squid tries to communicate using SSL as if it was
>the destination server (or, whatever you configure in ssl_bump options).

>if you want to talk to squid on port 443, you must configure https_port.

because I'm doing the explicit proxy for https on this proxy server. if I
configure
"https_port 3129 ssl-bump ...", then I get this error when doing the https
proxy:

2019/12/22 22:07:15| FATAL: ssl-bump on https_port requires tproxy/intercept
which is missing.

so this to me means I can only configure https_port if I'm using the
intercept method, which I'm not.
Or is there a way to listen on the https_port with explicit proxy?

>>BTW, the https/TLS bump through this server works. when using the openssl
>>s_client, get this result,
>>(it says "no peer certificate available"):

>this looks to me more like failure of setting up SSL protocol.
>I really wonder something SSL related works  at all.
>you should check with:
>
>openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts
>
>on both squid ports to see the difference.

The above command works for me, but I only get the certs from the real host, or actually
the proxy dynamically modified certs for the remote host, but not the proxy server's cert itself.

thanks.
George




Re: Is there a way on client to show proxy's certificate?

GeorgeShen

actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
<host:port> -showcerts",
I noticed two of the three certs from that display are from the proxy server I
think. The first one
is the modified host cert. Maybe that's the way to get the proxy server's certs.

thanks.
George



Re: Is there a way on client to show proxy's certificate?

Amos Jeffries
Administrator
On 23/12/19 7:45 pm, GeorgeShen wrote:
>
> actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
> <host:port> -showcerts ",
> noticed two of the three certs from that display is from the proxy server I
> think. the first one
> is the modified host cert. maybe that's the way to get proxy server's certs.
>

You are using SSL-Bump. There is no "proxy cert" in these connections.
There is only client cert (optional) and server cert (possibly modified
by Squid, with CA chain).

What you see there is what exists in the traffic.

Amos
Re: Is there a way on client to show proxy's certificate?

Amos Jeffries
Administrator
On 23/12/19 7:26 pm, GeorgeShen wrote:

>> this is http port, speaking http.  This is not a https port, so you can't
>> speak https to it.  The difference between 3128 and 3129 is, when you issue
>> CONNECT request to 3129, squid tries to communicate using SSL as if it was
>> the destination server (or, whatever you configure in ssl_bump options).
>
>> if you want to talk to squid on port 443, you must configure https_port.
>
> because I'm doing the explicit proxy for https on this proxy server. if I
> configure
> "https_port 3129 ssl-bump ...",

That is port 3129, not port 443.


> then I get this error when doing the https
> proxy:
>
> 2019/12/22 22:07:15| FATAL: ssl-bump on https_port requires tproxy/intercept
> which is missing.
>
> so this to me means, i can only configure https_port if I'm using the
> intercept method, which I'm not.

That is saying the "ssl-bump" flag requires "intercept" on that port
directive.

SSL-Bump is intercepting the TLS layer. It makes no sense for a client
to explicitly open TCP connections to Squid when trying to perform TLS
with a different server elsewhere.


> Or is there a way to listern to the https_port with explicit proxy?

There is. Remove the ssl-bump stuff from that https_port line. Configure
it with a regular server cert and key. What you have then is an
"explicit TLS proxy" - a proxy clients need to use TLS to communicate with.


>
>>> BTW, the https/TLS bump through this server works. when using the openssl
>>> s_client, get this result,
>>> (it says "no peer certificate available"):
>
>> this looks to me more like failure of setting up SSL protocol.
>> I really wonder something SSL related works  at all.
>> you should check with:
>>
>> openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts
>>
>> on both squid ports to see the difference.
>
> The above command works for me, but I only get the certs from the real host,
> not the proxy server itself.


You seem(ed) to be in some confusion about what "the certs" actually
are. See my earlier response about that output.

Amos
Re: Is there a way on client to show proxy's certificate?

GeorgeShen
>> actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
>> <host:port> -showcerts ",
>> noticed two of the three certs from that display is from the proxy server
>> I
>> think. the first one
>> is the modified host cert. maybe that's the way to get proxy server's
>> certs.
>>

>You are using SSL-Bump. There is no "proxy cert" in these connections.
>There is only client cert (optional) and server cert (possibly modified
>by Squid, with CA chain).
>
>What you see there is what exists in the traffic.

Sorry, but when I run the above openssl command, I do get three certs: the first
one is the modified server cert, the 2nd and third certs are the squid proxy's
certs. Yes, the proxy is configured to do the SSL-BUMP on port 3129. I would think the proxy
needs to send its certs to the client for that part of the TLS connection. Can this
explain why I'm receiving the proxy's cert in the 'openssl s_client' display?

thanks.
- George




Re: Is there a way on client to show proxy's certificate?

Amos Jeffries
Administrator
On 24/12/19 7:55 am, GeorgeShen wrote:

>
>>> actually doing "openssl s_client -proxy 192.168.1.35:3129 -connect
>>> <host:port> -showcerts ",
>>> noticed two of the three certs from that display is from the proxy server
>>> I
>>> think. the first one
>>> is the modified host cert. maybe that's the way to get proxy server's
>>> certs.
>>>
>
>> You are using SSL-Bump. There is no "proxy cert" in these connections.
>> There is only client cert (optional) and server cert (possibly modified
>> by Squid, with CA chain).
>>
>> What you see there is what exists in the traffic.
>
> Sorry, but when I run the above openssl command, I do get three certs, first
> one is
> the modified server cert, the 2nd and third certs are the squid proxy's
> certs.

No. You receive a server cert and the CA chain required to validate that
server cert.

Stop thinking of certs as belonging to the proxy. It seems to be
confusing you. All 3 certs can be called "the proxy's certs" and yet
none of them is a "proxy cert" in TLS definitions.

Amos
Re: Is there a way on client to show proxy's certificate?

GeorgeShen


>No. You receive a server cert and the CA chain required to validate that
>server cert.
>
>Stop thinking of certs as belonging to the proxy. It seems to be
>confusing you. All 3 certs can be called "the proxy's certs" and yet
>none of them is a "proxy cert" in TLS definitions.

Amos,

but those two certs the client got are the certificate I created for the
proxy, and it is defined on the 'ssl-bump' line
cert=/usr/local/squid/etc/ssl_cert/myCA.pem. That myCA.pem has a private key
and a certificate, and two of the certs the client 'openssl s_client' receives
are that certificate. I thought this had to be the 'proxy' cert.

thanks.
- George




Re: Is there a way on client to show proxy's certificate?

GeorgeShen

>That is saying the "ssl-bump" flag requires "intercept" on that port
>directive.
>
>SSL-Bump is intercepting the TLS layer. It makes no sense for a client
>to explicitly open TCP connections to Squid when trying to perform TLS
>with a different server elsewhere.

but my proxy's purpose is to do the 'SSL-BUMP', with my config:

ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_port 3128
http_port 3129 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

the ssl-bump through this proxy seems to work. Am I doing this incorrectly?

>
>> Or is there a way to listern to the https_port with explicit proxy?
>
>There is. Remove the ssl-bump stuff from that https_port line. Configure
>it with a regular server cert and key. What you have then is an
>"explicit TLS proxy" - a proxy clients need to use TLS to communicate with.

if I change the above configure to (still want to do ssl-bump operation):

http_port 3128
https_port 3129 cert=/usr/local/squid/etc/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=prime256v1:/usr/local/squid/etc/dhparams.pem

then wget cannot get through this proxy:
$ export https_proxy=192.168.1.35:3129
 wget https://www.cnn.com
--2019-12-23 14:34:22--  https://www.cnn.com/
Connecting to 192.168.1.35:3129... connected.
Failed reading proxy response: Connection reset by peer
Retrying.

did I configure it wrong?

thanks.
- George





Re: Is there a way on client to show proxy's certificate?

Amos Jeffries
Administrator
On 24/12/19 3:47 pm, GeorgeShen wrote:

>
>
>> No. You receive a server cert and the CA chain required to validate that
>> server cert.
>>
>> Stop thinking of certs as belonging to the proxy. It seems to be
>> confusing you. All 3 certs can be called "the proxy's certs" and yet
>> none of them is a "proxy cert" in TLS definitions.
>
> Amos,
>
> but those two certs the client got is the certificate I created for the
> proxy, and it is defined on the 'ssl-bump' line
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem. That myCA.pem has a private key
> and a certificate, the client 'openssl s_client' receives two of the certs
> are that certificate. I thought this had to be the 'proxy' cert.


Let's start with some of the basics:

TLS has the concept of a "proxy cert" - that is a certificate with a
flag stating that the server type is a proxy. That makes modifications
to how things like SNI, same-origin protections and nested encryption
are handled in clients. The traffic inside the TLS is the same as you
would see on port 3128 - it's just encrypted now.


The "cert you put in the proxy" for SSL-Bump should be a CA cert. Either
a root/self-signed or intermediate CA cert. That type of cert can sign
other certs. SSL-Bump generates the 'modified host cert' and needs a CA
to sign it. The client thinks it is talking to an origin server - the
traffic inside the TLS is usually the same as you would see on port 80.


I hope that makes the situation(s) clear? (I am simplifying a few
things. But they should not matter to the basic understanding.)

If you are looking to view the cert the proxy has been _configured with_
on an ssl-bump port that 'cert' is the *entire chain* of CAs following
the server cert you called the "modified host cert". Some will have been
loaded through 'cert=' and some maybe loaded through other directives
(eg cafile or capath).


Amos
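As an added example (not code from this thread or from the Squid project), a small Python check for the situation George describes: take the output of Matus's command, `openssl s_client -proxy 192.168.1.35:3129 -connect <host:port> -showcerts`, parse the presented chain, compare each cert's SHA-256 fingerprint against the CA file the client was given, and flag a file that also carries the private key. The s_client output and PEM bodies embedded below are constructed placeholders, not real certificates; `capture_chain()` runs the real command when you have a proxy to point it at.

```python
"""Compare the CA file handed to a client with the chain a Squid SSL-Bump port
presents, using `openssl s_client -proxy <proxy> -connect <host:port> -showcerts`."""
import base64
import hashlib
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# One chain entry as s_client prints it: '<depth> s:<subject>', ' i:<issuer>',
# optional 'a:'/'v:' lines (newer OpenSSL), then the PEM certificate.
ENTRY_RE = re.compile(
    r"^[ \t]*(?P<depth>\d+) s:(?P<subject>[^\n]*)\n[ \t]*i:(?P<issuer>[^\n]*)\n"
    r"(?:[ \t]*[av]:[^\n]*\n)*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----[^-]*-----END CERTIFICATE-----)", re.M)
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>[^-]*)-----END (?P=label)-----")

@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str
    sha256: str  # hex digest of the DER bytes, as `openssl x509 -fingerprint -sha256`

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def pem_body_to_der(body: str) -> bytes:
    return base64.b64decode("".join(body.split()))

def parse_showcerts(output: str) -> List[ChainEntry]:
    """Extract every 'Certificate chain' entry from s_client -showcerts output."""
    return [ChainEntry(int(m["depth"]), m["subject"].strip(), m["issuer"].strip(),
                       fingerprint(pem_body_to_der(PEM_RE.search(m["pem"])["body"])))
            for m in ENTRY_RE.finditer(output)]

def capture_chain(proxy: str, target: str) -> str:
    """CONNECT through the proxy, then TLS to target (the command from the thread;
    -proxy needs OpenSSL 1.1.0+). Returns s_client's stdout for parse_showcerts()."""
    cmd = ["openssl", "s_client", "-proxy", proxy, "-connect", target, "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=30).stdout.decode(errors="replace")

def check_ca(showcerts_output: str, ca_file_text: str) -> Dict:
    """Is the CA the client was given one of the issuers in the presented chain, and
    does the file hold only certificates? (A client copy must never carry the key.)"""
    chain = parse_showcerts(showcerts_output)
    blocks = PEM_RE.findall(ca_file_text)  # (label, body) pairs
    ca_fps = {fingerprint(pem_body_to_der(b)) for label, b in blocks if label == "CERTIFICATE"}
    key_present = any("PRIVATE KEY" in label for label, _ in blocks)
    matched = [e.depth for e in chain if e.sha256 in ca_fps]
    return {"chain_len": len(chain), "matched_depths": matched,
            "private_key_in_ca_file": key_present,
            # depth 0 is the per-host cert Squid generated; the CA must sit above it
            "ok": any(d > 0 for d in matched) and not key_present}

def constructed_pem(label: str, payload: bytes) -> str:
    """Constructed PEM block for offline use; the payload is NOT real DER."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"

LEAF_DER = b"constructed placeholder: bumped cert for www.example.com"
INTER_DER = b"constructed placeholder: intermediate CA"
ROOT_DER = b"constructed placeholder: root CA"
# Constructed output shaped like the real 'Certificate chain' section.
SAMPLE_SHOWCERTS = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:CN = www.example.com\n   i:CN = myCA intermediate\n" + constructed_pem("CERTIFICATE", LEAF_DER)
    + " 1 s:CN = myCA intermediate\n   i:CN = myCA\n" + constructed_pem("CERTIFICATE", INTER_DER)
    + " 2 s:CN = myCA\n   i:CN = myCA\n" + constructed_pem("CERTIFICATE", ROOT_DER)
    + "---\nServer certificate\n")
GIVEN_CA_PEM = constructed_pem("CERTIFICATE", ROOT_DER)  # what the client should be handed
WRONG_CA_PEM = constructed_pem("CERTIFICATE", b"constructed placeholder: unrelated CA")
LEAKED_CA_PEM = GIVEN_CA_PEM + constructed_pem("PRIVATE KEY", b"constructed placeholder: key")
```

Against a live proxy, `check_ca(capture_chain("192.168.1.35:3129", "www.example.com:443"), open("myCA.pem").read())` answers George's original question: a match at depth 1 or 2 means the file is the CA that actually signs the bumped certs.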