Looking for assistance with setting up a TLS proxy

Rohit Sodhia
Greetings,

I'm a backend dev who's been suddenly assigned a task to create a squid
proxy to intercept cURL/wget requests. We've got old servers that don't
support TLS 1.2 and some of the services we use will be requiring it
soon, so the decision was made to route cURL and wget requests through a
pair of squid servers. Unfortunately, I'm not a sysop (or even really
knowledgeable in this area) and am having some trouble, hoping someone
wouldn't mind helping me out.

I've been through the squid documentation and been playing around with
the examples on the squid site, including finding one for creating an
interception proxy. However, if I'm correct, for squid to be able to
upgrade the TLS requests from their current 1.0 to 1.2, squid would need
to decrypt the incoming request, then reencrypt it? I'm hoping someone
out there may be willing to help point me in the right direction; I've
been given a tight deadline, and both learning about the technologies
and finding an effective solution is straining.

Thank you,

--
Rohit Sodhia

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Looking for assistance with setting up a TLS proxy

Amos Jeffries
Administrator
On 08/09/17 07:28, Rohit Sodhia wrote:

> Greetings,
>
> I'm a backend dev who's been suddenly assigned a task to create a squid
> proxy to intercept cURL/wget requests. We've got old servers that don't
> support TLS 1.2 and some of the services we use will be requiring it
> soon, so the decision was made to route cURL and wget requests through a
> pair of squid servers. Unfortunately, I'm not a sysop (or even really
> knowledgeable in this area) and am having some trouble, hoping someone
> wouldn't mind helping me out.
>
> I've been through the squid documentation and been playing around with
> the examples on the squid site, including finding one for creating an
> interception proxy. However, if I'm correct, for squid to be able to
> upgrade the TLS requests from their current 1.0 to 1.2, squid would need
> to decrypt the incoming request, then reencrypt it?

Yes. The TLS messaging needs replacing to negotiate TLS/1.0 variants of
things, and often the server cert itself needs replacing entirely due to
TLS/1.1+ extension bits inside it.


> I'm hoping someone
> out there may be willing to help point me in the right direction; I've
> been given a tight deadline, and both learning about the technologies
> and finding an effective solution is straining.
>
> Thank you,
>

The feature details for Squid TLS interception capabilities are at
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>

The more you know about TLS messaging the easier it is to grasp what
Squid is doing. But the basics as covered in that page's second section
should be sufficient to use the feature.

Some things that might trip you up:

* the "stare" and "splice" actions we normally advise using cannot be
used when translating TLS versions. They deliver the client TLS version
(at least) on messages to the server.

* bump at step1 (maybe step2) will do exactly what you need. This
emulates the client-first bumping action which is documented as "causes
a lot of problems" mostly in terms of adding major TLS vulnerabilities
to the whole system - so minimize use as much as possible.

* TLS SNI and similar extensions are generally not sent by TLS/1.0
clients. Which makes it difficult to tell what service is being
requested, and thus to do that above minimization.


HTH
Amos
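The configuration Amos's three points describe, written out as an added example squid.conf fragment (this is not from the thread, and not Squid project documentation; directive names follow Squid 4, and the port, the CA path, the certgen helper path and the client address range are assumptions). It bumps at step 1 on an explicit forward proxy port, so the only destination information Squid has is the hostname from the client's CONNECT request, which is what curl and wget send when given --proxy; the missing-SNI problem Amos raises applies to intercepted connections, where there is no CONNECT to read:

```conf
# Added example squid.conf fragment (not from the thread, not Squid's docs).
# Explicit forward proxy that bumps every CONNECT at step 1 and talks
# TLS 1.2+ upstream, so a TLS 1.0-only curl/wget can reach TLS 1.2-only
# services. Squid 4 directive names; port, paths and the client range are
# assumptions.

# Clients point curl/wget at this port (--proxy / https_proxy).
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints per-host leaf certificates signed by bump-ca.pem.
# The old clients must trust bump-ca.pem (curl --cacert, wget --ca-certificate).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Decide at step 1, before any server contact, using only the CONNECT
# hostname. This is the client-first style of bumping Amos warns about;
# it is used here because "peek", "stare" and "splice" carry the client's
# own (TLS 1.0) hello onward, which is exactly what the upstream service
# will soon refuse.
acl step1 at_step SslBump1
ssl_bump bump step1

# Upstream leg: do not let Squid negotiate anything below TLS 1.2.
# (Squid 3.5 spelling, as an assumption: sslproxy_options NO_TLSv1,NO_TLSv1_1)
tls_outgoing_options min-version=1.2

# Keep the bumped population as small as possible: only the legacy hosts
# may use this port at all.
acl legacy_clients src 10.0.0.0/24    # assumed address range of the old servers
http_access allow legacy_clients
http_access deny all
```

Two things to check after starting Squid with this: first, from one of the old hosts, a request such as `curl -v --proxy http://proxy.example:3128 --cacert bump-ca.pem https://service.example/` (hostnames assumed) should show a certificate issued by the bump CA rather than the real one, which confirms the client leg is being terminated by Squid; second, nothing in this fragment fixes the client leg itself, which still runs TLS 1.0 between the legacy host and the proxy, so the proxy and those hosts should sit on a network segment where that weaker link is acceptable, and the bump CA key should be protected like any other CA key, since anyone holding it can impersonate every HTTPS site to the legacy hosts.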