Multiple SSL certificates on same IP

Multiple SSL certificates on same IP

Patrick Chemla

Hi all,


Thanks for the great work you do/provide with squid.


I have been using squid for years, I like it very much, and I am now installing an SSL load-balancing unit for about 80 domains/sub-domains.


My OS release is Fedora release 29 (Twenty Nine)


My squid version and parameters are:


# squid -v

Squid Cache: Version 4.4
Service Name: squid

This binary uses OpenSSL 1.1.1-pre9 (beta) FIPS 21 Aug 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM' '--enable-auth-ntlm=SMB_LM,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group' '--enable-storeid-rewrite-helpers=file' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-diskio' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--with-pic' '--disable-security-cert-validators' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'LDFLAGS=-Wl,-z,relro   
-Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now -Wl,--warn-shared-textrel' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'


The problem I have is that all these domains are actually on one IP only, on a single server, running nginx with multiple SSL certificates on one single IP, and I would like to do the same with squid.


I did it a few years ago with HAProxy, but I would prefer to keep squid.


3 choices:


- Having more than one IP on the server, create SSL certificates from LetsEncrypt including each a list of some domains and sub-domains

- Create a very big certificate to have squid using it (not the best choice because domains are of different content, far one to the other)

- Having squid managing all certificates on a single IP. (The best because some domains have very high encryption needs, and LetsEncrypt is not their preference)


Like a bottle in the sea: Is that possible, multiple certificates, with squid 4.4 on a single IP?


Thanks for your help.


Patrick



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Multiple SSL certificates on same IP

Squid users-2

Could you

A – forward to different ports

B – Use Network address translation?

Thoughts…

From: squid-users <[hidden email]> On Behalf Of Patrick Chemla
Sent: 19 December 2018 18:29
To: [hidden email]
Subject: [squid-users] Multiple SSL certificates on same IP

Re: Multiple SSL certificates on same IP

Bruno de Paula Larini
On 19/12/2018 16:29, Patrick Chemla wrote:

> - Having more than one IP on the server, create SSL certificates from LetsEncrypt including each a list of some domains and sub-domains
>
> - Create a very big certificate to have squid using it (not the best choice because domains are of different content, far one to the other)
>
> - Having squid managing all certificates on a single IP. (The best because some domains have very high encryption needs, and LetsEncrypt is not their preference)
>
>
> Like a bottle in the sea: Is that possible, multiple certificates, with squid 4.4 on a single IP?


Based on what I had researched recently, Squid still doesn't handle SNI in accel mode, so you could set different, non-wildcard certificates to the websites. See: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-0-x-SNI-Support-td4682018.html
But it would be nice if Amos could confirm if this information is still true for 4.4.


Re: Multiple SSL certificates on same IP

Amos Jeffries
On 20/12/18 9:29 am, Bruno de Paula Larini wrote:

> Em 19/12/2018 16:29, Patrick Chemla escreveu:
>>
>> - Having more than one IP on the server, create SSL certificates from
>> LetsEncrypt including each a list of some domains and sub-domains
>>
>> - Create a very bing certificate to have squid using it (not the best
>> choice because domains are of different content, far one to the other)
>>
>> - Having squid managing all certificates on a single IP. (The best
>> because some domains have very high encryption needs, and LetsEncrypt
>> is not their preference)
>>
>>
>> Like a bottle in the sea: Is that possible, multiple certificates,
>> with squid 4.4 on a single IP?
>>
>>
> Based on what I had researched recently, Squid still doesn't handle SNI
> in accel mode, so you could set different, non-wildcard certificates to
> the websites. See:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-0-x-SNI-Support-td4682018.html
> But it would be nice if Amos could confirm if this information is still
> true for 4.4.
>


There has been some progress in that I have now tested this behaviour
both with multiple certs in different files and sharing a PEM file.


OpenSSL definitely can use only one certificate per http(s)_port. Either
the _last_ loaded if several PEM files are loaded (each call to the
OpenSSL API *replaces* the certs loaded), or if one tries to work around
that by merging everything into a single PEM and only loading it all at
once - only the _first_ cert chain is ever used from that set.

There also does not appear to be any alternative API capable of loading
multiple certs into a single security context and having them used as
leaf certs. If anyone is aware of such a mechanism I would *greatly*
appreciate hearing about it.


On the other hand the GnuTLS mechanism can simply load as many PEMs as
one wants with a single cert chain in each - it "just works", providing
the appropriate cert chain for any requested domain in its ServerHello,
or the first cert loaded if the domain has no cert at all.


FYI; there are other bugs apparently with the GnuTLS priority-string
settings (the tls-options= and tls-min-version=) which may prevent
advanced TLS tuning. And of course with GnuTLS builds one cannot yet
have a dual-purpose proxy also doing SSL-Bump on some traffic (if that
matters). So, YMMV as to whether GnuTLS is worthwhile switching to right
now.

If you do choose to switch the squid.conf for this feature in a GnuTLS
build would look like:

 https_port 443 accel \
    cert=/etc/squid/tls/default.example.com.pem \
    cert=/etc/squid/tls/example.net.pem \
    cert=/etc/squid/tls/example.org.pem \

 ... and so on with a PEM for each domain served by that port.

You should be able to reduce the list a bit by using wildcard certs for
the sub-domains, but I have not tested that possibility yet.


Amos

Re: Multiple SSL certificates on same IP

Bruno de Paula Larini
On 19/12/2018 20:09, Amos Jeffries wrote:
> OpenSSL definitely can use only one certificate per http(s)_port. Either
> the _last_ loaded if several PEM files are loaded (each call to the
> OpenSSL API *replaces* the certs loaded), or if one tries to work around
> that by merging everything into a single PEM and only loading it all at
> once - only the _first_ cert chain is ever used from that set.
Sorry for maybe going a bit off-topic, just curious about it.
I'm mostly clueless about the implications and intricacies of "behind
the scenes" of SNI, but most modern webservers support it (Apache,
nginx, IIS). Apache, for instance, says it should be built with "OpenSSL
with the TLS Extensions option enabled", since OpenSSL v0.9.8f. And
their configuration for Virtual Hosts and SSL/TLS is rather simple from a
user's view.

So, my question would be: why would Squid have problems with SNI and
OpenSSL when other webservers/proxies have this feature using
OpenSSL/LibreSSL libs?

In my (user's) opinion, Squid has far more complex features with SSL
Bump and other forward proxy handling for SSL/TLS. Why would SNI be such
a big deal?

-Bruno


Re: Multiple SSL certificates on same IP

Alex Rousskov
On 12/20/18 5:45 AM, Bruno de Paula Larini wrote:
> why Squid would have problems with SNI and
> OpenSSL when other webservers/proxies have this feature using
> OpenSSL/LibreSSL libs?

Squid lacks the necessary code to support SNI in accelerator mode when
using OpenSSL.


> Why SNI would be such a big deal?

SNI support with OpenSSL is not a "big deal"[1]. Apparently, nobody has
needed that support badly enough to either add that support or sponsor
that addition.

[1]
https://stackoverflow.com/questions/5113333/how-to-implement-server-name-indication-sni

Alex.
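A worked example of the mechanism the thread circles around: the per-connection certificate selection that, per Amos's message, the GnuTLS build of Squid gets for free and that, per Alex's reply, an OpenSSL build would need code for (the servername callback). This is an added illustration, not Squid code and not anything posted in the thread. It is written in Go with the standard library only so it runs offline without OpenSSL: it forges three self-signed test certificates (constructed for the example, not real ones), loads them in cert= option order on one loopback port, picks a cert by SNI with one-label wildcard matching, falls back to the first cert loaded when the SNI is absent or covered by nothing (the GnuTLS behaviour Amos describes), and then probes each case the way openssl s_client -servername would. The names default.example.com, example.net, example.org and unknown.test are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned makes a throw-away self-signed leaf for the SANs (constructed for this example; real deployments load CA-issued PEMs).
func selfSigned(names ...string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// matches reports whether leaf covers name: an exact SAN, or a wildcard SAN whose
// "*" stands for exactly one leftmost label (*.example.net covers www.example.net only).
func matches(leaf *x509.Certificate, name string) bool {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	dot := strings.IndexByte(name, '.')
	for _, san := range leaf.DNSNames {
		san = strings.ToLower(san)
		if san == name || (strings.HasPrefix(san, "*.") && dot > 0 && name[dot+1:] == san[2:]) {
			return true
		}
	}
	return false
}

// CertStore holds certs in cert= option order. Select (tls.Config.GetCertificate here, the
// servername callback in OpenSSL terms) returns the first cert covering the SNI, else the first cert.
type CertStore struct{ certs []tls.Certificate }
func (s *CertStore) Select(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	for i := range s.certs {
		if hello.ServerName != "" && matches(s.certs[i].Leaf, hello.ServerName) {
			return &s.certs[i], nil
		}
	}
	return &s.certs[0], nil
}

// probe is the check "openssl s_client -servername NAME" gives you: connect with
// that SNI and report the SANs of the leaf actually sent (no verify: self-signed).
func probe(addr, sni string) ([]string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames, nil
}

// demo serves three certs on one loopback port and returns SNI -> SANs served.
func demo() (map[string][]string, error) {
	store := &CertStore{certs: []tls.Certificate{
		selfSigned("default.example.com"),
		selfSigned("example.net", "*.example.net"),
		selfSigned("example.org"),
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: store.Select})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // finish each handshake with the selected cert, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { c.Handshake(); c.Close() }(c.(*tls.Conn))
		}
	}()
	out := map[string][]string{}
	for _, sni := range []string{"example.org", "www.example.net", "unknown.test", ""} {
		names, err := probe(ln.Addr().String(), sni) // "" sends no SNI at all
		if err != nil {
			return nil, err
		}
		out[sni] = names
	}
	return out, nil
}
func main() { fmt.Println(demo()) }
```

To run the same check against a real Squid port, loop over the hosted names with openssl s_client -connect HOST:443 -servername NAME </dev/null | openssl x509 -noout -subject -ext subjectAltName; on an OpenSSL-built Squid 4.4 every name should come back with the same certificate, as Amos's message predicts, while the GnuTLS build should answer each name with its own.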