(SQUID 4.11) SSl_bump Fails on IOS and Android devices


jeremy42nyt

I have compiled and installed SQUID_4.11-3 with SSL and CRTD on Debian 10, and here is my configuration -


##### SQUID.CONF  SNAPSHOT (START) ######

# Manual connection on 3128
http_port 3128

# Standard intercept
http_port 3129 intercept

# intercept & bump SSL connections
# NOTE: dhparams= points at /usr/local/etc/squid/certs/, while the chown/chmod
# commands below operate on /etc/squid/ssl/dhparam.pem; whichever copy is
# referenced here must exist and be readable by the proxy user.
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid-ca-cert-key.pem dhparams=/usr/local/etc/squid/certs/dhparam.pem

sslcrtd_children 5

# Outgoing (proxy-to-origin) TLS: verify origins against the system CA bundle
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

# Pass unrecognised / non-HTTP traffic through as an opaque tunnel instead of erroring
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol tunnel all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Sites that must never be bumped: peek at step2, then splice at step3 on the real server cert
#acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
acl noBumpSites ssl::server_name .app.seesaw.me .schoology.com .dropbox.com

# ssl_bump rules are evaluated in order; the first match at each step wins
ssl_bump peek step1 all
ssl_bump peek step2 noBumpSites
ssl_bump splice step3 noBumpSites
ssl_bump stare step2
ssl_bump bump step3

##### CONFIG SNAPSHOT (END) ######


I created the certificates by doing the following -

openssl dhparam -outform PEM -out dhparam.pem 2048

# Self-signed CA (v3_ca extensions set basicConstraints CA:TRUE) that the client
# devices must trust; the key is unencrypted (-nodes) so Squid can load it unattended
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem

# Squid's cert= option wants cert and key in one PEM file. Use ">" rather than ">>":
# appending on a re-run leaves two cert/key pairs in the file. The combined file
# holds the CA private key, so it needs the same 400 protection as squid-ca-key.pem.
cat squid-ca-cert.pem squid-ca-key.pem > squid-ca-cert-key.pem

# the relative paths below assume the working directory is /etc/squid/ssl
chown proxy:proxy /etc/squid/ssl/dhparam.pem
chown proxy:proxy /etc/squid/ssl/squid-ca-key.pem
chmod 400 dhparam.pem
chmod 400 squid-ca-key.pem
chmod 400 squid-ca-cert-key.pem

# Initialise the on-disk cache of generated host certificates (Squid 4 helper name)
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB

chown -R proxy:proxy /etc/squid/ssl
chown -R proxy:proxy /var/spool/squid/ssl_db

# Prints the subject hash and fingerprint of the first certificate in the system bundle
openssl x509 -hash -fingerprint -noout -in /etc/ssl/certs/ca-certificates.crt


### for my firewall, I issued this

# NAT LAN clients out through eth0 and allow their forwarded traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT

# Let clients reach the three listening ports on the proxy host itself
iptables -A INPUT -j ACCEPT -p tcp --dport 3128 -m comment --comment "squid http proxy"
iptables -A INPUT -j ACCEPT -p tcp --dport 3129 -m comment --comment "squid http proxy (intercept)"
iptables -A INPUT -j ACCEPT -p tcp --dport 3130 -m comment --comment "squid https proxy (intercept)"

# Redirect port 80/443 from the client range to the intercept ports (the proxy is 192.168.10.8)
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 80 -m comment --comment "transparent http proxy" -j DNAT --to-destination 192.168.10.8:3129
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 443 -m comment --comment "transparent https proxy" -j DNAT --to-destination 192.168.10.8:3130


### I can browse https on laptops BUT when I use iOS devices or Android, I get errors with this -

1589083941.053      1 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083941.072      4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.205      5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.860     32 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.232.0:443 - HIER_NONE/- -
1589083941.862      4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083941.864     38 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.983      5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083942.642     20 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083942.645     48 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -


What am I doing wrong? I read everything about ssl_bump, etc. using these links

- https://wiki.squid-cache.org/Features/SslPeekAndSplice
- https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
- http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-6-Transparent-HTTP-amp-HTTPS-Proxy-td4687578.html


If anyone can point to me what's wrong with my squid.conf configuration or can provide me with a working squid.conf for ssl_bump, I will be indebted to you. 


Thanks. 



Jeremy


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: (SQUID 4.11) SSl_bump Fails on IOS and Android devices

Amos Jeffries
Administrator
On 11/05/20 8:26 am, Allan Raymond Ignacio wrote:
> I have compiled and installed SQUID_4.11-3 with SSL, CRTD on debian10
> and here is my configuration - 
>
>
...
>
> ### I can browse https on laptops BUT when I used IOS devices or
> android, I get errors with this -
>
>
> 1589083941.053      1 192.168.10.15 NONE_ABORTED/200 0 CONNECT
> 157.240.18.35:443 - HIER_NONE/- -
>

The client is disconnecting during the TLS handshake. Worth looking into
the TLS traffic to see what is going on, but expect good chances that
cert pinning or TLS/1.3 is being used here.


>
> If anyone can point to me what's wrong with my squid.conf configuration
> or can provide me with a working squid.conf for ssl_bump, I will be
> indebted to you. 
>

Looks like a reasonable config to me.

An always-working config is not possible at this time. TLS is still a
volatile environment and the SSL-Bump features are constantly undergoing
improvements. While some of its behaviours are gaining stability, the
SSL-Bump feature overall is still experimental.

Amos

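Added example (mine, not from the thread): Amos suggests looking at the TLS traffic. The first thing Squid itself sees at SslBump1 is the ClientHello, and the two fields worth reading from a capture are the SNI (which host the device was contacting, so it can go on the noBumpSites list) and the supported_versions extension (whether the client offers TLS 1.3). The parser below reads one raw TLS record as taken from the client side of a capture; build_client_hello is a constructed sample generator so the script runs offline, not real device traffic. A pinning failure is not visible here, because the client only aborts after Squid's generated certificate arrives; what the ClientHello tells you is which host and which TLS versions were in play when it did.

```python
"""Extract SNI, offered TLS versions and ALPN from a raw TLS ClientHello record."""
import struct

TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SNI, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0, 16, 43


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, versions, alpn=(), ciphers=(0x1301, 0x1302, 0xC02B)):
    """CONSTRUCTED sample: a minimal ClientHello in the RFC 8446 4.1.2 layout.
    Real input would be the first record of the client's TCP stream from a capture."""
    sni_b = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(sni_b)) + sni_b       # host_name type 0
    exts = _ext(EXT_SNI, struct.pack("!H", len(name_entry)) + name_entry)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts += _ext(EXT_SUPPORTED_VERSIONS, bytes([len(vers)]) + vers)
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        exts += _ext(EXT_ALPN, struct.pack("!H", len(protos)) + protos)
    body = (struct.pack("!H", 0x0303) + bytes(32)          # legacy_version, random (zeroed here)
            + b"\x00"                                      # empty legacy_session_id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                  # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # TLSPlaintext handshake record


def parse_client_hello(record):
    """Walk the record and return the fields that matter for an SSL-Bump decision."""
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # random
    pos += 1 + body[pos]                        # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression_methods
    info = {"legacy_version": TLS_VERSIONS.get(legacy_version, hex(legacy_version)),
            "cipher_suites": ciphers, "sni": None, "supported_versions": [], "alpn": []}
    if pos >= len(body):
        return info                             # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SNI:                    # ServerNameList: len(2), then type(1) len(2) name
            p = 2
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    info["sni"] = data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        elif etype == EXT_SUPPORTED_VERSIONS:   # len(1), then 2-byte versions
            n = data[0]
            info["supported_versions"] = [TLS_VERSIONS.get(v, hex(v)) for v in
                                          (struct.unpack("!H", data[i:i + 2])[0]
                                           for i in range(1, 1 + n, 2))]
        elif etype == EXT_ALPN:                 # len(2), then len(1)+name entries
            p = 2
            while p < len(data):
                n = data[p]
                info["alpn"].append(data[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return info


def offers_tls13(info):
    """True when the client advertised TLS 1.3 in supported_versions."""
    return "TLS1.3" in info["supported_versions"]


if __name__ == "__main__":
    hello = build_client_hello("app.seesaw.me", [0x0304, 0x0303], alpn=("h2", "http/1.1"))
    summary = parse_client_hello(hello)
    print(summary["sni"], summary["supported_versions"], summary["alpn"], offers_tls13(summary))
```

To use it on real traffic, capture the client side of an intercepted connection (for example with tcpdump on the proxy's LAN interface, port 443) and pass the bytes of the first TLS record the client sends to parse_client_hello; the SNI it returns is the value to put in the ssl::server_name ACL.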
Re: (SQUID 4.11) SSl_bump Fails on IOS and Android devices

jeremy42nyt
Any other suggestions besides TLS, because I need to have this running for my kids' home schooling, as they rely on their iPads (Schoology and Seesaw)?

On Sun, May 10, 2020, 8:00 PM Amos Jeffries <[hidden email]> wrote: