SSL-BUMP 5.0.4 not working as expected


SSL-BUMP 5.0.4 not working as expected

Eliezer Croitoru-3

I am trying to configure 5.0.4 with sslbump to bump only a set of domains.

I am unsure about the right way it should be done.

The basic constraints are POLICY vs a set of rules.

  • Should I bump all connections with exceptions?
  • Should I bump none other than the exceptions?
  • Based on server_name regex and/or server_name domains

Squid Cache: Version 5.0.4-20201125-r5fadc09ee
Service Name: squid
This binary uses OpenSSL 1.1.1g FIPS  21 Apr 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,getpwnam,fake' '--enable-auth-ntlm=fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group,LDAP_group,delayer,file_userip,SQL_session,unix_group,session,time_quota' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--enable-ssl-crtd' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -mtune=generic -fasynchronous-unwind-tables 
-fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld ' 'CXX=g++' 'CXXFLAGS=-O2  -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' --enable-ltdl-convenience

 

 

I have tried the following set of rules:

## START
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl NoBump_server_regex ssl::server_name_regex -i /etc/squid/server-regex.nobump
acl NoBump_server_name ssl::server_name /etc/squid/server-name.nobump

acl NoBump_ALL_regex ssl::server_name_regex -i /etc/squid/all_server-regex.nobump

acl MustBump_server_regex ssl::server_name_regex -i /etc/squid/must_server-regex.bump
acl MustBump_server_name ssl::server_name /etc/squid/must_server-name.bump

ssl_bump peek step1

ssl_bump splice NoBump_server_regex
ssl_bump splice NoBump_server_name

ssl_bump bump MustBump_server_regex
ssl_bump bump MustBump_server_name

ssl_bump splice NoBump_ALL_regex

ssl_bump bump all
##END

But the NoBump rules are not applied.

I tried to understand why squid is bumping despite the explicit splice action.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SSL-BUMP 5.0.4 not working as expected

Amos Jeffries
Administrator
On 3/01/21 9:08 am, ngtech1ltd wrote:

> I am trying to configure 5.0.4 with sslbump to bump only a set of domains.
>
> I am unsure about the right way it should be done.
>
> The basic constrains are POLICY vs a set of rules.
>
>   * Should I bump all connections with exceptions?
>   * Should I bump non else then the exceptions?
>   * Based on server_name regex and/or server_name domains
>

In regards to policy:

Security best-practice is to reject as early as possible. So
transactions that the early bump steps indicate are going to forbidden
places should be rejected immediately on that detection.

For transactions which appear to be not-bad, there is no "best" way.
That depends on your specific setup needs and the side-effects of making
a wrong decision.

I prefer to advise bump'ing at step 3 where the most information is
available for checks and correction of client claims.


...

> I have tried the next set of rules:
>
> ## START
>
> acl step1 at_step SslBump1
>
> acl step2 at_step SslBump2
>
> acl step3 at_step SslBump3
>
> acl NoBump_server_regex ssl::server_name_regex -i
> /etc/squid/server-regex.nobump
>
> acl NoBump_server_name ssl::server_name /etc/squid/server-name.nobump
>
> acl NoBump_ALL_regex ssl::server_name_regex -i
> /etc/squid/all_server-regex.nobump
>
> acl MustBump_server_regex ssl::server_name_regex -i
> /etc/squid/must_server-regex.bump
>
> acl MustBump_server_name ssl::server_name /etc/squid/must_server-name.bump
>
> ssl_bump peek step1
>
> ssl_bump splice NoBump_server_regex
>
> ssl_bump splice NoBump_server_name
>
> ssl_bump bump MustBump_server_regex
>
> ssl_bump bump MustBump_server_name
>
> ssl_bump splice NoBump_ALL_regex
>
> ssl_bump bump all
>
> ##END
>
> But the BoBump are not applied.
>
> I tried to understand why squid is bumping despite the explicit splice
> action.

Note that all these splice/bump rules are being applied at step2. There
is no step3 taking place.


Does your actual config have the required "" marks around those filenames?

Without that all your ACLs will not match (SNI vs name of the file) and
the last "bump all" will be applied.


Amos

Re: SSL-BUMP 5.0.4 not working as expected

Eliezer Croitoru-3
Comments below

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Amos Jeffries
Sent: Sunday, January 3, 2021 9:12 AM
To: [hidden email]
Subject: Re: [squid-users] SSL-BUMP 5.0.4 not working as expected

On 3/01/21 9:08 am, ngtech1ltd wrote:

> I am trying to configure 5.0.4 with sslbump to bump only a set of domains.
>
> I am unsure about the right way it should be done.
>
> The basic constrains are POLICY vs a set of rules.
>
>   * Should I bump all connections with exceptions?
>   * Should I bump non else then the exceptions?
>   * Based on server_name regex and/or server_name domains
>

In regards to policy:

Security best-practice is to reject as early as possible. So
transactions that the early bump steps indicate are going to forbidden
places should be rejected immediately on that detection.

For transactions which appear to be not-bad, there is no "best" way.
That depends on your specific setup needs and the side-effects of making
a wrong decision.

I prefer to advise bump'ing at step 3 where the most information is
available for checks and correction of client claims.


# How to do that? I tried to read the docs at:
https://wiki.squid-cache.org/Features/SslPeekAndSplice

But couldn't understand or grasp how to implement what you are talking about.
#

...

> I have tried the next set of rules:
>
> ## START
>
> acl step1 at_step SslBump1
>
> acl step2 at_step SslBump2
>
> acl step3 at_step SslBump3
>
> acl NoBump_server_regex ssl::server_name_regex -i
> /etc/squid/server-regex.nobump
>
> acl NoBump_server_name ssl::server_name /etc/squid/server-name.nobump
>
> acl NoBump_ALL_regex ssl::server_name_regex -i
> /etc/squid/all_server-regex.nobump
>
> acl MustBump_server_regex ssl::server_name_regex -i
> /etc/squid/must_server-regex.bump
>
> acl MustBump_server_name ssl::server_name /etc/squid/must_server-name.bump
>
> ssl_bump peek step1
>
> ssl_bump splice NoBump_server_regex
>
> ssl_bump splice NoBump_server_name
>
> ssl_bump bump MustBump_server_regex
>
> ssl_bump bump MustBump_server_name
>
> ssl_bump splice NoBump_ALL_regex
>
> ssl_bump bump all
>
> ##END
>
> But the BoBump are not applied.
>
> I tried to understand why squid is bumping despite the explicit splice
> action.

Note that all these splice/bump rules are being applied at step2. There
is no step3 taking place.


Does your actual config have the required "" marks around those filenames?

Without that all your ACLs will not match (SNI vs name of the file) and
the last "bump all" will be applied.

# I didn't understand how to separate the different steps and make the right config which will either allow me to bump or splice.
I want to be able to bump or splice by my acls and I couldn't make this happen.
Either I'm really confused or didn't understand how to do that.
With other software I was able to do that and more, and this is probably why it's so hard for me.

Thanks,
Eliezer


Amos

Re: SSL-BUMP 5.0.4 not working as expected

Alex Rousskov
In reply to this post by Eliezer Croitoru-3
On 1/2/21 3:08 PM, [hidden email] wrote:
> I am trying to configure 5.0.4 with sslbump to bump only a set of domains.

>   * Should I bump all connections with exceptions?
>   * Should I bump non else then the exceptions?
>   * Based on server_name regex and/or server_name domains

Policy-wise, you should bump as little as possible. The rest depends on
your local specifics/goals.

As for implementing any policy, here is a rule of thumb: Workarounds and
exceptions aside, make the splicing-vs-bumping _decision_ during step2:
stare if the transaction matches your bumping policy, and peek
otherwise. Trigger the final splice/bump action during step3 based on
the decision made during step2 (modern Squids will do that for you by
default).

Rationale:

* It is not possible to properly bump at step1 -- Squid usually does not
have enough details (e.g., SNI) to do it properly so early. Thus, it is
usually best to just peek at step1.

* It is not possible to make the splicing-vs-bumping _decision_ during
step3 -- Squid has to know your intent at the end of step2 because the
TLS Hello Squid sends at the beginning of step3 depends on that intent.
Thus, the decision has to be made during the only remaining step -- step2.

* Bumping may work better when Squid mimics the server certificate and
that can only happen during step3. Splicing works well at earlier steps,
but splicing later gives Squid access to the TLS server Hello details
that can be useful for logging/triage. Thus, it may be a good idea to
delay the splice/bump action until step3. Please keep in mind that the
step3 action itself is fully determined by your decision during step2.


> I tried to understand why squid is bumping despite the explicit splice
> action.

Squid bumps either when a bump rule matches OR when Squid decides to
serve an error response to the client. The latter often happens when
your http_access rules deny CONNECT requests, especially during step1.
Examine your http_access rules and study the response to the first
bumped request to confirm that it is a Squid error page.


HTH,

Alex.
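Putting Amos's point about the quoted file names and Alex's rule of thumb (decide at step2 with peek/stare, let step3 carry the decision out) into one squid.conf fragment, as an added example: this is not the original poster's configuration and not a fragment from the Squid project or wiki. The step ACLs, the NoBump/MustBump ACL names and their list files are taken from the first post; the "Forbidden" list, the "localnet" ACL, the log file path and the proxy address in the verification comment are assumptions.

```conf
# Added example, not the original poster's config.
# Policy: bump only what the MustBump lists ask for, splice everything else,
# and cut off forbidden destinations as soon as the SNI shows them.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Amos's point: a file argument must be in double quotes. Without them the
# path is parsed as a literal server name, nothing ever matches, and the
# last ssl_bump rule ends up deciding every connection.
acl NoBump_server_name    ssl::server_name          "/etc/squid/server-name.nobump"
acl NoBump_server_regex   ssl::server_name_regex -i "/etc/squid/server-regex.nobump"
acl MustBump_server_name  ssl::server_name          "/etc/squid/must_server-name.bump"
acl MustBump_server_regex ssl::server_name_regex -i "/etc/squid/must_server-regex.bump"
acl Forbidden             ssl::server_name          "/etc/squid/server-name.terminate"   # assumed list

# Alex's second point: a denied CONNECT (including the fake CONNECT Squid
# synthesises for intercepted port-443 traffic) makes Squid bump in order
# to deliver the error page, whatever the ssl_bump rules say. Make sure
# the CONNECTs you expect are allowed before any deny rule.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet          # assumed: "localnet" is defined elsewhere
http_access deny all

# Step 1: only the CONNECT target (or intercepted IP:port) is known, so the
# name lists cannot be evaluated reliably yet. Just peek to obtain the SNI.
ssl_bump peek step1

# Step 2: the SNI is available and this is the only step at which the
# splice-vs-bump decision can be made. stare means "I will bump",
# peek means "I will splice". Reject first, then exceptions, then policy,
# then the least-bumping default.
ssl_bump terminate step2 Forbidden
ssl_bump peek      step2 NoBump_server_name
ssl_bump peek      step2 NoBump_server_regex
ssl_bump stare     step2 MustBump_server_name
ssl_bump stare     step2 MustBump_server_regex
ssl_bump peek      step2                       # default: bump as little as possible

# Step 3: deliberately no matching rule. With nothing matching at step3 Squid
# bumps a connection it stared at and splices one it peeked at, so the step2
# decision is carried out with the real server certificate in hand (for
# mimicking when bumping, for logging when splicing).

# Verification: log the SNI and the final bumping decision per transaction.
# %ssl::bump_mode shows bump/splice/terminate as Squid actually applied it.
logformat bumplog %ts.%03tu %>a %ssl::>sni %ssl::bump_mode %Ss/%03>Hs
access_log /var/log/squid/bump.log bumplog     # assumed path

# From a client, the certificate issuer tells the same story (explicit-proxy
# mode, proxy address assumed): your bumping CA as issuer means bumped, the
# site's public CA means spliced, and a Squid-signed certificate for a name
# you did not intend to bump points at the http_access error-page case.
#   openssl s_client -proxy 127.0.0.1:3128 -connect example.com:443 \
#       -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -issuer
```

Run `squid -k parse` before reloading, then test one name from each list against the bump.log output: a NoBump name must show splice, a MustBump name bump, and a Forbidden name terminate. If a name that should be spliced shows bump, the next thing to look at is the http_access outcome for its CONNECT, as Alex describes, rather than the ssl_bump rules.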