SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

Schroeffu


Hi Squid Community,

the last weeks it felt that more and more websites are going to be "incompatible" with Squid SSL bump.
Some Websites are not displayed at all and a "403 Forbidden" from their proxy is displayed, others are displayed very ugly because some CSS is missing due to HTTP Error 403 on CSS resources.

Is there any way to tune SSL Bump for less problems with websites?

Here some example websites which are not loading at all with SSL Bump:

- forcepoint.com (Their Proxy displays: 403 forbidden)
- itsg.de (Squid: Connect reset by peer)
- leica-geosystems.com (Bad Request)

Displayed very ugly because CSS Files gots HTTP Error 403 with SSL bump:

- pyur.com
- help.nextcloud.com
- it feels like all websites with Discourse Forums are having problems with ssl bump - css missing, very ugly
- many more

This are only some examples. Who can reproduce this problems with its own SSL Bump Squid? Am I doing something wrong with SSL Bump? Is Squid 5 alerady better for this?

Thanks for any help
Schroeffu

My current cump conf is extremely simple, just the default:

http_port proxy03bs.tld.com:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/subca.crt.pem key=/etc/squid/certs/subca.key.ohnersa.pem
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
ssl_bump bump !domains_dont_sslbump


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

Amos Jeffries
Administrator
On 28/08/20 8:12 pm, [hidden email] wrote:
>
> Hi Squid Community,
>
> the last weeks it felt that more and more websites are going to be
> "incompatible" with Squid SSL bump.

"feelings" aside, that is exactly the situation. SSL-Bump is literally a
security attack on clients traffic. Exactly the thing TLS is designed to
prevent.

As all our official SSL-Bump documentation says very prominently:
  "when used properly TLS cannot be bumped".

There was a long period where very few websites used TLS properly. The
"HTTPS Everywhere" project has forced a lot of sites admin to get
experience with HTTPS and over time more networks are actually starting
to use it properly.

Which version are you using now?


> Some Websites are not displayed at all and a "403 Forbidden" from their
> proxy is displayed, others are displayed very ugly because some CSS is
> missing due to HTTP Error 403 on CSS resources.

"their"? Whose proxy?

If the problem is coming from a proxy that is not yours, contact its'
sysadmin.

>
> Is there any way to tune SSL Bump for less problems with websites?
>

That depends on what you have configured (see below) and whether the
sites you are interested in are capable of being bumped (see above).


> Here some example websites which are not loading at all with SSL Bump:
>
> - forcepoint.com (Their Proxy displays: 403 forbidden)
> - itsg.de (Squid: Connect reset by peer)
> - leica-geosystems.com (Bad Request)
>
> Displayed very ugly because CSS Files gots HTTP Error 403 with SSL bump:
>
> - pyur.com
> - help.nextcloud.com
> - it feels like all websites with Discourse Forums are having problems
> with ssl bump - css missing, very ugly
> - many more
>
> This are only some examples. Who can reproduce this problems with its
> own SSL Bump Squid? Am I doing something wrong with SSL Bump? Is Squid 5
> alerady better for this?
>

Which version are you using now?
Exact version, as shown by squid -v, including OpenSSL library version.


> Thanks for any help
> Schroeffu
>
> My current cump conf is extremely simple, just the default:

FYI; the *default* for SSL-Bump is not to exist. So no your config is
way beyond default, simple as it is.


>
> http_port proxy03bs.tld.com:8080 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/subca.crt.pem
> key=/etc/squid/certs/subca.key.ohnersa.pem
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db
> -M 4MB
> ssl_bump bump !domains_dont_sslbump
>

This performs the bump action without any actual info from the TLS
server being "bumped". So of course you can expect a lot of problems
with that.

A "reliable" (as much as it can be) configuration looks at the TLS
handshake from each endpoint before deciding which details to pass on
and which to change:


 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice domains_dont_sslbump
 ssl_bump stare all
 ssl_bump bump all


Adding in your whitelist of non-bump domains would look like:

 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice domains_dont_sslbump
 ssl_bump stare all
 ssl_bump bump all


HTH
Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users