
SSL Bump issues


SSL Bump issues

mr_jrt
Hello all,

Brief version:
Can't get ssl_bump working to get an old XP system's schannel.dll (i.e. built-in SSL) talking to a TLS 1.2 server, but works with Firefox (which has its own SSL stack).

Long version:
This afternoon's task was to try and solve the issue of an old internal legacy XP system (and thus stuck on TLS 1.0) that can't be upgraded, but needs to be able to speak to servers running TLS 1.2. I've tried several approaches, but using squid with ssl_bump seemed to be the most appropriate solution, but for the life of me, I've not been able to get it to work properly, so was hoping for a few pointers.

The software that needs to run uses the built-in schannel dll, but it can have a proxy specified, so things don't have to be transparent, ...but it does get stuck with all the limitations of the ancient schannel dll. Does however mean I can use the system's IE for testing.

First up, I'm running Debian on my squid server. That means the distro packages don't have ssl support compiled in, so I had to compile my own packages. The version is 3.5.23, and the relevant configure output is:

Squid Cache: Version 3.5.23
Service Name: squid
Debian linux
configure options:  '--build=i686-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/usr/local/src/squid3-3.5.23=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Debian linux' '--enable-linux-netfilter' 'build_alias=i686-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/usr/local/src/squid3-3.5.23=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/usr/local/src/squid3-3.5.23=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

I had to compile against the older version of openssl due to the changes in their locking API, so I installed https://packages.debian.org/stretch/libssl1.0-dev, which enabled me to compile successfully.

I've looked at countless examples, i.e. http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

...but the only way I've got any successful SSL proxying is with:
http_access allow all
http_port 32123 ssl-bump cert=/etc/ssl/certs/jamie-thompson.co.uk.pem generate-host-certificates=on dynamic_cert_mem_cache_size=8MB

...but as expected, that's clearly not doing any bumping from the logs:
WARNING: No ssl_bump configured. Disabling ssl-bump on http_port
1489970297.321   6002 <s_ip> TCP_TUNNEL/200 882 CONNECT <target_host>:443 - HIER_DIRECT/<target_ip> -

When I put anything more in, i.e.
ssl_bump bump all

Then it turns on the mode:
Accepting SSL bumped HTTP Socket connections at local=[::]:<port> remote=[::] FD 22 flags=9

...but then I just get errors about no ciphers:
Error negotiating SSL connection on FD 10: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (1/-1)

I have a test site I'm using that I can fiddle with the ciphers on, and I can access it fine from the legacy system directly when I enable the old stuff (TLS 1.0, etc), but even then it seems to be squid's encryption (or maybe, decryption from the client?) that isn't working as it still won't connect regardless of what I try.

Even if I throw in an explicit list of ciphers, copied from the target server (incidentally, the same host as squid, if that's relevant), still nada.

Interestingly, ssl_bump seems to work perfectly fine from Firefox from the same machine, even when crippled down to TLS 1.0 only with the server set to restrict to TLS 1.2. So it seems to be doing what I want, just not for schannel.dll? I'm suspecting that openssl as used by squid can't speak any ciphers that schannel can, so it seems the issue isn't actually between squid and the target server, but between squid and the old client...
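A small triage helper for the two log lines quoted in the post (added here as an example; it is not squid code and not part of the original message). It unpacks the OpenSSL error code squid printed (error:1408A0C1:...) into its library/function/reason fields, reports which TLS leg the error belongs to (ssl3_get_client_hello runs on the side that accepts a handshake, so a "no shared cipher" there is squid rejecting the client's ClientHello, not the origin rejecting squid), and flags access.log lines where a CONNECT was merely tunneled (TCP_TUNNEL) rather than bumped. The sample log lines are the ones from the post; the probe() function at the end takes whatever host and port you give it (placeholders, nothing from the thread) and tries a handshake limited to TLS 1.0 and RSA key exchange, which is roughly what an unpatched XP schannel can offer, so you can test the client leg against the bump port and the server leg against the origin separately.

```python
"""Triage helper for squid ssl_bump 'no shared cipher' / TCP_TUNNEL symptoms.

Added example, not part of squid or of the original post. Assumptions are
marked inline; host/port passed to probe() are placeholders.
"""
import re
import socket
import ssl

# OpenSSL 1.0.x packs an error as (lib << 24) | (func << 12) | reason.
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:(]+)"
)

# Assumption: these OpenSSL function names run on the side that accepts a
# handshake (squid acting as TLS server to the old client) ...
SERVER_SIDE_FUNCS = {"ssl3_get_client_hello", "ssl3_accept", "ssl23_get_client_hello"}
# ... and these on the side that initiates one (squid as TLS client to origin).
CLIENT_SIDE_FUNCS = {"ssl3_get_server_hello", "ssl3_connect", "ssl23_connect"}

# squid access.log: "... <client> STATUS/HTTPCODE SIZE METHOD URL ..."
ACCESS_RE = re.compile(
    r"\s(?P<status>[A-Z_]+)/(?P<http>\d{3})\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Log lines as quoted in the post above (the poster redacted hosts/IPs).
CACHE_LOG_LINES = [
    "WARNING: No ssl_bump configured. Disabling ssl-bump on http_port",
    "Accepting SSL bumped HTTP Socket connections at local=[::]:<port> remote=[::] FD 22 flags=9",
    "Error negotiating SSL connection on FD 10: error:1408A0C1:SSL routines:"
    "ssl3_get_client_hello:no shared cipher (1/-1)",
]
ACCESS_LOG_LINES = [
    "1489970297.321   6002 <s_ip> TCP_TUNNEL/200 882 CONNECT <target_host>:443 - HIER_DIRECT/<target_ip> -",
]


def parse_openssl_error(line):
    """Return the OpenSSL error fields found in a cache.log line, or None."""
    m = OPENSSL_ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "code": m.group("code").upper(),
        "lib_id": code >> 24,              # 0x14 = SSL library
        "func_id": (code >> 12) & 0xFFF,   # 0x08A = ssl3_get_client_hello
        "reason_id": code & 0xFFF,         # 0x0C1 = no shared cipher
        "lib": m.group("lib"),
        "func": m.group("func"),
        "reason": m.group("reason").strip(),
    }


def which_leg_failed(err):
    """Map a parsed OpenSSL error to the TLS leg that broke."""
    if err is None:
        return "unknown"
    if err["func"] in SERVER_SIDE_FUNCS:
        return "client<->squid"
    if err["func"] in CLIENT_SIDE_FUNCS:
        return "squid<->origin"
    return "unknown"


def classify_access_line(line):
    """'tunneled' = CONNECT passed through untouched; 'bumped' = squid logged
    the decrypted inner request with a full https:// URL; else 'other'."""
    m = ACCESS_RE.search(line)
    if not m:
        return "other"
    if m.group("method") == "CONNECT" and m.group("status").startswith("TCP_TUNNEL"):
        return "tunneled"
    if m.group("method") != "CONNECT" and m.group("url").startswith("https://"):
        return "bumped"
    return "other"


def triage(cache_log_lines, access_log_lines):
    """Collect human-readable findings from both logs."""
    findings = []
    for line in cache_log_lines:
        if "No ssl_bump configured" in line:
            findings.append("no ssl_bump rule: ssl-bump on http_port is inert, expect TCP_TUNNEL")
        err = parse_openssl_error(line)
        if err:
            findings.append(f"{err['reason']} in {err['func']}: failing leg is {which_leg_failed(err)}")
    for line in access_log_lines:
        if classify_access_line(line) == "tunneled":
            findings.append("CONNECT was tunneled, not bumped")
    return findings


def probe(host, port, max_version=ssl.TLSVersion.TLSv1, ciphers="RSA:!aNULL:!eNULL"):
    """Try one handshake with the limits an old schannel client is stuck with.
    Returns ('ok', protocol, cipher) or ('fail', error text). Certificate
    checking is off because only the handshake is being diagnosed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = max_version
        ctx.set_ciphers(ciphers)  # may itself fail on builds that dropped these
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.version(), tls.cipher()[0])
    except (ssl.SSLError, OSError, ValueError) as exc:
        return ("fail", str(exc))


if __name__ == "__main__":
    for finding in triage(CACHE_LOG_LINES, ACCESS_LOG_LINES):
        print(finding)
```

Run it against your own logs by replacing the two sample lists; if probe() against the bump port fails with the same "no shared cipher" while the same probe against the origin succeeds, the cipher list squid's http_port offers to clients is the thing to adjust, not the one it uses towards the origin.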

Re: SSL Bump issues

Tim Bates
Ignoring the Squid part, is it TLS 1.2 that's the root problem, or the ciphers?
Are you aware XP schannel.dll has some ciphers and protocols disabled by default, even though they're supported?

See here:
https://support.microsoft.com/en-au/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll

TB


On 20/03/2017 12:58 PM, mr_jrt wrote:

> Hello all,
>
> Brief version:
> Can't get ssl_bump working to get an old XP system's schannel.dll (i.e.
> built-in SSL) talking to a TLS 1.2 server, but works with Firefox (which has
> its own SSL stack).
>
> Long version:
> This afternoon's task was to try and solve the issue of an old internal
> legacy XP system (and thus stuck on TLS 1.0) that can't be upgraded, but
> needs to be able to speak to servers running TLS 1.2. I've tried several
> approaches, but using squid with ssl_bump seemed to be the most appropriate
> solution, but for the life of me, I've not been able to get it to work
> properly, so was hoping for a few pointers.
>
> The software that needs to run uses the built-in schannel dll, but it can
> have a proxy specified, so things don't have to be transparent, ...but it
> does get stuck with all the limitations of the ancient schannel dll. Does
> however mean I can use the system's IE for testing.
>
> First up, I'm running Debian on my squid server. That means the distro
> packages don't have ssl support compiled in, so I had to compile my own
> packages. The version is 3.5.23, and the relevant configure output is:
>
>
>
> I had to compile against the older version of openssl due to the changes in
> their locking API, so I installed
> https://packages.debian.org/stretch/libssl1.0-dev, which enabled me to
> compile successfully.
>
> I've looked at countless examples, i.e.
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>
> ...but the only way I've got any successful SSL proxying is with:
>
>
> ...but as expected, that's clearly not doing any bumping from the logs:
>
>
>
> When I put anything more in, i.e.
>
>
> Then it turns on the mode:
>
>
> ...but then I just get errors about no ciphers:
>
>
> I have a test site I'm using that I can fiddle with the ciphers on, and I
> can access it fine from the legacy system directly when I enable the old
> stuff (TLS 1.0, etc), but even then it seems to be squid's encryption (or
> maybe, decryption from the client?) that isn't working as it still won't
> connect regardless of what I try.
>
> Even if I throw in an explicit list of ciphers, copied from the target
> server (incidentally, the same host as squid, if that's relevant), still
> nada.
>
> Interestingly, ssl_bump seems to work perfectly fine from Firefox from the
> same machine, even when crippled down to TLS 1.0 only with the server set to
> restrict to TLS 1.2. So it seems to be doing what I want, just not for
> schannel.dll? I'm suspecting that openssl as used by squid can't speak any
> ciphers that schannel can, so it seems the issue isn't actually between
> squid and the target server, but between squid and the old client...
>
>
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-issues-tp4681843.html
> Sent from the Squid - Users mailing list archive at Nabble.com.
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>


Re: SSL Bump issues

Alex Rousskov
In reply to this post by mr_jrt
On 03/19/2017 07:58 PM, mr_jrt wrote:

> ...but the only way I've got any successful SSL proxying is with:
>
>
> ...but as expected, that's clearly not doing any bumping from the logs:
>
>
>
> When I put anything more in, i.e.
>
>
> Then it turns on the mode:
>
>
> ...but then I just get errors about no ciphers:
>

Please note that your configuration and other details in the post did not get through to the mailing list (probably due to some fancy quoting provided by Nabble that does not get through to the actual squid-users mailing list).

Alex.
