Squid 3.5.27 - While access https website, always "Your connection is not secure"


fourirakbar
Maybe this is the same as this topic
<http://squid-web-proxy-cache.1019090.n4.nabble.com/option-to-auto-recreate-the-ssl-db-td4682130.html>,
but now I use squid version 3.5.27.

Here is my squid version
Squid Cache: Version 3.5.27
Service Name: squid
Ubuntu linux

This binary uses OpenSSL 1.0.2g  1 Mar 2016. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g
-O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security
-Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -fPIE -pie
-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CXX=g++' 'CC=gcc'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline'
'--disable-arch-native' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper'
'--enable-auth-ntlm=fake,smb_lm'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--with-openssl'
'--enable-ssl' '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux'
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2
-fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall'
'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now
-Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-fPIE -fstack-protector-strong -Wformat -Werror=format-security'


I also followed this tutorial: Dynamic SSL Cert
<https://wiki.squid-cache.org/Features/DynamicSslCert> from the squid wiki.

*And my squid.conf*
    acl SSL_ports port 443
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 445 # windows update
    acl CONNECT method CONNECT

    http_port 3128 ssl-bump \
        cert=/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    http_port 3129 intercept

    https_port 3130 intercept ssl-bump \
        cert=/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    http_access allow  all

    always_direct allow all
    ssl_bump server-first all

    sslproxy_flags DONT_VERIFY_PEER

    # Just try to open instagram.com, but it also can't work. Same problem
    # acl whitelist ssl::server_name .instagram.com
    # acl step1 at_step SslBump1
    # ssl_bump peek step1
    # ssl_bump splice whitelist
    # ssl_bump bump all

    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports

    cache_mem 512 MB
    cache_swap_low 98
    cache_swap_high 99

    refresh_pattern ^ftp:           1440    20%     10080
    refresh_pattern ^gopher:        1440    0%      1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
    refresh_pattern .               0       20%     4320

    #sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
    #sslcrtd_children 5

    shutdown_lifetime 8 second

    visible_hostname X450LD


Now I try to open https://about.gitlab.com

*There is an error in the cache log:*
   ssl_crtd helper database '/var/lib/ssl_db' failed: Failed to open file /var/lib/ssl_db/index.txt

In the browser (I use Firefox), it shows an error "your connection is not
secure". I tried adding an exception and viewing the certificate details. It
shows like the picture below
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/gitlab5.png>

And I compared with another client whose traffic does not go through my squid proxy
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/gitlab4.png>

It's different. How can I solve this?
Thank you very much

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 3.5.27 - While access https website, always "Your connection is not secure"

Amos Jeffries
Administrator
On 28/04/18 20:56, fourirakbar wrote:

> Maybe this is the same as this topic
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/option-to-auto-recreate-the-ssl-db-td4682130.html>,
> but now I use squid version 3.5.27.
>
> Here is my squid version
> Squid Cache: Version 3.5.27
> Service Name: squid
> Ubuntu linux
>
> This binary uses OpenSSL 1.0.2g  1 Mar 2016. For legal restrictions on
> distribution see https://www.openssl.org/source/license.html
>
...
>
> I also followed this tutorial: Dynamic SSL Cert
> <https://wiki.squid-cache.org/Features/DynamicSslCert> from the squid wiki.
>
> *And my squid.conf*
...

>
>     http_port 3128 ssl-bump \
>         cert=/etc/squid/ssl_cert/myCA.pem \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
>     http_port 3129 intercept
>
>     https_port 3130 intercept ssl-bump \
>         cert=/etc/squid/ssl_cert/myCA.pem \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
>     http_access allow  all

A bad idea. This disables ALL HTTP layer protections on traffic going
through this proxy.

>
>     always_direct allow all

There is no need for this always_direct.

>     ssl_bump server-first all

This is deprecated.

From <https://wiki.squid-cache.org/Features/SslPeekAndSplice> :
"
Old Squid-3.3 style bumping: Establish a secure connection with the
server first, then establish a secure connection with the client, using
a mimicked server certificate.

Does not support peeking, which causes various problems.

When used for intercepted traffic SNI is not available and the server
raw-IP will be used in certificates.
"

Also, the below DONT_VERIFY_PEER prevents Squid from checking that any
of those server details are in any way valid.

>
>     sslproxy_flags DONT_VERIFY_PEER

This disables all TLS/SSL security.

In short, do not do any of the above lines up to and including
"http_access allow all". 'insecure' is the least of your worries with
this as it currently is.

>
>     # Just try to open instagram.com, but it also can't work. Same problem

Please explain "can't work". The below config *does not* have any Squid
involvement with instagram traffic - it is spliced. Which means it acts
exactly as if the proxy were not even there, the TLS is ONLY between the
client and server.

Also, if you leave the server-first stuff above this it takes priority
and none of the below will actually happen.

>     # acl whitelist ssl::server_name .instagram.com
>     # acl step1 at_step SslBump1
>     # ssl_bump peek step1
>     # ssl_bump splice whitelist
>     # ssl_bump bump all
>
>     http_access deny !Safe_ports
>     http_access deny CONNECT !SSL_ports
>

You do not have any rules permitting access to HTTP(S) traffic here.
Please at least limit the traffic through the proxy to your LAN ranges,
if not something better.

...

>
>     #sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
>     #sslcrtd_children 5
>
>     shutdown_lifetime 8 second
>
>     visible_hostname X450LD
>
>
> Now I try to open https://about.gitlab.com
>
> *There is an error in the cache log:*
>    ssl_crtd helper database '/var/lib/ssl_db' failed: Failed to open file /var/lib/ssl_db/index.txt
>
> In the browser (I use Firefox), it shows an error "your connection is not
> secure". I tried adding an exception and viewing the certificate details. It
> shows like the picture below
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/gitlab5.png>
>
> And I compared with another client whose traffic does not go through my squid proxy
> <http://squid-web-proxy-cache.1019090.n4.nabble.com/file/t377437/gitlab4.png>
>
> It's different. How can I solve this?

The Browser needs to trust the CA "Internet Widgets Pty Ltd". One
assumes that is the name of the issuer CA you created and put in
/etc/squid/ssl_cert/myCA.pem.

This is why all our tutorials at some point mention** the requirement to
add your custom CA to the client machine/software. SSL-Bump decryption
(bump, client-first and server-first actions) *will not* work without
that having been done. If you do not do that part the result is exactly
what you see happening.


** If any don't, that is an oversight; please let us know.

Amos

Re: Squid 3.5.27 - While access https website, always "Your connection is not secure"

fourirakbar
Thank you Amos.

> In short, do not do any of the above lines up to and including
> "http_access allow all". 'insecure' is the least of your worries with
> this as it currently is

The reason I use http_access allow all is so that at least I can access https websites
first. Then I will certainly use ACLs, and will not use http_access allow all again.

> The Browser needs to trust the CA "Internet Widgets Pty Ltd". One
> assumes that is the name of the issuer CA you created and put in
> /etc/squid/ssl_cert/myCA.pem.

> This is why all our tutorials at some point mention** the requirement to
> add your custom CA to the client machine/software. SSL-Bump decryption
> (bump, client-first and server-first actions) *will not* work without
> that having been done. If you do not do that part the result is exactly
> what you see happening.

So how do I make the correct configuration in squid to let clients access https
websites? I've been struggling with this configuration.

Thank you very much




Re: Squid 3.5.27 - While access https website, always "Your connection is not secure"

Amos Jeffries
Administrator
On 29/04/18 15:52, fourirakbar wrote:
>
> So how do I make the correct configuration in squid to let clients access https
> websites? I've been struggling with this configuration.

The second block of config settings you had using peek/splice/bump
looked okay to me. It was just the "server-first" line probably causing
issues by its very existence.

(sorry for the slow reply, been a busy week IRL)
Amos
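The configuration points Amos raises across both replies (http_access allow all placed ahead of the deny rules, the deprecated server-first line taking priority over the peek/splice/bump rules below it, and DONT_VERIFY_PEER switching off server certificate validation) as an added example that is not from the thread or the Squid project: a POSIX shell audit run over a constructed copy of the posted squid.conf fragment, next to a reordered fragment that passes. The LAN range 192.168.0.0/16 in the fixed fragment is an assumed value.

```shell
# Constructed sample: the squid.conf fragment from the thread (not a real file).
SAMPLE_CONF='acl SSL_ports port 443
acl CONNECT method CONNECT
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on
http_access allow all
ssl_bump server-first all
sslproxy_flags DONT_VERIFY_PEER
acl whitelist ssl::server_name .instagram.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all
http_access deny CONNECT !SSL_ports'

# Same intent, reordered as the thread advises: deny rules first, access limited to a
# LAN ACL (192.168.0.0/16 is an assumed range), server-first and DONT_VERIFY_PEER gone.
FIXED_CONF='acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on
acl whitelist ssl::server_name .instagram.com
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all'

# audit_squid_conf: reads squid.conf text on stdin, prints one finding per line and
# exits with the number of findings (0 means nothing was flagged).
audit_squid_conf() {
  awk '
    { sub(/#.*/, "") }                                   # drop comments
    NF == 0 { next }                                     # skip blank lines
    $1 == "http_access" && $2 == "allow" && $3 == "all" {
      print "line " NR ": http_access allow all admits every client; allow only LAN ACLs"; n++; aa = 1 }
    $1 == "http_access" && $2 == "deny" && aa {
      print "line " NR ": http_access deny after allow all never matches"; n++ }
    $1 == "ssl_bump" && $2 == "server-first" {
      print "line " NR ": ssl_bump server-first is deprecated and wins over later rules"; n++; sf = 1 }
    $1 == "ssl_bump" && $2 != "server-first" && sf {
      print "line " NR ": ssl_bump " $2 " rule is unreachable after server-first"; n++ }
    $1 == "sslproxy_flags" && /DONT_VERIFY_PEER/ {
      print "line " NR ": DONT_VERIFY_PEER disables server certificate validation"; n++ }
    END { exit n + 0 }
  '
}
if printf '%s\n' "$SAMPLE_CONF" | audit_squid_conf; then echo "sample: clean"; else echo "sample: $? finding(s)"; fi
```

The cache.log complaint about /var/lib/ssl_db/index.txt is a separate problem this audit does not check: the helper database has to be created before Squid starts (with Squid 3.5's ssl_crtd -c -s <dir>), and the browser still has to trust the CA in myCA.pem as Amos describes.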