Squid 4.5 and intermediate CA


Squid 4.5 and intermediate CA

FredB-2

Hi all,

I'm testing squid 4.5 and facing two issues with intermediate CA download.

At first there is no source IP and I don't know how to allow this kind of request with an identification acl:

172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 407 4442 447 TCP_DENIED:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" -
- - - [15/Jan/2019:16:34:51 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 407 3536 0 TCP_DENIED:HIER_NONE "-" -
172.23.0.9 - user2 [15/Jan/2019:16:34:51 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" bump

As you can see the request to letsencrypt is denied because basic authentication is needed; how can I make a global ACL that allows requests from squid? I tested 127.0.0.1 and local addresses but without any success.

So for testing purpose I removed my identification rules

Now Squid can get the certificate

- - - [15/Jan/2019:16:33:43 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 200 9737 0 NONE:HIER_NONE "-" -
172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" bump
172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "GET https://bugs.squid-cache.org/ HTTP/1.1" 503 353 349 NONE:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" -

Cache.log

ssl3_get_server_certificate:certificate verify failed (1/-1/0)

Am I missing something?

Thanks

FredB



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 4.5 and intermediate CA

Eliezer Croitoru

There should be a new acl named “certificate-fetching”

So I assume you can use something like:

acl certfetch transaction_initiator certificate-fetching

http_access allow certfetch

Eliezer

----

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


Re: Squid 4.5 and intermediate CA

FredB-2
Hi Eliezer

It's just what I'm seeing and it works well, so with fetched_certificate
rule the first point is now fixed




Re: Squid 4.5 and intermediate CA

FredB-2
Now squid can get directly the intermediate CA as a browser does, it's a
very interesting feature to me

Maybe I'm missing something, but I can see the request from squid now (with squid 4), it's a good point. My sslbump config is very basic, perhaps too basic:

acl step1 at_step SslBump1

ssl_bump peek step1 all

ssl_bump splice nobump -> just simple acl dstdomain

ssl_bump splice nobump



Re: Squid 4.5 and intermediate CA

Alex Rousskov
On 1/15/19 8:59 AM, FredB wrote:

> I'm testing squid 4.5 and facing two issues with intermediate CA download
>
> At first there is no source IP and I don't know how to allow this kind
> of requests with an identification acl

How about using transaction_initiator ACL to identify requests generated
by Squid? This will not solve your
"ssl3_get_server_certificate:certificate verify failed (1/-1/0)"
problem, of course, but at least you would not have to disable
authentication.

Alex.
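An added squid.conf fragment, not from the thread, showing where the transaction_initiator rule that Eliezer and Alex mention sits relative to an authentication rule set; the ACL names and the auth helper path are assumptions.

```squid
# Constructed example: let only Squid's own certificate-fetching
# transactions past the authentication wall; every client request still
# needs credentials. http_access is first-match, so order matters.

# Helper path is an assumption; use whatever your auth scheme already uses.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Requests Squid generates itself while fetching a missing intermediate CA.
# They carry no client IP and no credentials, so src/proxy_auth ACLs can
# never match them; the initiator is the only reliable handle.
acl certfetch transaction_initiator certificate-fetching

acl Safe_ports port 80 443
http_access deny !Safe_ports

# Keep this narrow: allow the certificate-fetching initiator only, not
# "internal" or "all", and place it BEFORE the rule that issues the 407.
http_access allow certfetch
http_access deny !authenticated
http_access allow authenticated
http_access deny all
```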

Re: Squid 4.5 and intermediate CA

FredB-2

Yes it works, my first issue is now resolved

There is a 200 when automatic download occurs, so this part is good

Unfortunately there is still a 503 code at the third request; is a specific bump configuration needed?

- - - [15/Jan/2019:16:33:43 +0100] "GET http://cert.int-x3.letsencrypt.org/ HTTP/1.1" 200 9737 0 NONE:HIER_NONE "-" -
172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "CONNECT bugs.squid-cache.org:443 HTTP/1.1" 200 0 447 NONE:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" bump
172.23.0.9 - - [15/Jan/2019:16:33:43 +0100] "GET https://bugs.squid-cache.org/ HTTP/1.1" 503 353 349 NONE:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0" -






Re: Squid 4.5 and intermediate CA

Amos Jeffries
On 16/01/19 8:30 pm, FredB wrote:
> Yes it works, my first issue is now resolved
>
> There is a 200 when automatic download occurs, so this part is good
>
> Unfortunately still there is a code 503 at the third request, a specific
> bump configuration is needed ? 
>

Have you double-checked that the certificate our server you are testing
against is presenting does actually validate using the CA chain
LetsEncrypt is currently presenting to your server at the D/L URL?

We have had a number of times when the update tools they provide fail to
set the server cert properly and it gets a non-validating one.

Amos

Re: Squid 4.5 and intermediate CA

FredB-2
Hi Amos,

Yes it works, and I guess I found where the problem is: this is a
pkix-cert mime type and I wonder, but maybe I'm wrong, whether Squid can't
use the file.

openssl x509 -inform DER -in myfile shows the CA as a text file; after
that I can use the CA file with a browser unable to download the CA (wget for
example).

Perhaps this is a "bug" because pkix-cert is used by browsers (or
client software) to automatically add CAs.

https://www.iana.org/assignments/media-types/application/pkix-cert

FredB
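Amos's check (does the server certificate actually validate with the chain served at the download URL?) and FredB's DER observation, as an added example that is not from the thread: a throwaway root/intermediate/leaf PKI is constructed locally, the intermediate is written out as DER the way an application/pkix-cert download arrives, and openssl verify is run with and without it. All names are constructed; the only requirement is a working openssl binary.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf. The intermediate is
# then written out in DER, as an application/pkix-cert download delivers it.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Extensions marking the intermediate as a CA (needed to build the chain)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$work/ca.ext"

# 1. Self-signed root, standing in for the system trust store
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root" \
  -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
# 2. Intermediate signed by the root
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate" \
  -keyout "$work/int.key" -out "$work/int.csr" 2>/dev/null
openssl x509 -req -in "$work/int.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
  -CAcreateserial -days 2 -sha256 -extfile "$work/ca.ext" -out "$work/int.pem" 2>/dev/null
# 3. Leaf (the server certificate) signed by the intermediate
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=demo.example" \
  -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
openssl x509 -req -in "$work/leaf.csr" -CA "$work/int.pem" -CAkey "$work/int.key" \
  -CAcreateserial -days 2 -sha256 -out "$work/leaf.pem" 2>/dev/null
# 4. The "fetched" intermediate: raw DER, no PEM armour
openssl x509 -in "$work/int.pem" -outform DER -out "$work/fetched.der"

# verify_with_fetched LEAF FETCHED_DER ROOT -> prints OK or FAIL.
# Converts the DER download to PEM (FredB's openssl x509 -inform DER step)
# and uses it only as an untrusted chain element; trust comes from ROOT alone.
verify_with_fetched() {
  openssl x509 -inform DER -in "$2" -out "$2.pem" 2>/dev/null
  if openssl verify -CAfile "$3" -untrusted "$2.pem" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# verify_direct LEAF ROOT -> prints OK or FAIL. Same check without the
# intermediate: what a client (or Squid) sees when the server omits its
# chain and the intermediate could not be fetched.
verify_direct() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

echo "with fetched intermediate: $(verify_with_fetched "$work/leaf.pem" "$work/fetched.der" "$work/root.pem")"   # OK
echo "leaf against root only:    $(verify_direct "$work/leaf.pem" "$work/root.pem")"   # FAIL
```

Against a real server, replace the constructed leaf with the certificate shown by openssl s_client and the DER file with what the download URL returns; a FAIL in the first check means the served certificate does not chain to that intermediate at all.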



Re: Squid 4.5 and intermediate CA

Eliezer Croitoru
There is no way to automatically add a ROOT CA into browsers or software....
If software does that it's only based on pre-defined rules.
At my page:
http://ngtech.co.il/static/myCA/autoinstaller/

There are three examples and one of them is for linux (Ubuntu,Debian,CentOS).

You can see the right mime headers for the der(also cer) and pem formats.
(use curl...)

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



Re: Squid 4.5 and intermediate CA

FredB-2
Hi,

I'm speaking about an intermediate CA (not root) with squid as client:
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-and-missing-intermediate-certs-td4684653.html

Not directly related: how do you usually update your root CA for squid?
I'm just using the ca-certificate directory from my system and it seems
pretty outdated (Debian 9). Is there a link somewhere, for example, for
using the latest Mozilla CA in Squid?

FredB

