Squid 4.x acl server_cert_fingerprint for bump no matches


Squid 4.x acl server_cert_fingerprint for bump no matches

David Touzeau-3

Hi, I'm trying to play with the "server_cert_fingerprint" acl for splicing websites.

First, get the fingerprint:

openssl s_client -host www.clubic.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout


# Build the acl

acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9


# I want Squid to not bump this fingerprint.

acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step1
ssl_bump splice TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all

But browsing the website still receives the Squid certificate and not the original one.
It seems the TestFinger acl does not match in any case.

Am I wrong somewhere?


Regards.



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 4.x acl server_cert_fingerprint for bump no matches

David Touzeau-3

Thanks Alex, I made this one on Squid 4.10:


acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
ssl_bump peek ssl_step2
ssl_bump splice ssl_step3 TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all

But no luck, the website is still decrypted.




On 13/05/2020 at 21:33, Alex Rousskov wrote:
> On 5/12/20 7:42 AM, David Touzeau wrote:
>> ssl_bump peek ssl_step1
>> ssl_bump splice TestFinger
>> ssl_bump stare ssl_step2 all
>> ssl_bump bump all
>>
>> Seems TestFinger Acls did not matches in any case
>
> You are trying to use step3 information (i.e., the server certificate)
> during SslBump step2: The "splice TestFinger" line is tested during
> step2 and mismatches because the server certificate is still unknown
> during that step. That mismatch results in Squid staring during step2.
> The "splice TestFinger" line is not tested during step3 because splicing
> is not possible after staring. Thus, Squid reaches "bump all" and bumps.
>
> For a detailed description of what happens (and what information is
> available) during each SslBump step, please see
> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>
> Also, if you are running v4.9 or earlier, please upgrade. We fixed one
> server_cert_fingerprint bug, and that fix became a part of the v4.10
> release (commit e0eca4c).
>
>
> HTH,
>
> Alex.



Re: Squid 4.x acl server_cert_fingerprint for bump no matches

Amos Jeffries
On 15/05/20 7:28 pm, David Touzeau wrote:
> Thanks alex, made this one on squid 4.10
>
> acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9

Is that a SHA1 fingerprint or a newer algorithm?

AFAIK only SHA1 is supported by Squid currently.

Also, it is matched against what the server SSL certificate contains. So
that has to be a SHA1 fingerprint as well.

Amos
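Amos's question (SHA1 or a newer digest?) can be answered from the fingerprint string itself: `openssl x509 -fingerprint` prints the digest as colon-separated bytes, so a 20-byte value is SHA1 while a SHA256 fingerprint would be 32 bytes. The following Python is an added example, not Squid or OpenSSL code; the function names are my own, and the PEM sample is constructed filler, not a real certificate.

```python
"""Check which digest a certificate fingerprint was produced with, and compute
Squid-style SHA1 fingerprints from DER or PEM certificate bytes.

Added example, not Squid or OpenSSL code. Squid's server_cert_fingerprint ACL
compares SHA1 fingerprints (as this thread says), in the colon-separated
uppercase form that `openssl x509 -fingerprint` prints by default.
"""
import base64
import hashlib
import re
import ssl

# Digest length in bytes -> algorithm name, for the digests openssl can print.
DIGEST_BY_LENGTH = {16: "MD5", 20: "SHA1", 32: "SHA256", 48: "SHA384", 64: "SHA512"}
_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_fingerprint(text):
    """Return the digest bytes of an 'AA:BB:...' string (optionally prefixed with
    'SHA1 Fingerprint=' as openssl prints it), or None if it is malformed."""
    body = text.strip().split("=", 1)[-1]
    parts = body.split(":")
    if not all(_HEX_PAIR.match(p) for p in parts):
        return None
    return bytes(int(p, 16) for p in parts)


def fingerprint_algorithm(text):
    """Name the hash from the fingerprint's length; Squid needs 'SHA1'."""
    digest = parse_fingerprint(text)
    return None if digest is None else DIGEST_BY_LENGTH.get(len(digest))


def squid_fingerprint(der_bytes):
    """SHA1 fingerprint of a DER-encoded certificate in Squid/openssl notation."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der_bytes).digest())


def fingerprint_from_pem(pem_text):
    """Same as squid_fingerprint, for a PEM certificate as saved from s_client."""
    return squid_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def check_acl_line(line):
    """Validate one 'acl NAME server_cert_fingerprint FP' squid.conf line.
    Returns (ok, message)."""
    words = line.split()
    if len(words) != 4 or words[0] != "acl" or words[2] != "server_cert_fingerprint":
        return False, "not a server_cert_fingerprint acl line"
    algo = fingerprint_algorithm(words[3])
    if algo == "SHA1":
        return True, f"{words[1]}: SHA1 fingerprint, Squid can match it"
    return False, f"{words[1]}: {algo or 'malformed'} fingerprint, Squid compares SHA1 only"


# Constructed sample: base64 of arbitrary bytes wrapped in PEM markers. It is
# not a certificate; it only exercises the PEM path offline.
SAMPLE_DER = b"constructed, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(check_acl_line("acl TestFinger server_cert_fingerprint "
                         "77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9"))
    print(fingerprint_algorithm("SHA1 Fingerprint=2A:F4:A6:8E:31:15:AD:A5:52:A9:5F:03:80:42:BE:CA:01:12:2C:E7"))
```

Run `check_acl_line` over the acl lines in squid.conf before reloading: a value produced with `-sha256` is rejected immediately instead of silently never matching. The thread's own fingerprint is 20 bytes, so the digest is not the problem in this case.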

Re: Squid 4.x acl server_cert_fingerprint for bump no matches

Alex Rousskov
On 5/15/20 3:28 AM, David Touzeau wrote:

> acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
> ssl_bump peek ssl_step2
> ssl_bump splice ssl_step3 TestFinger
> ssl_bump stare ssl_step2 all
> ssl_bump bump all

> But no luck, website still decrypted.

That should be expected: During step1, the only ssl_bump rule that
matches now is ... "bump all".

Also, you have two ssl_step2 rules but only the first one can match.
Perhaps the first one has a typo, and you meant to put ssl_step1 there?


Amos is correct that Squid uses SHA1. So does my openssl x509 (by
default). However, FWIW, I get a different SHA1 fingerprint when I run
your command:

> openssl s_client -host www.clubic.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout
> SHA1 Fingerprint=2A:F4:A6:8E:31:15:AD:A5:52:A9:5F:03:80:42:BE:CA:01:12:2C:E7

Perhaps www.clubic.com uses different certificates for different clients.


HTH,

Alex.

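Alex's two explanations (the fingerprint ACL mismatching at step2 because the certificate is unknown, splice being untestable after stare, and the second config reaching "bump all" already at step1 with an unreachable second ssl_step2 rule) can be reproduced with a small model of the three-step evaluation. The Python below is an added example, not Squid's code: it implements only the rules stated in this thread and is a simplification of what Squid does. The `PEEK_TWICE` configuration is illustrative within the model, not a configuration anyone posted, and real Squid places further limits on bumping after peeking (see the SslPeekAndSplice wiki page Alex links).

```python
"""Offline model of Squid's three-step ssl_bump evaluation. Added example, not
Squid's code: it encodes only what this thread states (at_step ACLs, a server
certificate unknown before step 3, no splice after stare, only a final action
at step 3). Real Squid applies more constraints; see the wiki page."""

TERMINAL = {"splice", "bump", "terminate"}
FINGERPRINT = "77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9"  # from the thread

def acl_steps(acl):
    """Steps at which an ACL (kind, value) can match at all."""
    kind, value = acl
    if kind == "at_step":
        return {int(value[-1])}             # "SslBump2" -> {2}
    if kind == "server_cert_fingerprint":
        return {3}                          # certificate only known at step 3
    return {1, 2, 3}                        # "all"

def acl_matches(acl, step, server_fp):
    kind, value = acl
    if step not in acl_steps(acl):
        return False                        # includes "certificate still unknown"
    return kind != "server_cert_fingerprint" or value.upper() == server_fp.upper()

def parse_config(text):
    """'acl NAME TYPE VALUE' -> acls[NAME]; 'ssl_bump ACTION [ACL ...]' -> rules."""
    acls, rules = {"all": ("all", "")}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls[words[1]] = (words[2], " ".join(words[3:]))
        elif words and words[0] == "ssl_bump":
            rules.append((words[1], words[2:]))
        elif words:
            raise ValueError(f"unsupported line: {line}")
    return acls, rules

def evaluate(acls, rules, server_fp):
    """Walk one connection through steps 1-3; return (final action, trace)."""
    trace, previous = [], None
    for step in (1, 2, 3):
        chosen = None
        for action, names in rules:
            label = " ".join([action] + names)
            if step == 3 and action not in TERMINAL:
                continue                    # peek/stare are step 1-2 decisions only
            if step == 3 and previous == "stare" and action == "splice":
                trace.append(f"step3: '{label}' not tested (cannot splice after stare)")
                continue
            if all(acl_matches(acls[n], step, server_fp) for n in names):
                chosen = action
                trace.append(f"step{step}: '{label}' matched")
                break
        if chosen is None:
            trace.append(f"step{step}: no rule matched")
            return "none", trace
        if chosen in TERMINAL:
            return chosen, trace
        previous = chosen                   # peek or stare: continue to next step

def shadowed_rules(acls, rules):
    """Rules that can never be reached: an earlier rule built only from at_step
    or all ACLs already matches at every step the later rule could match."""
    covered, shadowed = set(), []
    for action, names in rules:
        steps = {1, 2, 3}
        for name in names:
            steps &= acl_steps(acls[name])
        if steps <= covered:
            shadowed.append(" ".join([action] + names))
        elif all(acls[n][0] in ("at_step", "all") for n in names):
            covered |= steps
    return shadowed

def decide(config, server_fp=FINGERPRINT):
    """Final ssl_bump action for a server presenting server_fp."""
    return evaluate(*parse_config(config), server_fp)[0]

COMMON = f"""acl TestFinger server_cert_fingerprint {FINGERPRINT}
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
"""
FIRST_ATTEMPT = COMMON + """ssl_bump peek ssl_step1
ssl_bump splice TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all"""
SECOND_ATTEMPT = COMMON + """ssl_bump peek ssl_step2
ssl_bump splice ssl_step3 TestFinger
ssl_bump stare ssl_step2 all
ssl_bump bump all"""
# Peek at both steps so splicing stays possible until the certificate is known
# (illustrative within this model only; not a configuration from the thread).
PEEK_TWICE = COMMON + """ssl_bump peek ssl_step1
ssl_bump peek ssl_step2
ssl_bump splice ssl_step3 TestFinger
ssl_bump bump all"""
```

Calling `evaluate(*parse_config(FIRST_ATTEMPT), FINGERPRINT)` yields the trace Alex describes: peek at step1, stare at step2, the splice rule skipped at step3, then "bump all". For `SECOND_ATTEMPT` the trace is a single line, "bump all" matching at step1, and `shadowed_rules` reports the second ssl_step2 rule as unreachable. Only `PEEK_TWICE` ends in splice for the matching fingerprint and in bump for any other.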