Squid SSL Intercept has issues with apps on iOS

prashantbhosale
I was trying to set up Squid transparent SSLBump on AWS EC2 instances and it is working for most HTTPS websites, but it gives problems when using Apple apps.
According to threads on the mailing list, with the excluded domains (.apple.com .icloud.com .mzstatic.com .akamaihd.net .dropbox.com) the App Store works (browsing apps, searching apps), but app installation (from the App Store) fails with the squid access log below:
1491910115.715     51 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.226:443 - ORIGINAL_DST/17.154.66.226 -
1491910116.537     52 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.74:443 - ORIGINAL_DST/17.154.66.74 -

The same issue is happening with Dropbox: the Dropbox app does not sync with the server.


Conf:
http_port 3128 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

acl local-servers dstdomain "/etc/squid/allowed.txt"

ssl_bump peek step1
ssl_bump splice local-servers
ssl_bump bump all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

##squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-ssl' '--with-openssl' '--enable-ssl-crtd' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'


Does anybody have a working conf for sslbump that excludes the HTTP Public Key Pinning (HPKP) mechanism?

Re: Squid SSL Intercept has issues with apps on iOS

Amos Jeffries
Administrator
On 11/04/2017 11:38 p.m., prashantbhosale wrote:

> I was trying to setup Squid transparent SSLBump and it's working. But it is
> giving problems for Apple apps.
> According to threads on mailing list excluded domains (.apple.com
> .icloud.com .mzstatic.com .akamaihd.net .dropbox.com) then App Store works
> (browsing apps, searching apps) but app installation(from App store) fails
> with below squid access log:
> 1491910115.715     51 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.226:443 -
> ORIGINAL_DST/17.154.66.226 -
> 1491910116.537     52 10.99.1.1 TAG_NONE/200 0 CONNECT 17.154.66.74:443 -
> ORIGINAL_DST/17.154.66.74 -

Please read
<http://wiki.squid-cache.org/Features/SslPeekAndSplice#Processing_steps>

The above log entries look like the step 1.i CONNECT requests to me.
TLS/SSL has not started at that point and ssl_bump has not even been
considered.

Later on ...

> sslproxy_cert_error allow all

... you have disabled all errors from being visible to anyone.
*including you*.

> sslproxy_flags DONT_VERIFY_PEER

... and you have disabled all TLS security protections.

>
> Is anybody has working conf for sslbump with exclude the HTTP Public Key
> Pinning (HPKP) mechanism.

There is no way to know whether the pinning is being used, nor even what
software was being used. Some client IP connects and signals that it
needs TLS. Then exits as soon as TLS is sent to it. End of story.

There are a large number of things that could be going on when a client
simply disappears like that. As humans we can know a lot of contextual
information about the whole situation and decide that it's HPKP - but the
software on the spot when it happened does not have any of that extra
info to work with.

Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
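Added example, not a configuration posted in this thread: the original intercept configuration with the two directives Amos objects to removed, and the exclusion list matched on the TLS SNI instead of on the fake CONNECT request. The CA path, the list file /etc/squid/nobump.txt and its contents are assumptions for illustration; the directives and ACL types are those of Squid 3.5.

```conf
# Added example, not from the thread. Assumes Squid 3.5.x, a CA at
# /etc/squid/ssl_cert/myCA.pem and an exclusion list in
# /etc/squid/nobump.txt (hypothetical paths).

http_port 3128 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# The two weak lines from the original post, shown here only so they can be
# compared against the corrected form. Do not enable them:
#   sslproxy_cert_error allow all     # bypasses every origin certificate
#                                     # error, so nobody (admin included)
#                                     # ever sees it in cache.log
#   sslproxy_flags DONT_VERIFY_PEER   # skips verification of the origin
#                                     # server certificate altogether
# Leaving both directives out keeps the defaults: no certificate error is
# bypassed and the origin certificate is verified, so a bad or forged
# origin certificate is refused and logged instead of being silently
# re-signed by myCA and handed to the client.

# Exclusions matched on the SNI that peeking at step 1 reads from the
# ClientHello. On an intercepted connection the fake CONNECT request that
# dstdomain is checked against carries only the original IP:port, so a
# dstdomain list of hostnames is not the right tool there.
acl nobump ssl::server_name "/etc/squid/nobump.txt"
# /etc/squid/nobump.txt (hypothetical contents, one pattern per line):
#   .apple.com
#   .icloud.com
#   .mzstatic.com
#   .akamaihd.net
#   .dropbox.com

acl step1 at_step SslBump1
ssl_bump peek step1      # step 1: read ClientHello, learn SNI
ssl_bump splice nobump   # step 2: pass listed hosts through untouched
ssl_bump bump all        # everything else is intercepted
```

Splicing by SNI only keeps a host out of the bump path if its name is in the list; the thread does not establish which hostnames the failing connections to 17.154.66.226 and 17.154.66.74 were for, so after changing the configuration check cache.log for the certificate errors that the removed directives were hiding, rather than assuming pinning.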