Squid and SSLBump


Squid and SSLBump

Monah Baki
Hi all,

I'm trying to configure my CentOS 7 running:
Squid Cache: Version 3.5.28
configure options:  '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenience

The certs/keys are legit from my company.

My squid.conf is very simple since it's for proof of concept

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Squid normally listens to port 3128
http_port 172.16.84.242:3128 ssl-bump \
  cert=/etc/squid/certs/wildcardcert.pem \
  key=/etc/squid/certs/wildcardkey.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
acl step1 at_step SSlBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 16MB
sslcrtd_children 32 startup=5 idle=1

cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

strip_query_terms off
# logformat squid %>a - %un [%{%d/%b/%Y:%H:%M:%S %z}tl] "%rm %ru" %Hs %st "%{Referer}>h" "%{User-agent}>h"
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
access_log  /var/log/squid/access.log squid


Browsing http sites works fine, but I am having issues with https.

In my access.log I get:
1574346211.538     30 172.16.84.241 TAG_NONE/200 0 CONNECT www.cnn.com:443 - HIER_DIRECT/www.cnn.com - [User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nContent-Length: 0\r\nDNT: 1\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nHost: www.cnn.com:443\r\n] [-]


In Internet explorer I get the following:

Certificate Error: Navigation Blocked

There is a problem with this website’s security certificate.

The security certificate presented by this website is not secure.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid and SSLBump

Alex Rousskov
On 11/21/19 9:25 AM, Monah Baki wrote:

> The certs/keys are legit from my company.

Is your signing certificate (i.e. wildcardcert.pem) a CA certificate? If
not, then you cannot use it to sign other certificates. SslBump with
dynamic certificate generation requires a CA certificate to sign the
generated certificates.

CA certificates have a "true" CA basic constraint:

    $ openssl x509 -in wildcardcert.pem -noout -text | \
      grep -A1 'Basic Constraints'
                X509v3 Basic Constraints:
                   CA:TRUE


If they are CA certificates, did you import them into the browser/OS
trusted certificates store? In most environments, a browser will not, by
default, trust a CA certificate that Squid can use to sign dynamically
generated certificates.

Alex.




Re: Squid and SSLBump

Monah Baki
I added the following:

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

and it works now.

In my access.log:

172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT static.xx.fbcdn.net:443" 200 4199 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbcdn.net:443" 200 5431 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbsbx.com:443" 200 5439 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT connect.facebook.net:443" 200 6085 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT www.cnn.com:443" 200 155123 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"


So since I am new to sslbump, what am I benefiting from this? Will I be able to see unencrypted data?

Thanks


On Thu, Nov 21, 2019 at 1:18 PM Alex Rousskov <[hidden email]> wrote:
On 11/21/19 9:25 AM, Monah Baki wrote:

> The certs/keys are legit from my company.

Is your signing certificate (i.e. wildcardcert.pem) a CA certificate? If
not, then you cannot use it to sign other certificates. SslBump with
dynamic certificate generation requires a CA certificate to sign the
generated certificates.

CA certificates have a "true" CA basic constraint:

    $ openssl x509 -in wildcardcert.pem -noout -text | \
      grep -A1 'Basic Constraints'
                X509v3 Basic Constraints:
                   CA:TRUE


If they are CA certificates, did you import them into the browser/OS
trusted certificates store? In most environments, a browser will not, by
default, trust a CA certificate that Squid can use to sign dynamically
generated certificates.

Alex.




Re: Squid and SSLBump

Amos Jeffries
Administrator
On 22/11/19 9:19 am, Monah Baki wrote:

> I added the following:
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
> and it works now.
>
> In my access.log:
>
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT
> static.xx.fbcdn.net:443 <http://static.xx.fbcdn.net:443>" 200 4199 "-"
> "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbcdn.net:443
> <http://fbcdn.net:443>" 200 5431 "-" "Mozilla/5.0 (Windows NT 10.0;
> WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT fbsbx.com:443
> <http://fbsbx.com:443>" 200 5439 "-" "Mozilla/5.0 (Windows NT 10.0;
> WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT
> connect.facebook.net:443 <http://connect.facebook.net:443>" 200 6085 "-"
> "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
> 172.16.84.241 - - [21/Nov/2019:15:15:05 -0500] "CONNECT www.cnn.com:443
> <http://www.cnn.com:443>" 200 155123 "-" "Mozilla/5.0 (Windows NT 10.0;
> WOW64; Trident/7.0; rv:11.0) like Gecko"
>
>
> So since I am new to sslbump, what am I benefiting from this?

You are not benefiting. Problems the users ask you to track down with
TLS will now be hidden from your debugging attempts. Users' TLS can now
be intercepted and the traffic replaced by anyone. You will not be shown
the signs of that happening since you told Squid to hide them.


> Will I be able to see unencrypted data?

No more than before. It's just that Squid will no longer attempt to
verify the certs are valid or report in logs etc. about problems.
Basically your users' traffic can now be intercepted by anybody, anywhere
along the Internet paths and replaced with other content - your Squid
will not report anything amiss.

Basically any TLS through your proxy is no longer secure.



In general you will always see sites having trouble with TLS. This is
normal, expected, and sometimes a *good* thing.

Change your focus to identifying *what* is failing for each site that
you want to work but fails. Sometimes it is a problem you can fix,
sometimes it can be ignored (the sslproxy_cert_error directive is for these).
But definitely decide what to do case-by-case instead of "allow all".


Amos
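The two checks this thread recommends, Alex's test that the signing certificate really is a CA certificate and Amos's advice to find out *what* fails for a site before reaching for sslproxy_cert_error, as one added shell script. This is example code written for this page, not code from the thread or from the Squid project. It assumes the openssl command-line tool (1.1.1 or newer) is on PATH; every certificate, key, file name and host name it uses (ca.pem, leaf.pem, selfsigned.pem, www.example.test) is constructed by the script itself for the demonstration.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from Squid.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH. All certificates and
# file names below are constructed by the script for the demonstration.

# Alex's check, scripted: does the PEM file carry a CA:TRUE basic constraint?
# Squid can only sign its generated certificates with a CA certificate.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# The http_port cert= and key= files must belong together: compare the
# public key inside the certificate with the one derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Amos's advice, scripted: name *what* fails for a server certificate instead
# of "allow all". Prints the OpenSSL verify error name, which is also the
# spelling Squid's ssl_error ACL takes. Optional third argument: epoch time
# at which to evaluate validity (e.g. "will this site expire next month?").
# Usage: classify_tls_failure CA_BUNDLE SERVER_CERT [EPOCH_SECONDS]
classify_tls_failure() {
    if [ -n "$3" ]; then
        out=$(openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    fi
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' \
        | head -n 1)
    if [ -z "$code" ]; then
        case "$out" in
            *': OK'*) echo OK ;;
            *)        echo "UNPARSED: $out" ;;
        esac
        return 0
    fi
    case "$code" in   # numbers as defined in OpenSSL's x509_vfy.h
        10) echo X509_V_ERR_CERT_HAS_EXPIRED ;;
        18) echo X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ;;
        19) echo X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ;;
        20) echo X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ;;
        21) echo X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ;;
        *)  echo "X509_V_ERR_$code" ;;
    esac
}

# Constructed test material in DIR: a private signing CA, a leaf it signed,
# and a self-signed leaf (the usual "internal appliance" case).
make_test_certs() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ v3_selfsigned ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    openssl req -x509 -config "$1/ext.cnf" -extensions v3_ca -days 2 \
        -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj '/CN=Example Signing CA' >/dev/null 2>&1
    openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        -subj '/CN=www.example.test' >/dev/null 2>&1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -extfile "$1/ext.cnf" -extensions v3_leaf -days 1 \
        -out "$1/leaf.pem" >/dev/null 2>&1
    openssl req -x509 -config "$1/ext.cnf" -extensions v3_selfsigned -days 1 \
        -newkey rsa:2048 -nodes -keyout "$1/selfsigned.key" \
        -out "$1/selfsigned.pem" -subj '/CN=www.example.test' >/dev/null 2>&1
}

# Demo run on the constructed material.
demo() {
    dir=$(mktemp -d) || return 1
    make_test_certs "$dir"
    echo "ca.pem is a CA:        $(is_ca_cert "$dir/ca.pem" && echo yes || echo no)"
    echo "leaf.pem is a CA:      $(is_ca_cert "$dir/leaf.pem" && echo yes || echo no)"
    echo "ca.key matches ca.pem: $(key_matches_cert "$dir/ca.pem" "$dir/ca.key" && echo yes || echo no)"
    echo "leaf now:              $(classify_tls_failure "$dir/ca.pem" "$dir/leaf.pem")"
    echo "self-signed leaf:      $(classify_tls_failure "$dir/ca.pem" "$dir/selfsigned.pem")"
    echo "leaf in 30 days:       $(classify_tls_failure "$dir/ca.pem" "$dir/leaf.pem" $(( $(date +%s) + 30 * 86400 )))"
    rm -rf "$dir"
}
demo
```

Run it with `sh` and read the last three lines as the case-by-case decision Amos describes: the leaf signed by the proxy's own CA verifies, the self-signed appliance certificate fails with X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, and the same leaf evaluated 30 days out fails with X509_V_ERR_CERT_HAS_EXPIRED. Those names are the ones Squid's ssl_error ACL type accepts, so a finding can be turned into a narrow sslproxy_cert_error rule for one error on one site rather than the "allow all" that, as Amos points out, switches verification off for every TLS connection through the proxy. The first three lines are the pre-flight checks for the http_port line in the original post: the cert= file must say CA:TRUE, and the key= file must be the private key of that same certificate.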