
Squid generated certificate for IP rather than domain when using ssl_bump

Squid generated certificate for IP rather than domain when using ssl_bump

Shanmugam Sundaram
Hi,

I'm new to Squid, and having trouble getting SSL filtering work.

I have a blanket block setup with Squid as Transparent proxy where access is allowed only to github.com. But, squid generates certificates for IP address instead of domain name and SSL validation fails.
Squid version: 3.5.25-20170408-r14154
When I use curl (I have imported my self-signed SSL certificate to the certificate store):
curl: (51) SSL: certificate subject name (192.30.255.112) does not match target host name 'github.com'

How do I configure Squid properly to splice a whitelist and block all other domains? Below is my current configuration:
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem

acl whitelist ssl::server_name .github.com
acl step1 at_step SslBump1

ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all

Please help me fix the issue.

thanks,
Shan

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid generated certificate for IP rather than domain when using ssl_bump

Alex Rousskov
On 04/17/2017 08:38 AM, Shanmugam Sundaram wrote:

> I have a blanket block setup with Squid as Transparent proxy where
> access is allowed only to github.com. But, squid generates certificates
> for IP address instead of domain name and SSL validation fails.

> Squid version: 3.5.25-20170408-r14154
> When I use curl
> curl: (51) SSL: certificate subject name (192.30.255.112) does not
> match target host name 'github.com'
>
> How do I configure Squid properly to splice a whitelist and block all other
> domains? Below is my current configuration:
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem
>
> acl whitelist ssl::server_name .github.com
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all
>
> Please help me fix the issue.

Any http_access rules? Is it possible that Squid denies the fake CONNECT
request during step1 (before looking up SNI during step2)?

What does access.log say?

Alex.


Re: Squid generated certificate for IP rather than domain when using ssl_bump

Shanmugam Sundaram
In reply to this post by Shanmugam Sundaram
Hi Alex,

Thank you. Yes, there are http_access rules.

I have included the entire configuration file (Sorry, I'm new to Squid)
The goal is to splice only whitelist (github.com) and terminate all other domains.

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem

visible_hostname squid.internal

acl localnet src 172.16.0.0/16
acl http_whitelist dstdomain .github.com
acl whitelist ssl::server_name .github.com

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1025-65535  # unregistered ports
acl step1 at_step SslBump1
acl step2 at_step SslBump2

acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access allow http_whitelist localnet
http_access deny all

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all

via off
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all
 
-Shan



Re: Squid generated certificate for IP rather than domain when using ssl_bump

Alex Rousskov
On 04/17/2017 10:55 AM, Shanmugam Sundaram wrote:

> The goal is to splice only whitelist (github.com) and terminate all
> other domains.

FYI: I do not know what you mean by "terminate", but if you mean "close
the client-to-Squid connection _without_ serving a Squid-generated error
response to the user", then your ssl_bump configuration does not reflect
your intent. It is easier to terminate non-github connections than to
respond with blocking error messages to non-github requests.


> acl http_whitelist dstdomain .github.com
> acl whitelist ssl::server_name .github.com

> http_access allow http_whitelist localnet
> http_access deny all
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all


Your Squid probably denies the fake CONNECT request during step1 (before
looking up SNI during step2). That fake CONNECT does not (and cannot)
have a host name (because you intercept) so it does not match your
"http_whitelist" ACL in the "http_access allow" rule quoted above,
following through to the "deny all" rule that always matches.

An access log may be used to confirm or discard the above theory. This
is why I have asked you about access log records in my previous email.

Alex.

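The diagnosis above points at a concrete fix: in intercept mode the step-1 fake CONNECT can only ever carry the destination IP, so the http_access rules must let that request through (for the trusted client range only) and make the real name-based decision once the SNI is known. The squid.conf fragment below is an added example written for this page; it is not from the thread or the Squid project. It keeps the ports, CA file, client range and ACL names from the posted configuration (the SNI ACL is renamed tls_whitelist for clarity) and assumes, as an assumption to verify against access.log, that Squid 3.5 re-evaluates http_access at SslBump2 with a fake CONNECT updated from the SNI, and that the "terminate" ssl_bump action is available (it is documented for 3.5).

```conf
# Added example squid.conf fragment (not the poster's file, not Squid's own docs).
# Assumes: same ports/CA/client range as the thread; Squid 3.5 re-checks
# http_access at SslBump2 using the SNI from the peeked ClientHello.

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_certs/myca.pem key=/etc/squid/ssl_certs/myca.pem

acl localnet src 172.16.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

acl http_whitelist dstdomain .github.com          # plain HTTP: Host header / URL
acl tls_whitelist ssl::server_name .github.com    # TLS: SNI learned by peeking
acl step1 at_step SslBump1
acl step2 at_step SslBump2

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Step 1: the intercepted fake CONNECT is "CONNECT <ip>:443", so no domain ACL
# can match it yet. Allow it for the trusted client range only, so that Squid
# gets to peek at the ClientHello instead of denying (and then bumping with a
# certificate issued for the bare IP, which is the symptom seen with curl).
http_access allow localnet step1

# Step 2 and later: the SNI is known; permit only the whitelisted server name.
http_access allow localnet tls_whitelist

# Plain HTTP on port 80 is matched on the host name as before.
http_access allow localnet http_whitelist
http_access deny all

ssl_bump peek step1
ssl_bump splice tls_whitelist
# Everything else: close the connection without bumping, so Squid generates no
# certificate and sends no error page. Use "ssl_bump bump all" instead if an
# error page to the user is preferred over a dropped connection.
ssl_bump terminate all
```

After reloading, the access.log records for HTTPS to github.com should no longer show TCP_DENIED for the "CONNECT <ip>:443" line; if they still do, the step-1 allow rule is not being reached and the http_access ordering should be checked first. Two caveats a practitioner should keep in mind: the step-1 allow is deliberately limited to localnet, since it lets any TLS ClientHello from that range through to peeking; and with peek-at-step-1 followed by splice, the name being whitelisted is the SNI the client itself sent, which Squid does not verify against the server certificate in this configuration. Whether that matters depends on what the whitelist is meant to enforce.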

Re: Squid generated certificate for IP rather than domain when using ssl_bump

Shanmugam Sundaram
Hi Alex,

Thank you, and sorry for not including the access log earlier.

1492449506.087     16 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -
1492449521.807      5 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.112:443 - HIER_NONE/- -
1492449528.794     41 172.27.3.236 TCP_MISS/301 280 GET http://github.com/ - ORIGINAL_DST/192.30.255.113 -
1492449528.799      0 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -

Seems to be the case. Please help me with getting the correct configuration.

Thank you very much.

-Shan


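The log excerpt above shows the signature Alex predicted: TCP_DENIED for a CONNECT whose target is a bare IP:port and no peer (HIER_NONE), i.e. a decision made before any SNI was available. The POSIX shell snippet below is an added example for this page (not code from the thread or from Squid) that picks exactly those records out of a native-format access.log, so the same check can be run on a real log before and after changing the configuration. The four sample lines are the ones posted above; the fifth is a constructed line for a CONNECT that names a host, to show that such entries are not flagged.

```sh
#!/bin/sh
# Added example (not from the thread): list intercepted TLS connections that
# Squid denied at SslBump1. In intercept mode the step-1 fake CONNECT carries
# only the destination IP:port, so "TCP_DENIED ... CONNECT <ip>:<port>" means the
# http_access decision was made before the SNI was known.
#
# Native access.log fields: 1 time, 2 duration, 3 client, 4 result/status,
# 5 bytes, 6 method, 7 URL, 8 user, 9 hierarchy/peer, 10 content type.

# Sample input: first four lines copied from the thread, fifth line constructed
# (a denied CONNECT with a host name, which must not be reported).
SAMPLE_LOG='1492449506.087     16 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -
1492449521.807      5 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.112:443 - HIER_NONE/- -
1492449528.794     41 172.27.3.236 TCP_MISS/301 280 GET http://github.com/ - ORIGINAL_DST/192.30.255.113 -
1492449528.799      0 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -
1492449530.000     12 172.27.3.250 TCP_DENIED/403 3900 CONNECT example.org:443 - HIER_NONE/- -'

# find_step1_denials [file...]: print "client target" for each denied CONNECT
# whose target is a bare IPv4:port. Reads stdin when no file is given.
find_step1_denials() {
    awk '$6 == "CONNECT" &&
         $4 ~ /^TCP_DENIED\// &&
         $9 ~ /^HIER_NONE/ &&
         $7 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ { print $3, $7 }' "$@"
}

# count_step1_denials [file...]: how many such records there are.
count_step1_denials() {
    find_step1_denials "$@" | wc -l | tr -d ' '
}

# Run against the embedded sample. On a real proxy use, for example:
#   find_step1_denials /var/log/squid/access.log | sort | uniq -c
printf '%s\n' "$SAMPLE_LOG" | find_step1_denials
```

A non-empty result after the configuration has been corrected means some client range or port is still hitting "http_access deny all" at step 1; the client column tells you which.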