Squid not coming up with dynamic host certificate on ssl bum

Squid not coming up with dynamic host certificate on ssl bum

bandeep2000
I have Squid in transparent mode and want to SSL-bump all connections which are not whitelisted, but when generate-host-certificates=on is given, Squid keeps crashing when I try to bring it up after a service restart.



/var/log/messages

Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1) process 23441 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1) process 23441 exited with status 1
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1) process 23449 started
Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
Jan 30 07:05:52 ban-squid-proxy22 squid[23397]: Squid Parent: (squid-1) process 23449 exited with status 1


squid.conf details:

visible_hostname squid

cache deny all

#Handling HTTP requests
http_port 3128 intercept
acl allowed_http_sites dstdomain .amazonaws.com .bbc.com
acl blacklist url_regex -i /.(.*?)
#acl allowed_http_sites dstdomain [you can add other domains to permit]
http_access allow allowed_http_sites
http_access deny blacklist

#Handling HTTPS requests
#https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
#/root/openssl/squid.crt  squid.csr  /root/openssl/squid.key
https_port 3130 cert=/root/openssl/squid.crt key=/root/openssl/squid.key ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB

acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name .amazonaws.com .cnn.com .yahoo.com .bbc.com

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
#ssl_bump peek all
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump bump step2 all

http_access deny all

coredump_dir /var/cache/squid



Command to generate SSL certificate:

sudo openssl genrsa -out squid.key 2048
sudo openssl req -new -key squid.key -out squid.csr -subj "/C=XX/ST=XX/L=squid/O=squid/CN=squid"
sudo openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt


Squid and OS version:

squid -v
Squid Cache: Version 3.5.28
Service Name: squid
This binary uses OpenSSL 1.0.1e-fips 11 Feb 2013. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options:  '--prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--bindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-openssl' '--enable-ssl-crtd' --enable-ltdl-convenience

[c5278791@ban-squid-proxy22 ~]$ cat /etc/redhat-release
CentOS release 6.10 (Final)
[c5278791@ban-squid-proxy22 ~]$



Please let me know.

Thanks!
-Bandeep

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid not coming up with dynamic host certificate on ssl bum

Amos Jeffries
Administrator
On 30/01/19 8:11 pm, bandeep2000 wrote:

> Have squid in transparent, want to ssl bump all the connections which
> are not whitelisted, but when given generate-host-certificates=on ,
> squid keeps crashing when trying to bring it up after service restart.
>
>
>
> /var/log/messages
>
> Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1)
> process 23441 started
>
> Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are
> crashing too rapidly, need help!
>

There is the error. cache.log should contain more details and possibly
instructions about the error.

Probably you did not initialize the certificate database or it needs to
be purged and reinitialized.




>
> squid.conf details:
>
> visible_hostname squid
>


This name will clash with any other proxy calling itself "squid" and the
traffic may/will be rejected as forwarding loop.

Using the full hostname or FQDN is best to ensure the URLs of objects
provided direct from Squid to clients can be fetched by those clients.


>
> cache deny all
>
> #Handling HTTP requests
>
> http_port 3128 intercept
>
> acl allowed_http_sites dstdomain ...
> acl blacklist url_regex -i /.(.*?)

The above is equivalent to:

  acl blacklist url_regex /.

Meaning "blacklist" matches any URI containing a '/' character followed
by one other character...

>
>
> http_access allow allowed_http_sites
>
> http_access deny blacklist
>


... all URLs start with "scheme://" therefore the first '/' always
exists and is always followed by the second '/'.

... So any traffic with a URL is blacklisted.

The only traffic allowed is that on the whitelist or with URI or URN -
the latter two do not require the '//' scheme delimiters. So they
usually will not match, but may do so.


>
> #Handling HTTPS requests
>
> #https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
>
> #/root/openssl/squid.crt  squid.csr  /root/openssl/squid.key
>
> https_port 3130 cert=/root/openssl/squid.crt
> key=/root/openssl/squid.key ssl-bump intercept
> generate-host-certificates=on version=1
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>

Please put the traffic mode ("intercept" for these) as the first option
after the port number. The Squid "-k parse" checks can only verify
correct operation and help instructions if the mode is known when the
other options are interpreted.



> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
>
>
> acl SSL_port port 443
>
> http_access allow SSL_port
>

So any attempt to open opaque tunnels (uses a URI not a URL) to port 443
to any domain is allowed by any client who can get TCP connections to
reach your proxy port 3128.
Also to any server in the allowed_https_sites whitelist regardless of
whether the client is your LAN or an external attacker.

(NP: there are good reasons we recommend the default !Safe_ports and
"CONNECT !SSL_ports" ACL checks be used first and your rules
second. Mostly it is about protecting your network from abusers.)


> acl allowed_https_sites ssl::server_name ...
>
>
> acl step1 at_step SslBump1
>
> acl step2 at_step SslBump2
>
> acl step3 at_step SslBump3
>
>
> ssl_bump peek step1 all
>
> #ssl_bump peek all
>
> ssl_bump splice step2 allowed_https_sites
>
> ssl_bump splice step3 allowed_https_sites
>

No traffic should ever reach step3, since step2 always finishes with
the above splice or the below bump actions. There are no other
possibilities at step2 which would ever lead to step3 (server
credentials) being checked.


> ssl_bump bump step2 all
>

Note: the "all" ACL is always pointless on ssl_bump lines and seems to
often confuse people into thinking that a line matches all traffic (it
does nothing). I recommend removing those and re-checking the rules
against your understanding of what your policy needs to make happen.


Amos
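Added example (not Squid's code and not part of the thread): a small Python model of the poster's ssl_bump rules and blacklist regex, walked through the SslBump steps the way Amos describes. It assumes simplified ACL semantics: at_step matches only its own step, a dot-prefixed ssl::server_name entry matches the domain and its subdomains, "all" always matches, the first rule whose ACLs all match wins, and peek continues to the next step while splice and bump are final.

```python
import re

# Constructed model of the poster's squid.conf (assumption: simplified
# ACL semantics, not Squid's real evaluator).
WHITELIST = [".amazonaws.com", ".cnn.com", ".yahoo.com", ".bbc.com"]

# The poster's ssl_bump lines, in order: (action, acl names).
RULES = [
    ("peek",   ["step1", "all"]),
    ("splice", ["step2", "allowed_https_sites"]),
    ("splice", ["step3", "allowed_https_sites"]),
    ("bump",   ["step2", "all"]),
]

def acl_matches(name, step, sni):
    """at_step matches only its own step; 'all' always matches."""
    if name.startswith("step"):
        return step == int(name[len("step"):])
    if name == "all":
        return True
    if name == "allowed_https_sites":
        return any(sni == d[1:] or sni.endswith(d) for d in WHITELIST)
    raise ValueError("unknown acl " + name)

def decide(rules, step, sni):
    """First rule whose ACLs all match wins; None if nothing matched."""
    for action, acls in rules:
        if all(acl_matches(a, step, sni) for a in acls):
            return action
    return None

def walk(rules, sni):
    """Drive one TLS connection through SslBump1..3; return the
    (step, action) pairs visited. splice and bump end the walk."""
    trace = []
    for step in (1, 2, 3):
        action = decide(rules, step, sni)
        trace.append((step, action))
        if action != "peek":
            break
    return trace

def without_all(rules):
    """Same rule set with every 'all' ACL dropped."""
    return [(act, [a for a in acls if a != "all"]) for act, acls in rules]

def blacklist_matches(url):
    """The poster's 'acl blacklist url_regex -i /.(.*?)' applied to a URL."""
    return re.search(r"/.(.*?)", url, re.IGNORECASE) is not None
```

Whitelisted SNIs are spliced and everything else is bumped at step2, so step3 is never visited, and dropping the "all" ACLs changes no decision; every scheme://... URL matches the blacklist regex while a bare URN does not.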