Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work


Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

arun.xavier
I have configured squid with ssl-bump (intercept mode) and it works as expected while accessing secure sites from browsers.

What I have done so far:

 - Configured squid.
 - Created a root & intermediate certificate for dynamic cert generation in squid.
 - Installed the same root certificate in the mobile device (iPhone 6, iOS 10).
 - Every website works on Chrome/Safari.

But apps like Facebook, Twitter are not working (showing network error).

When checking cache log of squid, I found the below log.

Error negotiating SSL connection on FD 12: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (1/0)

It looks like initial CONNECT/Handshake is not working.

what I have changed in squid.conf
-----------------------------------------------------------------
acl localnet src 172.16.0.0/12
acl localnet src fe80::/10
acl allow localnet
ssl_bump bump all
always_direct allow all
http_port localhost:3128
http_port localhost:3129 intercept
https_port localhost:3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/cert/cert.pem key=/etc/squid/cert/key.pem
strip_query_terms off
----------------------------------------------------------------

Any idea how to fix this, or where to check? What might be my mistake?
PS:
I use squid to get logs of all internet traffic from mobile devices.
Overview of my intended system is like this: SmartPhone ---> VPN ---> Squid ---> Internet
- Arun Xavier

Re: Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

Marcus Kool
You have not stated which version of Squid you are using but my guess is that it is 3.5.x.

The facebook app and other apps use port 443 but do not use HTTPS, and therefore Squid does not know how to bump it, and consequently the app does not work.

What you need is the not yet stable Squid 4.0, and to use the option
    on_unsupported_protocol tunnel all
so that the non-HTTPS protocols get through without being bumped.

Marcus


On 18/05/17 07:26, arun.xavier wrote:

> I have configured squid with ssl-bump (intercept mode) and it works as
> expected while accessing secure sites from browsers.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

Amos Jeffries
Administrator
On 18/05/17 22:59, Marcus Kool wrote:

> You have not stated which version of Squid you are using but my guess
> is that it is 3.5.x.
>
> facebook app and other apps use port 443 but do not use HTTPS and
> therefore Squid does not how to bump it and consequently the app does
> not work.
>
> What you need is the not yet stable Squid 4.0 and use the option
>    on_unsupported_protocol tunnel all
> so that the non-HTTPS protocols get through without being bumped.

Also, apps are more likely to have certificate pinning in operation, since
the set of domains they need to contact is much smaller than for a general-use
browser. If that is done, the traffic cannot be bumped (only peek,
stare, splice or terminate work).

Amos


Re: Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

arun.xavier
In reply to this post by Marcus Kool
Thanks for the quick response, I have tried different versions of squid & luckily now I have already configured squid-4.0.19, so I will try on_unsupported_protocol directive.
- Arun Xavier

Re: Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

arun.xavier
In reply to this post by Amos Jeffries
Hello Amos,

The issue seems to be certificate pinning, is it possible to configure squid to peek/splice pinned requests and to bump all other requests?
- Arun Xavier

Re: Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

Yuri Voinov
In reply to this post by arun.xavier
The issue is crystal clear:

tlsv1 alert unknown ca

Check that the CA bundle you configured is available to squid.

Both FB and Twitter work via browser.

Apps (usually used from mobiles) also require the proxy CA to be installed into the devices. If they are pinned, just write a splice acl to pass them without bumping.


18.05.2017 16:26, arun.xavier wrote:
> tlsv1 alert unknown ca




Re: Squid works with ssl bump in intercept mode and root certificate in browser, but apps does not work

Alex Rousskov
In reply to this post by arun.xavier
On 05/18/2017 06:46 AM, arun.xavier wrote:

> is it possible to configure squid to peek/splice pinned requests?

It is impossible. The TLS client decides which certificates are pinned
to which servers. Squid cannot know that because the client commitment
to pin is not expressed in the TLS protocol.

That said, please do pay attention to Yuri's response quoted below. Yuri
has identified your immediate problem, which is _not_ pinning.

Alex.

> On 05/18/2017 07:55 AM, Yuri wrote:
>> The issue is crystal:
>>
>> tlsv1 alert unknown ca
>>
>> Check you configured CA bundle available for squid.

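A Squid 4 configuration fragment, added here as an example (it is not the configuration from any post in this thread), combining Marcus's on_unsupported_protocol advice with the peek-then-splice approach Amos and Yuri describe. As Alex points out, Squid cannot detect pinning, so the pinned_apps acl is a hand-maintained placeholder; its server names and the at_step/ssl::server_name acls are assumptions of this example.

```squid
# Added example for Squid 4.x (not the configuration of any poster in this thread).
# Goal: bump HTTPS for logging, but splice connections to apps known to pin
# their certificates, and tunnel non-HTTPS protocols that arrive on port 443.

# SslBump step 1 = client TCP connect, before any TLS is seen.
# Step 2 = after peeking at the client's ClientHello, so the SNI is known.
acl step1 at_step SslBump1

# Placeholder list of SNI names for apps observed to pin their certificates.
# Squid cannot detect pinning, so this list is maintained by hand from the
# apps that fail in cache.log. The names below are assumptions, not real apps.
acl pinned_apps ssl::server_name .pinned-app.example
acl pinned_apps ssl::server_name .another-pinned-app.example

# Step 1: only peek, so the ClientHello (and its SNI) is read before deciding.
ssl_bump peek step1
# Step 2: pinned apps are spliced (passed through untouched, still logged as a
# CONNECT tunnel); everything else is bumped with a generated certificate.
ssl_bump splice pinned_apps
ssl_bump bump all

# Squid 4: traffic on the https_port that is not TLS/HTTPS at all (some apps
# speak their own protocol on 443) is tunneled instead of failing the handshake.
on_unsupported_protocol tunnel all
```

Whichever side sends the unknown ca alert, the check is the same: the certificate presented must chain to a root the verifying side trusts (the root installed on the device on the client side, Squid's configured CA bundle on the server side).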