Ssl bump tunneling connection by using Common Name


Ssl bump tunneling connection by using Common Name

Hanoch Hanoch K
Greetings

We're using Squid 3.5.19 with ssl bump,
and we want to tunnel (not bump) applications such as skype, that use pinned ssl,
so we defined an acl for splicing skype's ssl_server_name.

However skype's client app uses client certificates that don't have SNI.
The only way to identify skype is its Common Name: *.dc.trouter.io

But the Common Name is available only in step3 of ssl bump,
where tunneling the connection is no longer possible (as documented in peek and splice step3 docs).
What we get is bumping.

Is there a way we can tunnel an acl based on Common Name?

ty


http_port 3127
http_port 3128 intercept
https_port 3129 ssl-bump intercept generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i (microsoft|msn|windows|update|skype.com|go.trouter.io|secure.adnxs.compipe.skype.com|skype-m.hotmail.com|mobile.pipe.aria.microsoft.com|edge.skype.com|api.cc.skype.com|a.config.skype.com|clientlogin.cdn.skype.com|.dc.trouter.io|ui.skype.com|apps.skype.com|registrar-rr.prod.registrar.skype.com|secure.skypeassets.com|c1.skype.com)
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Ssl bump tunneling connection by using Common Name

Alex Rousskov
On 03/06/2017 06:46 AM, Hanoch Hanoch K wrote:

> However skype's client app uses client certificates that don't have SNI.

SNI is not a property of a client certificate. It is a property of a
client Hello message. I do not know whether some Skype clients do not
send SNI with their Hellos, but I wanted to correct the above
misconception for the record.


> the Common Name is available only in step3 of ssl bump,

This part is correct. Squid receives the server handshake messages,
including the server certificate during step3.


> where tunneling the connection is no longer possible (as documented in
> peek and splice step3 docs).

This is somewhat misleading: Splicing after step3 works fine, provided
the "peek" action matched at step2. In other words, splicing works after
peeking.

Needless to say, bumping configurations cannot peek during step3 -- they
have to either stare or bump instead.

> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex -i ...
> ssl_bump splice NoSSLIntercept
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all

Your configuration usually peeks [at the client Hello] during step2 and
either splices or bumps during step3.


> Is there a way we can tunnel an acl based on Common Name?

Yes, but you will not be able to bump then.

If some Skype clients do not send SNI, then your options include:

* do not bump any connections;

* match Skype connections using destination IP addresses (lots of
maintenance headaches and some errors, but doable);

* enhance Squid to detect something that is unique to Skype client
handshake messages sent _before_ the client receives the server Hello.
For example, if (and only if) the Skype client sends its certificate
before receiving the server Hello, then Squid can be enhanced to detect
and interrogate that client certificate using ACLs.

Pick your poison.

Alex.
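The peek-then-splice arrangement Alex describes, written out as an added Squid 3.5 configuration example (not from the thread or from the Squid project): peek at step1 and step2 so the server certificate is visible at step3, then splice when the name Squid has learned matches Skype. The ACL names are assumptions; the CN value *.dc.trouter.io and the version come from the original post.

```squid
# Added example: keep the ability to splice through step3.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# At step2 ssl::server_name is the client SNI; at step3, after a peek at
# step2, it can also be the subject CN / SAN of the server certificate.
acl SkypeSNI     ssl::server_name_regex -i skype\.com$ trouter\.io$
acl SkypePinned  ssl::server_name_regex -i dc\.trouter\.io$

ssl_bump peek   step1          # step1: learn client SNI (intercepted, no CONNECT)
ssl_bump splice SkypeSNI       # step2: clients that do send an SNI
ssl_bump peek   step2          # step2: no SNI match, look at the server hello/cert
ssl_bump splice SkypePinned    # step3: CN *.dc.trouter.io seen in the certificate
ssl_bump bump   all            # step3: everything else

# Trade-off (Alex's "you will not be able to bump then"): Squid's ssl_bump
# documentation says peeking at the server certificate during step2 usually
# precludes bumping at step3, so "bump all" above is unreliable.  Replacing
# "peek step2" with "stare step2" restores bumping but then splicing at step3
# is no longer possible, so the certificate-based splice cannot work.
```

With the original post's sslproxy_flags DONT_VERIFY_PEER and sslproxy_cert_error allow all still in place, the certificate whose CN drives the splice decision is never validated, so the match rests on an unauthenticated name; a validated peer chain is the check a practitioner would want before trusting it.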


Re: Ssl bump tunneling connection by using Common Name

Eliezer Croitoru
In reply to this post by Hanoch Hanoch K
Hey,

There was something about it, but I believe it's only on Squid version 4.0.X.
The other option for such a thing is to use an external_acl helper that will try to initiate a connection to the destination host (like what is done in Happy Eyeballs) and inspect the certificate to match specific criteria.
I was working on such a helper a year ago but stopped touching it since there was something I didn't expect.
I can try to dig in my repository and see if I find the helper.

Let me know whether to bother with it.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



Re: Ssl bump tunneling connection by using Common Name

Amos Jeffries
Administrator
On 7/03/2017 5:41 a.m., Eliezer Croitoru wrote:
> Hey,
>
> There was something about it but I believe it's only on squid version 4.0.X.

FTR; Squid-4 brings the ability to tunnel Skype clients that were using
something that looked a bit like TLS but wasn't (along with the many
port 443 non-TLS uses). If the Skype clients are now actually using TLS
messages, that is no longer as useful.

Amos
