Squid Web Proxy Cache Squid - Users

acl aclname server_cert_fingerprint

classic Classic list List threaded Threaded
9 messages Options
Eliezer Croitoru-3
Reply | Threaded
Open this post in threaded view
|

acl aclname server_cert_fingerprint

Eliezer Croitoru-3
I'm trying to use:
acl aclname server_cert_fingerprint [-sha1] fingerprint


I have cerated the next file:
/etc/squid/no-ssl-bump-server-fingerprint.list

And trying to use the next line:
acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
"/etc/squid/no-ssl-bump-server-fingerprint.list"

To be explicit despite that only sha1 is a valid checksum.
Squid doesn't accept the above line but this one yes:
acl NoBump_certificate_fingerprint server_cert_fingerprint
"/etc/squid/no-ssl-bump-server-fingerprint.list"


Is there a reason for that?

Thanks,
Eliezer


----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Alex Rousskov
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Alex Rousskov
On 1/25/21 6:03 AM, Eliezer Croitoru wrote:

> I'm trying to use:
> acl aclname server_cert_fingerprint [-sha1] fingerprint
>
>
> I have cerated the next file:
> /etc/squid/no-ssl-bump-server-fingerprint.list
>
> And trying to use the next line:
> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>
> To be explicit despite that only sha1 is a valid checksum.
> Squid doesn't accept the above line


Does not accept how? What is the error message?


> but this one yes:
> acl NoBump_certificate_fingerprint server_cert_fingerprint
> "/etc/squid/no-ssl-bump-server-fingerprint.list"

> Is there a reason for that?


The use of ACL options and ACL parameter options is poorly documented.

Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
says that server_cert_fingerprint is still broken. Not sure whether that
was true, whether some other commit has fixed that ACL, and whether the
problem mentioned in the commit message is related to your troubles.
https://bugs.squid-cache.org/show_bug.cgi?id=4847
https://github.com/squid-cache/squid/pull/191

Also, according to my 2015 notes, server_cert_fingerprint happens to be
case sensitive. I consider that a bug. I am not sure, but I think Squid
expects uppercase hex letters (if any). I do not know whether that has
been fixed.


Finally, it is dangerous to list ACL parameter options like -sha1 in
front of parameter filename when that parameter file may contain its own
parameter options. A reader may think that -sha1 in squid.conf
overwrites, say, -sha256 in the parameter file, but that is not what
probably will happen when Squid starts supporting both options.

That consideration may actually be the reason why Squid rejects your
first configuration sample (or perhaps it should be the reason even if
it does not).

I am sure there are use cases where the admin wants to apply one
parameter option to the whole file, but the ambiguity is too dangerous
to allow IMO. We should make the choice explicit.


HTH,

Alex.




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Eliezer Croitoru-3
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Eliezer Croitoru-3
I will try to test it when users are not on the proxy later.

I have another issue with the "server_cert_fingerprint" directive.
I have a working setup which I am unable to make it work with "server_cert_fingerprint".
I'm not sure how and in what step or place in the config it should be used.

My squid conf attached and one server cert fingerprint is:
1C:8C:EC:C8:C4:7F:DF:36:62:69:B1:6A:92:5A:AE:4A:F2:06:E6:B2

Which is in the file:
no-ssl-bump-server-fingerprint.list

I'm trying to understand what I'm doing wrong in the config that stil lets edition.cnn.com be decrypted instead of spliced?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: Alex Rousskov <[hidden email]>
Sent: Tuesday, January 26, 2021 6:22 AM
To: Eliezer Croitoru <[hidden email]>; [hidden email]
Subject: Re: [squid-users] acl aclname server_cert_fingerprint

On 1/25/21 6:03 AM, Eliezer Croitoru wrote:

> I'm trying to use:
> acl aclname server_cert_fingerprint [-sha1] fingerprint
>
>
> I have cerated the next file:
> /etc/squid/no-ssl-bump-server-fingerprint.list
>
> And trying to use the next line:
> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>
> To be explicit despite that only sha1 is a valid checksum.
> Squid doesn't accept the above line

Does not accept how? What is the error message?


> but this one yes:
> acl NoBump_certificate_fingerprint server_cert_fingerprint
> "/etc/squid/no-ssl-bump-server-fingerprint.list"

> Is there a reason for that?


The use of ACL options and ACL parameter options is poorly documented.

Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
says that server_cert_fingerprint is still broken. Not sure whether that
was true, whether some other commit has fixed that ACL, and whether the
problem mentioned in the commit message is related to your troubles.
https://bugs.squid-cache.org/show_bug.cgi?id=4847
https://github.com/squid-cache/squid/pull/191

Also, according to my 2015 notes, server_cert_fingerprint happens to be
case sensitive. I consider that a bug. I am not sure, but I think Squid
expects uppercase hex letters (if any). I do not know whether that has
been fixed.


Finally, it is dangerous to list ACL parameter options like -sha1 in
front of parameter filename when that parameter file may contain its own
parameter options. A reader may think that -sha1 in squid.conf
overwrites, say, -sha256 in the parameter file, but that is not what
probably will happen when Squid starts supporting both options.

That consideration may actually be the reason why Squid rejects your
first configuration sample (or perhaps it should be the reason even if
it does not).

I am sure there are use cases where the admin wants to apply one
parameter option to the whole file, but the ambiguity is too dangerous
to allow IMO. We should make the choice explicit.


HTH,

Alex.




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

squid.conf (7K) Download Attachment
Alex Rousskov
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Alex Rousskov
On 1/26/21 2:09 AM, Eliezer Croitoru wrote:

> I'm trying to understand what I'm doing wrong in the config that stil
> lets edition.cnn.com be decrypted instead of spliced?

If you still need help, please share the relevant parts of your
configuration and logs. I would start with ssl_bump rules and access log
records containing additional %error_code/%err_detail fields.

Alex.



> -----Original Message-----
> From: Alex Rousskov <[hidden email]>
> Sent: Tuesday, January 26, 2021 6:22 AM
> To: Eliezer Croitoru <[hidden email]>; [hidden email]
> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>
> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>> I'm trying to use:
>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>
>>
>> I have cerated the next file:
>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>
>> And trying to use the next line:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>
>> To be explicit despite that only sha1 is a valid checksum.
>> Squid doesn't accept the above line
>
>
> Does not accept how? What is the error message?
>
>
>> but this one yes:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>
>> Is there a reason for that?
>
>
> The use of ACL options and ACL parameter options is poorly documented.
>
> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
> says that server_cert_fingerprint is still broken. Not sure whether that
> was true, whether some other commit has fixed that ACL, and whether the
> problem mentioned in the commit message is related to your troubles.
> https://bugs.squid-cache.org/show_bug.cgi?id=4847
> https://github.com/squid-cache/squid/pull/191
>
> Also, according to my 2015 notes, server_cert_fingerprint happens to be
> case sensitive. I consider that a bug. I am not sure, but I think Squid
> expects uppercase hex letters (if any). I do not know whether that has
> been fixed.
>
>
> Finally, it is dangerous to list ACL parameter options like -sha1 in
> front of parameter filename when that parameter file may contain its own
> parameter options. A reader may think that -sha1 in squid.conf
> overwrites, say, -sha256 in the parameter file, but that is not what
> probably will happen when Squid starts supporting both options.
>
> That consideration may actually be the reason why Squid rejects your
> first configuration sample (or perhaps it should be the reason even if
> it does not).
>
> I am sure there are use cases where the admin wants to apply one
> parameter option to the whole file, but the ambiguity is too dangerous
> to allow IMO. We should make the choice explicit.
>
>
> HTH,
>
> Alex.
>
>
>
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Eliezer Croitoru-3
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Eliezer Croitoru-3
Hey Alex,

I'm not sure I understood hat these errorcde and error detai.
I assume that there is a relevant debug_options for parsing the fingerprint.
The next thing I was thinking about was the fingerprint validation related debug.
To verify what might make squid to compare wrongly the SHA1 signature.

 I have attached the full squid.conf
The more relevant parts are:
## START
acl NoBump_server_regex ssl::server_name_regex -i "/etc/squid/no-ssl-bump-regex.list"
acl NoBump_server_regex_by_urls_domain ssl::server_name_regex -i "/etc/squid/no-ssl-bump-urls-domains-regex.list"
acl NoBump_server_name ssl::server_name "/etc/squid/no-ssl-bump-server-name.list"
acl NoBump_dst dst "/etc/squid/no-ssl-bump-server-dst-addresses.list"
acl NoBump_certificate_fingerprint server_cert_fingerprint "/etc/squid/no-ssl-bump-server-fingerprint.list"
acl NoBump_src src "/etc/squid/no-ssl-bump-client-src.list"

acl tls_to_splice any-of NoBump_src NoBump_server_name NoBump_server_regex_by_urls_domain NoBump_server_regex NoBump_dst NoBump_certificate_fingerprint bypass_src_helper


acl Bump_server_regex ssl::server_name_regex -i "/etc/squid/ssl-bump-regex.list"
acl Bump_server_regex_by_urls_domain ssl::server_name_regex -i "/etc/squid/ssl-bump-urls-domains-regex.list"
acl Bump_server_name ssl::server_name "/etc/squid/ssl-bump-server-name.list"
acl Bump_dst dst "/etc/squid/ssl-bump-server-dst-addresses.list"

acl tls_to_bump any-of Bump_server_name Bump_server_regex_by_urls_domain Bump_server_regex Bump_dst sni_matcher_helper yandex_bl_checker_helper


# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

ssl_bump peek tls_s1_connect
ssl_bump splice tls_to_splice
ssl_bump stare tls_s2_client_hello
ssl_bump bump tls_to_bump
## END

The fingerprint contains only 3 signatures and one of them is (Quoted as is):
1C:8C:EC:C8:C4:7F:DF:36:62:69:B1:6A:92:5A:AE:4A:F2:06:E6:B2

My setup is working fine except this fingerprint part which is not always the best way to splice.
However it seems like it should be pretty straight forward.

I can dump the whole config into a tar file to try and understand better the setup if required.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: Alex Rousskov <[hidden email]>
Sent: Wednesday, January 27, 2021 5:12 PM
To: Eliezer Croitoru <[hidden email]>; [hidden email]
Subject: Re: [squid-users] acl aclname server_cert_fingerprint

On 1/26/21 2:09 AM, Eliezer Croitoru wrote:

> I'm trying to understand what I'm doing wrong in the config that stil
> lets edition.cnn.com be decrypted instead of spliced?

If you still need help, please share the relevant parts of your
configuration and logs. I would start with ssl_bump rules and access log
records containing additional %error_code/%err_detail fields.

Alex.



> -----Original Message-----
> From: Alex Rousskov <[hidden email]>
> Sent: Tuesday, January 26, 2021 6:22 AM
> To: Eliezer Croitoru <[hidden email]>; [hidden email]
> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>
> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>> I'm trying to use:
>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>
>>
>> I have cerated the next file:
>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>
>> And trying to use the next line:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>
>> To be explicit despite that only sha1 is a valid checksum.
>> Squid doesn't accept the above line
>
>
> Does not accept how? What is the error message?
>
>
>> but this one yes:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>
>> Is there a reason for that?
>
>
> The use of ACL options and ACL parameter options is poorly documented.
>
> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
> says that server_cert_fingerprint is still broken. Not sure whether that
> was true, whether some other commit has fixed that ACL, and whether the
> problem mentioned in the commit message is related to your troubles.
> https://bugs.squid-cache.org/show_bug.cgi?id=4847
> https://github.com/squid-cache/squid/pull/191
>
> Also, according to my 2015 notes, server_cert_fingerprint happens to be
> case sensitive. I consider that a bug. I am not sure, but I think Squid
> expects uppercase hex letters (if any). I do not know whether that has
> been fixed.
>
>
> Finally, it is dangerous to list ACL parameter options like -sha1 in
> front of parameter filename when that parameter file may contain its own
> parameter options. A reader may think that -sha1 in squid.conf
> overwrites, say, -sha256 in the parameter file, but that is not what
> probably will happen when Squid starts supporting both options.
>
> That consideration may actually be the reason why Squid rejects your
> first configuration sample (or perhaps it should be the reason even if
> it does not).
>
> I am sure there are use cases where the admin wants to apply one
> parameter option to the whole file, but the ambiguity is too dangerous
> to allow IMO. We should make the choice explicit.
>
>
> HTH,
>
> Alex.
>
>
>
>
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

squid.conf (7K) Download Attachment
Alex Rousskov
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Alex Rousskov
On 1/27/21 11:45 AM, Eliezer Croitoru wrote:

> I'm not sure I understood hat these errorcde and error detai.

FWIW, access log fields are configured using logformat %codes. Search
squid.conf.documented for the words "err_code" and "err_detail" (no quotes).


> acl tls_to_splice any-of ... NoBump_certificate_fingerprint

> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2

> ssl_bump peek tls_s1_connect
> ssl_bump splice tls_to_splice
> ssl_bump stare tls_s2_client_hello
> ssl_bump bump tls_to_bump

Bugs notwithstanding, the NoBump_certificate_fingerprint ACL will never
match in the above configuration AFAICT:

* step1 is excluded by the earlier "peek if tls_s1_connect" rule. The
server certificate is not yet available during that step anyway.

* step2 is reachable for a "splice" action, but the server certificate
is still not yet available during that step.

* step3 is unreachable for a "splice" action because the only non-final
action during step2 is "stare". Starting precludes splicing.


HTH,

Alex.


> -----Original Message-----
> From: Alex Rousskov <[hidden email]>
> Sent: Wednesday, January 27, 2021 5:12 PM
> To: Eliezer Croitoru <[hidden email]>; [hidden email]
> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>
> On 1/26/21 2:09 AM, Eliezer Croitoru wrote:
>
>> I'm trying to understand what I'm doing wrong in the config that stil
>> lets edition.cnn.com be decrypted instead of spliced?
>
> If you still need help, please share the relevant parts of your
> configuration and logs. I would start with ssl_bump rules and access log
> records containing additional %error_code/%err_detail fields.
>
> Alex.
>
>
>
>> -----Original Message-----
>> From: Alex Rousskov <[hidden email]>
>> Sent: Tuesday, January 26, 2021 6:22 AM
>> To: Eliezer Croitoru <[hidden email]>; [hidden email]
>> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>>
>> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>>> I'm trying to use:
>>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>>
>>>
>>> I have cerated the next file:
>>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>>
>>> And trying to use the next line:
>>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>>
>>> To be explicit despite that only sha1 is a valid checksum.
>>> Squid doesn't accept the above line
>>
>>
>> Does not accept how? What is the error message?
>>
>>
>>> but this one yes:
>>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>
>>> Is there a reason for that?
>>
>>
>> The use of ACL options and ACL parameter options is poorly documented.
>>
>> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
>> says that server_cert_fingerprint is still broken. Not sure whether that
>> was true, whether some other commit has fixed that ACL, and whether the
>> problem mentioned in the commit message is related to your troubles.
>> https://bugs.squid-cache.org/show_bug.cgi?id=4847
>> https://github.com/squid-cache/squid/pull/191
>>
>> Also, according to my 2015 notes, server_cert_fingerprint happens to be
>> case sensitive. I consider that a bug. I am not sure, but I think Squid
>> expects uppercase hex letters (if any). I do not know whether that has
>> been fixed.
>>
>>
>> Finally, it is dangerous to list ACL parameter options like -sha1 in
>> front of parameter filename when that parameter file may contain its own
>> parameter options. A reader may think that -sha1 in squid.conf
>> overwrites, say, -sha256 in the parameter file, but that is not what
>> probably will happen when Squid starts supporting both options.
>>
>> That consideration may actually be the reason why Squid rejects your
>> first configuration sample (or perhaps it should be the reason even if
>> it does not).
>>
>> I am sure there are use cases where the admin wants to apply one
>> parameter option to the whole file, but the ambiguity is too dangerous
>> to allow IMO. We should make the choice explicit.
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
>>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Eliezer Croitoru-3
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Eliezer Croitoru-3
First thanks it helps.
The next thing is that I am still missing a way to make this work with the fingerprint.
We first need to know the fingerprint but when squid "knows" about it, it's already too late.
In what config scenario can it work?

Eliezer

* The error code are irrelevant since there aren't any errors.

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: Alex Rousskov <[hidden email]>
Sent: Wednesday, January 27, 2021 8:43 PM
To: [hidden email]
Cc: Eliezer Croitoru <[hidden email]>
Subject: Re: [squid-users] acl aclname server_cert_fingerprint

On 1/27/21 11:45 AM, Eliezer Croitoru wrote:

> I'm not sure I understood hat these errorcde and error detai.

FWIW, access log fields are configured using logformat %codes. Search
squid.conf.documented for the words "err_code" and "err_detail" (no quotes).


> acl tls_to_splice any-of ... NoBump_certificate_fingerprint

> acl tls_s1_connect at_step SslBump1
> acl tls_s2_client_hello at_step SslBump2

> ssl_bump peek tls_s1_connect
> ssl_bump splice tls_to_splice
> ssl_bump stare tls_s2_client_hello
> ssl_bump bump tls_to_bump

Bugs notwithstanding, the NoBump_certificate_fingerprint ACL will never
match in the above configuration AFAICT:

* step1 is excluded by the earlier "peek if tls_s1_connect" rule. The
server certificate is not yet available during that step anyway.

* step2 is reachable for a "splice" action, but the server certificate
is still not yet available during that step.

* step3 is unreachable for a "splice" action because the only non-final
action during step2 is "stare". Starting precludes splicing.


HTH,

Alex.


> -----Original Message-----
> From: Alex Rousskov <[hidden email]>
> Sent: Wednesday, January 27, 2021 5:12 PM
> To: Eliezer Croitoru <[hidden email]>; [hidden email]
> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>
> On 1/26/21 2:09 AM, Eliezer Croitoru wrote:
>
>> I'm trying to understand what I'm doing wrong in the config that stil
>> lets edition.cnn.com be decrypted instead of spliced?
>
> If you still need help, please share the relevant parts of your
> configuration and logs. I would start with ssl_bump rules and access log
> records containing additional %error_code/%err_detail fields.
>
> Alex.
>
>
>
>> -----Original Message-----
>> From: Alex Rousskov <[hidden email]>
>> Sent: Tuesday, January 26, 2021 6:22 AM
>> To: Eliezer Croitoru <[hidden email]>; [hidden email]
>> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>>
>> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>>> I'm trying to use:
>>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>>
>>>
>>> I have cerated the next file:
>>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>>
>>> And trying to use the next line:
>>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>>
>>> To be explicit despite that only sha1 is a valid checksum.
>>> Squid doesn't accept the above line
>>
>>
>> Does not accept how? What is the error message?
>>
>>
>>> but this one yes:
>>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>
>>> Is there a reason for that?
>>
>>
>> The use of ACL options and ACL parameter options is poorly documented.
>>
>> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
>> says that server_cert_fingerprint is still broken. Not sure whether that
>> was true, whether some other commit has fixed that ACL, and whether the
>> problem mentioned in the commit message is related to your troubles.
>> https://bugs.squid-cache.org/show_bug.cgi?id=4847
>> https://github.com/squid-cache/squid/pull/191
>>
>> Also, according to my 2015 notes, server_cert_fingerprint happens to be
>> case sensitive. I consider that a bug. I am not sure, but I think Squid
>> expects uppercase hex letters (if any). I do not know whether that has
>> been fixed.
>>
>>
>> Finally, it is dangerous to list ACL parameter options like -sha1 in
>> front of parameter filename when that parameter file may contain its own
>> parameter options. A reader may think that -sha1 in squid.conf
>> overwrites, say, -sha256 in the parameter file, but that is not what
>> probably will happen when Squid starts supporting both options.
>>
>> That consideration may actually be the reason why Squid rejects your
>> first configuration sample (or perhaps it should be the reason even if
>> it does not).
>>
>> I am sure there are use cases where the admin wants to apply one
>> parameter option to the whole file, but the ambiguity is too dangerous
>> to allow IMO. We should make the choice explicit.
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> [hidden email]
>> http://lists.squid-cache.org/listinfo/squid-users
>>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Alex Rousskov
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Alex Rousskov
On 1/27/21 1:50 PM, Eliezer Croitoru wrote:

> I am still missing a way to make this work with the fingerprint.

I do not know what you are trying to accomplish (i.e. what "this" is).


> We first need to know the fingerprint but when squid "knows" about
> it, it's already too late. In what config scenario can it work?

Knowing the fingerprint (or any other server-sent detail!) is indeed not
useful for making bump-vs-splice decisions. Fingerprint knowledge can be
useful for many other decisions, including whether to allow an HTTP
request, whether to cache an HTTP response, and whether to terminate a
TLS connection.


HTH,

Alex.


> -----Original Message-----
> From: Alex Rousskov <[hidden email]>
> Sent: Wednesday, January 27, 2021 8:43 PM
> To: [hidden email]
> Cc: Eliezer Croitoru <[hidden email]>
> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>
> On 1/27/21 11:45 AM, Eliezer Croitoru wrote:
>
>> I'm not sure I understood hat these errorcde and error detai.
>
> FWIW, access log fields are configured using logformat %codes. Search
> squid.conf.documented for the words "err_code" and "err_detail" (no quotes).
>
>
>> acl tls_to_splice any-of ... NoBump_certificate_fingerprint
>
>> acl tls_s1_connect at_step SslBump1
>> acl tls_s2_client_hello at_step SslBump2
>
>> ssl_bump peek tls_s1_connect
>> ssl_bump splice tls_to_splice
>> ssl_bump stare tls_s2_client_hello
>> ssl_bump bump tls_to_bump
>
> Bugs notwithstanding, the NoBump_certificate_fingerprint ACL will never
> match in the above configuration AFAICT:
>
> * step1 is excluded by the earlier "peek if tls_s1_connect" rule. The
> server certificate is not yet available during that step anyway.
>
> * step2 is reachable for a "splice" action, but the server certificate
> is still not yet available during that step.
>
> * step3 is unreachable for a "splice" action because the only non-final
> action during step2 is "stare". Starting precludes splicing.
>
>
> HTH,
>
> Alex.
>
>
>> -----Original Message-----
>> From: Alex Rousskov <[hidden email]>
>> Sent: Wednesday, January 27, 2021 5:12 PM
>> To: Eliezer Croitoru <[hidden email]>; [hidden email]
>> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>>
>> On 1/26/21 2:09 AM, Eliezer Croitoru wrote:
>>
>>> I'm trying to understand what I'm doing wrong in the config that stil
>>> lets edition.cnn.com be decrypted instead of spliced?
>>
>> If you still need help, please share the relevant parts of your
>> configuration and logs. I would start with ssl_bump rules and access log
>> records containing additional %error_code/%err_detail fields.
>>
>> Alex.
>>
>>
>>
>>> -----Original Message-----
>>> From: Alex Rousskov <[hidden email]>
>>> Sent: Tuesday, January 26, 2021 6:22 AM
>>> To: Eliezer Croitoru <[hidden email]>; [hidden email]
>>> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>>>
>>> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>>>> I'm trying to use:
>>>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>>>
>>>>
>>>> I have cerated the next file:
>>>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>>>
>>>> And trying to use the next line:
>>>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>>>
>>>> To be explicit despite that only sha1 is a valid checksum.
>>>> Squid doesn't accept the above line
>>>
>>>
>>> Does not accept how? What is the error message?
>>>
>>>
>>>> but this one yes:
>>>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>>
>>>> Is there a reason for that?
>>>
>>>
>>> The use of ACL options and ACL parameter options is poorly documented.
>>>
>>> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
>>> says that server_cert_fingerprint is still broken. Not sure whether that
>>> was true, whether some other commit has fixed that ACL, and whether the
>>> problem mentioned in the commit message is related to your troubles.
>>> https://bugs.squid-cache.org/show_bug.cgi?id=4847
>>> https://github.com/squid-cache/squid/pull/191
>>>
>>> Also, according to my 2015 notes, server_cert_fingerprint happens to be
>>> case sensitive. I consider that a bug. I am not sure, but I think Squid
>>> expects uppercase hex letters (if any). I do not know whether that has
>>> been fixed.
>>>
>>>
>>> Finally, it is dangerous to list ACL parameter options like -sha1 in
>>> front of parameter filename when that parameter file may contain its own
>>> parameter options. A reader may think that -sha1 in squid.conf
>>> overwrites, say, -sha256 in the parameter file, but that is not what
>>> probably will happen when Squid starts supporting both options.
>>>
>>> That consideration may actually be the reason why Squid rejects your
>>> first configuration sample (or perhaps it should be the reason even if
>>> it does not).
>>>
>>> I am sure there are use cases where the admin wants to apply one
>>> parameter option to the whole file, but the ambiguity is too dangerous
>>> to allow IMO. We should make the choice explicit.
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Eliezer Croitoru-3
Reply | Threaded
Open this post in threaded view
|

Re: acl aclname server_cert_fingerprint

Eliezer Croitoru-3
Thanks Alex,

I had a bit trouble understanding while now it seems more clear.
I was a bit confused with the certificate validator.
I got the terminology a bit confused but now it's much clear to me.

Not directly related I hope I can write the relevant validator code.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: Alex Rousskov <[hidden email]>
Sent: Wednesday, January 27, 2021 10:07 PM
To: [hidden email]
Cc: Eliezer Croitoru <[hidden email]>
Subject: Re: [squid-users] acl aclname server_cert_fingerprint

On 1/27/21 1:50 PM, Eliezer Croitoru wrote:

> I am still missing a way to make this work with the fingerprint.

I do not know what you are trying to accomplish (i.e. what "this" is).


> We first need to know the fingerprint but when squid "knows" about
> it, it's already too late. In what config scenario can it work?

Knowing the fingerprint (or any other server-sent detail!) is indeed not
useful for making bump-vs-splice decisions. Fingerprint knowledge can be
useful for many other decisions, including whether to allow an HTTP
request, whether to cache an HTTP response, and whether to terminate a
TLS connection.


HTH,

Alex.


> -----Original Message-----
> From: Alex Rousskov <[hidden email]>
> Sent: Wednesday, January 27, 2021 8:43 PM
> To: [hidden email]
> Cc: Eliezer Croitoru <[hidden email]>
> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>
> On 1/27/21 11:45 AM, Eliezer Croitoru wrote:
>
>> I'm not sure I understood hat these errorcde and error detai.
>
> FWIW, access log fields are configured using logformat %codes. Search
> squid.conf.documented for the words "err_code" and "err_detail" (no quotes).
>
>
>> acl tls_to_splice any-of ... NoBump_certificate_fingerprint
>
>> acl tls_s1_connect at_step SslBump1
>> acl tls_s2_client_hello at_step SslBump2
>
>> ssl_bump peek tls_s1_connect
>> ssl_bump splice tls_to_splice
>> ssl_bump stare tls_s2_client_hello
>> ssl_bump bump tls_to_bump
>
> Bugs notwithstanding, the NoBump_certificate_fingerprint ACL will never
> match in the above configuration AFAICT:
>
> * step1 is excluded by the earlier "peek if tls_s1_connect" rule. The
> server certificate is not yet available during that step anyway.
>
> * step2 is reachable for a "splice" action, but the server certificate
> is still not yet available during that step.
>
> * step3 is unreachable for a "splice" action because the only non-final
> action during step2 is "stare". Starting precludes splicing.
>
>
> HTH,
>
> Alex.
>
>
>> -----Original Message-----
>> From: Alex Rousskov <[hidden email]>
>> Sent: Wednesday, January 27, 2021 5:12 PM
>> To: Eliezer Croitoru <[hidden email]>; [hidden email]
>> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>>
>> On 1/26/21 2:09 AM, Eliezer Croitoru wrote:
>>
>>> I'm trying to understand what I'm doing wrong in the config that stil
>>> lets edition.cnn.com be decrypted instead of spliced?
>>
>> If you still need help, please share the relevant parts of your
>> configuration and logs. I would start with ssl_bump rules and access log
>> records containing additional %error_code/%err_detail fields.
>>
>> Alex.
>>
>>
>>
>>> -----Original Message-----
>>> From: Alex Rousskov <[hidden email]>
>>> Sent: Tuesday, January 26, 2021 6:22 AM
>>> To: Eliezer Croitoru <[hidden email]>; [hidden email]
>>> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
>>>
>>> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>>>> I'm trying to use:
>>>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>>>
>>>>
>>>> I have cerated the next file:
>>>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>>>
>>>> And trying to use the next line:
>>>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>>>
>>>> To be explicit despite that only sha1 is a valid checksum.
>>>> Squid doesn't accept the above line
>>>
>>>
>>> Does not accept how? What is the error message?
>>>
>>>
>>>> but this one yes:
>>>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>>>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>>
>>>> Is there a reason for that?
>>>
>>>
>>> The use of ACL options and ACL parameter options is poorly documented.
>>>
>>> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
>>> says that server_cert_fingerprint is still broken. Not sure whether that
>>> was true, whether some other commit has fixed that ACL, and whether the
>>> problem mentioned in the commit message is related to your troubles.
>>> https://bugs.squid-cache.org/show_bug.cgi?id=4847
>>> https://github.com/squid-cache/squid/pull/191
>>>
>>> Also, according to my 2015 notes, server_cert_fingerprint happens to be
>>> case sensitive. I consider that a bug. I am not sure, but I think Squid
>>> expects uppercase hex letters (if any). I do not know whether that has
>>> been fixed.
>>>
>>>
>>> Finally, it is dangerous to list ACL parameter options like -sha1 in
>>> front of parameter filename when that parameter file may contain its own
>>> parameter options. A reader may think that -sha1 in squid.conf
>>> overwrites, say, -sha256 in the parameter file, but that is not what
>>> probably will happen when Squid starts supporting both options.
>>>
>>> That consideration may actually be the reason why Squid rejects your
>>> first configuration sample (or perhaps it should be the reason even if
>>> it does not).
>>>
>>> I am sure there are use cases where the admin wants to apply one
>>> parameter option to the whole file, but the ambiguity is too dangerous
>>> to allow IMO. We should make the choice explicit.
>>>
>>>
>>> HTH,
>>>
>>> Alex.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> [hidden email]
>>> http://lists.squid-cache.org/listinfo/squid-users
>>>

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Free forum by Nabble Edit this page