can't access https://www.finanzamt.bayern.de/ with sslbump (other sites work well)


can't access https://www.finanzamt.bayern.de/ with sslbump (other sites work well)

Dieter Bloms-2
Hello,

I've compiled Squid 4.5 with OpenSSL 1.1 as shipped with Debian 9.
SSL-Bump works fine for all sites, but I can't access one site,
https://www.finanzamt.bayern.de/,
and don't know the reason.
SSL Labs gives "A".
Here are the squid compile options:

--snip--
Squid Cache: Version 4.5
Service Name: squid

This binary uses OpenSSL 1.1.0j  20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--libexecdir=${prefix}/lib/dv-squid4' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=65536' '--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-loadable-modules' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--enable-async-io=128' '--enable-auth' '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/usr/src/packages/BUILD=. -fstack-protector-strong -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/usr/src/packages/BUILD=. -fstack-protector-strong -Wformat -Werror=format-security' --enable-ltdl-convenience
--snip--

The access.log looks like:

--snip--
1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
1546962078.472      0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
--snip--

no entries in cache.log

Can anybody try this site to see whether it is my local installation or the webserver?

Thank you very much.


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: can't access https://www.finanzamt.bayern.de/ with sslbump (other sites work well)

Antony Stone
On Tuesday 08 January 2019 at 17:52:23, Dieter Bloms wrote:

> Hello,
>
> I've compiled Squid 4.5 with OpenSSL 1.1 as shipped with Debian 9.
> SSL-Bump works fine for all sites, but I can't access one site,
> https://www.finanzamt.bayern.de/

Given who that is, I would not be at all surprised if they've used SSL pinning
or similar to ensure that no form of MITM attack can be used to intercept data
between clients and their website.

I can't test for this (I don't use SSL bump myself), but I wouldn't be
surprised if the Bayern finance ministry is rather keen to avoid data
interception.

No doubt others here can comment further, or advise where to look for positive
confirmation of this theory.


Antony.

--
This email was created using 100% recycled electrons.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: can't access https://www.finanzamt.bayern.de/ with sslbump (other sites work well)

Amos Jeffries
On 9/01/19 5:52 am, Dieter Bloms wrote:
> Hello,
>
> I've compiled Squid 4.5 with OpenSSL 1.1 as shipped with Debian 9.
> SSL-Bump works fine for all sites, but I can't access one site,
> https://www.finanzamt.bayern.de/
> and don't know the reason.
> Ssllabs gives "A".

That means they are using "Good Practice" with their use of TLS. The
better they use TLS the less likely that SSL-Bump works.


...

> The access.log looks like:
>
> --snip--
> 1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
> 1546962078.472      0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
> --snip--
>
> no entries in cache.log
>
> Can anybody try this site to see whether it is my local installation, or the webserver.
>

Please check your cache.log and the 500-status error page message to
find out what the problem is. TLS is such a complicated system that it
is unlikely others will be able to see the reason your system is failing
with the very few details you have provided.


Amos
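As an added example (not from the thread or the Squid project): a small Python triage script over Squid native-format access.log records that flags the pattern in Dieter's log, a CONNECT tunnel followed within seconds by a 5xx that Squid generated itself (HIER_NONE, no upstream contacted), so affected hosts can be pulled out of a busy log before going to cache.log and the error page as Amos suggests. The sample records are the two from the thread plus constructed ones for a request that worked; the 5-second window and the client/host pairing are assumptions.

```python
import re

# Squid native access.log record: timestamp elapsed_ms client code/status bytes method url user hier/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Split one access.log record into named fields; None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = float(rec["ts"]), int(rec["status"])
    return rec

def host_of(rec):
    """Host the record refers to: the CONNECT target without its port, or the URL's host."""
    if rec["method"] == "CONNECT":
        return rec["url"].rsplit(":", 1)[0]
    m = re.match(r"https?://([^/:]+)", rec["url"])
    return m.group(1) if m else None

def find_bump_failures(lines, window=5.0):
    """Hosts where a client's CONNECT is followed within `window` seconds by a 5xx that
    Squid answered itself (HIER_NONE), the pattern the thread's access.log shows."""
    last_connect = {}  # (client, host) -> timestamp of that client's most recent CONNECT
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or (host := host_of(rec)) is None:
            continue
        key = (rec["client"], host)
        if rec["method"] == "CONNECT":
            last_connect[key] = rec["ts"]
        elif (rec["hier"] == "HIER_NONE" and 500 <= rec["status"] < 600
              and key in last_connect and rec["ts"] - last_connect[key] <= window):
            failures.append({"client": rec["client"], "host": host,
                             "status": rec["status"], "url": rec["url"]})
    return failures

# Constructed sample: the two records from the thread, then a bumped request that succeeded.
SAMPLE_LOG = """\
1546962078.461   4726 x.x.x.x NONE/200 0 CONNECT www.finanzamt.bayern.de:443 - HIER_DIRECT/193.34.207.31 -
1546962078.472      0 x.x.x.x NONE/500 8495 GET https://www.finanzamt.bayern.de/ - HIER_NONE/- text/html
1546962090.100    312 x.x.x.x NONE/200 0 CONNECT example.org:443 - HIER_DIRECT/203.0.113.10 -
1546962090.350    120 x.x.x.x TCP_MISS/200 5120 GET https://example.org/ - HIER_DIRECT/203.0.113.10 text/html
""".splitlines()
FAILURES = find_bump_failures(SAMPLE_LOG)  # -> one entry, host www.finanzamt.bayern.de, status 500
```

Run it against a real access.log with `find_bump_failures(open("/var/log/squid/access.log"))`; hosts it lists are the ones whose cache.log entries and generated error page are worth reading next.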

Re: can't access https://www.finanzamt.bayern.de/ with sslbump (other sites work well)

Rafael Akchurin
Hello Dieter,

Just for the record, I have no problems accessing that site using SSL-bumping, AD-integrated Squid 4.4 (coupled with the Web Safety ICAP filter, but that should not really matter). The Squid conf is more or less default, with the usual peek-and-splice (bump all) directives.

Best regards,
Rafael Akchurin
Diladele B.V.

