how to configure squid to check server certificate?


how to configure squid to check server certificate?

GeorgeShen

Is there a way, not using ssl-bump, for Squid to verify that the remote server's
certificate is signed by some well-known CA or is self-signed? Does that
change if the server is running TLS 1.2 or 1.3?

thanks.
George



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: how to configure squid to check server certificate?

Amos Jeffries
Administrator
On 1/03/20 3:57 pm, GeorgeShen wrote:
>
> Is there a way, not using ssl-bump, on squid to verify the remote server has
> the certificate signed by some well-known CA or self-signed?

What are you trying to do exactly?

All root CAs are self-signed, even the "well-known" ones. It is just a
matter of who did the self-sign.

So the answer you need may be one of several things - which may not even
involve cert inspection.


> does that
> change if the server is running TLS 1.2 or 1.3?
>

No.

Amos

Re: how to configure squid to check server certificate?

GeorgeShen

Sorry, I should have said 'trusted self-signed' CA vs non-trusted. I was in
one enterprise that uses a proxy server; when I went to a non-trusted CA
server, I got a TLS handshaking error, but it worked fine when going to a
'trusted' CA server. And I know my connection on the proxy was not
SSL-Bump. I was trying to see how the proxy server decides whether a server is
trusted vs non-trusted in splice. If I were going to implement this on
Squid, how would I configure such a policy?

thanks.
George




Re: how to configure squid to check server certificate?

Amos Jeffries
Administrator
On 2/03/20 11:32 am, GeorgeShen wrote:
>
> Sorry, I should have said 'Trusted self-signed' CA vs non-Trusted. I was in
> one enterprise, they use proxy server, when I went to a non-trusted CA
> server, I got TLS handshaking error; but it worked fine when going to a
> 'trusted' CA server. And I know my connection on the proxy was not a
> SSL-Bump. I was trying to see how does the proxy server decide a server is a
> trusted, vs non-trusted in splice. If I were going to implement this on the
> squid, how to configure such a policy.
>

*IF* that error was from the proxy and the proxy was a Squid, then it
can be done at step 3 with a helper after a peek or stare at step 2.

There should not need to be anything configured though. Rejecting
unknown root CAs is how TLS is designed to work. With splice the error
should be produced by your UA/Browser.

Amos

Re: how to configure squid to check server certificate?

GeorgeShen
>There should not need to be anything configured though. Rejecting
>unknown root CAs is how TLS is designed to work. With splice the error
>should be produced by your UA/Browser.

Although the client I have has the root cert of that untrusted CA from the
server, it still gets the TLS handshaking error, so it was not the client locally
rejecting it. Does that change anything regarding the splice operation not
needing any configuration for that operation (if it's a Squid)?

thanks.
George




Re: how to configure squid to check server certificate?

Amos Jeffries
Administrator
On 4/03/20 2:02 pm, GeorgeShen wrote:
>> There should not need to be anything configured though. Rejecting
>> unknown root CAs is how TLS is designed to work. With splice the error
>> should be produced by your UA/Browser.
>
> Although the client I have has the root cert of that untrusted CA from
> server but getting the TLS handshaking error, it was not the client locally
> rejects that. Does that change anything regarding the splice operation does
> not need any configure for that operation (if it's a squid)?

Splice means Squid has decided to have no part in the TLS or any of the
traffic. It blindly relays the exact bytes between client and upstream
server.

If Squid is doing *anything* to alter those bytes it is not splicing. It
is performing one of: stare, bump, terminate, or client-first.


Amos

Re: how to configure squid to check server certificate?

GeorgeShen

Understood, not altering the bytes. My question is simple:
if using Squid to do a splicing proxy action on HTTPS sessions, is there a
Squid configuration to block/drop the session if the remote server's
certificate is signed by an 'untrusted' CA?

thanks.
George




Re: how to configure squid to check server certificate?

Amos Jeffries
Administrator
On 13/03/20 12:44 pm, GeorgeShen wrote:
>
> Understood. not altering the bytes. My question is simple:
> if using squid to do splicing proxy action of https sessions, is there a
> squid configuration to block/drop the session if the remote server's
> certificate is signed by a 'untrusted' CA?


You should be able to do something like this:

 ssl_bump peek all
 ssl_bump terminate ssl::certUntrusted
 ssl_bump splice all

I have not tried that myself, so I'm not sure if it would terminate on
client certs.


Amos
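A fuller squid.conf fragment built around the three rules Amos sketched, as an added example (not his tested configuration or anything from the Squid project). It assumes Squid 4 or later, a locally generated CA pair at the placeholder paths /etc/squid/ssl/proxy-ca.pem and proxy-ca.key, and the distribution's CA bundle at /etc/ssl/certs/ca-certificates.crt.

```squid
# Added example, not Amos's tested config. Assumes Squid 4+ and a local
# CA pair at the placeholder paths below; an ssl-bump port needs a
# certificate even when Squid only ever peeks, splices or terminates.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/proxy-ca.pem \
    tls-key=/etc/squid/ssl/proxy-ca.key

# Trust anchors Squid uses to validate the *upstream* server certificate.
# An enterprise-internal root must be in this bundle; anything that does
# not chain to it is "untrusted" from Squid's point of view, regardless
# of what the client has installed locally.
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt

# Do not waive validation errors (this is the default, stated explicitly
# so that a later "allow" line cannot silently undo the policy).
sslproxy_cert_error deny all

# Name the SslBump steps so each action is applied only where it is valid.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: read the client's ClientHello (SNI) without altering it.
ssl_bump peek step1
# Step 2: read the server's certificate; Squid validates it against cafile.
ssl_bump peek step2
# Step 3: ssl::certUntrusted is a built-in ACL that matches when that
# validation failed on the trust chain. Terminate closes both connections.
ssl_bump terminate ssl::certUntrusted
# Everything else is relayed byte-for-byte, which is what splice means.
ssl_bump splice all
```

Because the decision is only possible after Squid has seen the server's certificate, the client observes a closed connection rather than its own certificate warning, which is the behaviour George described.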

Re: how to configure squid to check server certificate?

GeorgeShen
Thanks, Amos.

- George


