squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

Berger J Nicklas
Hello,
I want to start by saying I'm new to working with squid, so bear with me. At my company we are trying to use squid as an egress solution for our servers running in AWS.
We need to have a whitelisting function in place.

HTTP works fine but not HTTPS.

When trying to run curl from another server using squid to access internet we receive this message:
# curl https://microsoft.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

When checking the squid cache log file this is showing:

# tail -f /var/log/squid/cache.log
2019/11/20 08:25:01 kid1| HTCP Disabled.
2019/11/20 08:25:01 kid1| Squid plugin modules loaded: 0
2019/11/20 08:25:01 kid1| Adaptation support is off.
2019/11/20 08:25:01 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 23 flags=9
2019/11/20 08:25:01 kid1| Accepting NAT intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 24 flags=41
2019/11/20 08:25:01 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3130 remote=[::] FD 25 flags=41
2019/11/20 08:25:02 kid1| storeLateRelease: released 0 objects
security_file_certgen helper database '/var/spool/squid/ssl_db' failed: Failed to open file /var/spool/squid/ssl_db/index.txt
2019/11/20 08:25:10 kid1| Error negotiating SSL connection on FD 12: error:00000001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:12 kid1| Error negotiating SSL connection on FD 12: error:00000001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:14 kid1| Error negotiating SSL connection on FD 12: error:00000001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:19 kid1| Error negotiating SSL connection on FD 12: error:00000001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:19 kid1| Error negotiating SSL connection on FD 12: error:00000001:lib(0):func(0):reason(1) (1/0)
2019/11/20 08:25:20 kid1| Error negotiating SSL connection on FD 12: error:00000001:lib(0):func(0):reason(1) (1/0)

The squid.conf looks like this:

#acl localnet src 10.0.0.0/8
visible_hostname centos-squid-4.1

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


acl allowed_http_sites dstdomain .microsoft.com
acl allowed_http_sites dstdomain .google.com
acl allowed_http_sites dstdomain .redhat.com


http_access allow allowed_http_sites Safe_ports
http_port 3128
http_port 3129 intercept

#SSL Settings
acl allowed_https_sites dstdomain .microsoft.com

http_access allow CONNECT allowed_https_sites
options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/fredrik_cert/squid.pem key=/etc/squid/fredrik_cert/squid.key options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

# And finally deny all other access to this proxy
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
#refresh_pattern .


acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

cache_mem 1024 MB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump bump all

Please assist me!
Nick


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

Alex Rousskov
On 11/20/19 3:31 AM, Berger J Nicklas wrote:

> squid 4.1

Start by upgrading to the latest Squid v4 available.


> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain

What was Squid trying to tell curl? Was Squid sending an error response?
Tell curl to run --insecure to find out what happened.


> security_file_certgen helper database '/var/spool/squid/ssl_db' failed:
> Failed to open file /var/spool/squid/ssl_db/index.txt

You should fix this. Perhaps you did not initialize the database (see
"man security_file_certgen")? Or perhaps the permissions are wrong
(check them using something like "ls -Rla /var/spool/squid/ssl_db")?

> acl allowed_http_sites dstdomain .microsoft.com
> acl allowed_http_sites dstdomain .google.com
> acl allowed_http_sites dstdomain .redhat.com

> http_access allow allowed_http_sites Safe_ports

This allows CONNECT to port 80, which is probably not what you want. See
squid.conf.default for the recommended layout of https_access rules.


> #SSL Settings
> acl allowed_https_sites dstdomain .microsoft.com

Do not add one site twice.


> http_access allow CONNECT allowed_https_sites

This allows CONNECT to any port of the allowed_https_sites. See
squid.conf.default for the recommended layout of https_access rules.


> options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

A copy-paste typo? There is no "options=..." directive.


> http_access deny all
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

The last two lines are unreachable. You probably want to review how
http_access (and most other) ACL-driven directives work, including the
"first match ends the search" rule.

> ssl_bump peek step1 all
> ssl_bump peek step2 allowed_https_sites
> ssl_bump splice step2 allowed_https_sites
> ssl_bump splice step3 allowed_https_sites
> ssl_bump terminate step2 all
> ssl_bump bump all

To learn how ssl_bump rules work, please see
https://wiki.squid-cache.org/Features/SslPeekAndSplice

AFAICT, the above rules are equivalent to:

  ssl_bump peek step1
  ssl_bump peek step2 allowed_https_sites
  ssl_bump terminate step2
  ssl_bump splice all

or, roughly speaking, "splice allowed_https_sites (after peeking at
their server) and terminate everything else (ASAP)"

... which is rather different from what the original rules may have
tried to accomplish (whatever that was).


HTH,

Alex.
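Added here as an illustration of the "first match ends the search" behaviour Alex describes; this is a constructed Python model, not Squid's code and not from anyone on this thread. It loads the ACLs and the http_access lines from the original squid.conf, reports which line decides each sample request, lists the lines that can never be reached, and contrasts that with a reordering that follows the squid.conf.default layout (port sanity checks first, the site allow-list, then deny all). The ACL types modelled, the sample requests, and the RECOMMENDED ordering are assumptions made for this example; the "no match means the opposite of the last line" rule is Squid's documented default for http_access.

```python
"""First-match model of Squid http_access evaluation (constructed teaching
example, not Squid code). Models only the ACL types used in the thread:
port, method, dstdomain and the built-in 'all'."""
from dataclasses import dataclass


@dataclass
class Request:
    method: str   # e.g. "GET" or "CONNECT"
    host: str     # destination host name
    port: int     # destination port


# ACL table, name -> (type, values), copied from the original poster's config.
ACLS = {
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
    "SSL_ports": ("port", ["443"]),
    "CONNECT": ("method", ["CONNECT"]),
    "allowed_http_sites": ("dstdomain", [".microsoft.com", ".google.com", ".redhat.com"]),
    "allowed_https_sites": ("dstdomain", [".microsoft.com"]),
    "all": ("all", []),
}


def domain_matches(pattern, host):
    # dstdomain: ".example.com" matches example.com and every subdomain,
    # "example.com" (no leading dot) matches that exact name only.
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def port_matches(spec, port):
    # A port ACL value is a single port "80" or a range "1025-65535".
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "method":
        return req.method in values
    if kind == "port":
        return any(port_matches(v, req.port) for v in values)
    if kind == "dstdomain":
        return any(domain_matches(v, req.host) for v in values)
    raise ValueError(f"unsupported ACL type {kind!r}")


def term_matches(term, req):
    # A leading "!" negates the ACL on that line.
    negated = term.startswith("!")
    return acl_matches(term.lstrip("!"), req) != negated


def http_access(rules, req):
    """Return (decision, index of the deciding line). Rules are (action, [terms]).
    Every term on a line must match; the first matching line ends the search.
    If no line matches, Squid applies the opposite of the last line's action."""
    for i, (action, terms) in enumerate(rules):
        if all(term_matches(t, req) for t in terms):
            return action, i
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def unreachable_rules(rules):
    """Indices of lines shadowed by an earlier line whose only ACL is 'all'.
    A simplification: real shadowing can also come from overlapping ACLs."""
    for i, (_, terms) in enumerate(rules):
        if terms and all(t == "all" for t in terms):
            return list(range(i + 1, len(rules)))
    return []


# The original poster's http_access lines, in file order.
ORIGINAL = [
    ("allow", ["allowed_http_sites", "Safe_ports"]),
    ("allow", ["CONNECT", "allowed_https_sites"]),
    ("deny", ["all"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
]

# Assumed reordering following the squid.conf.default layout.
RECOMMENDED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["allowed_http_sites"]),
    ("deny", ["all"]),
]


if __name__ == "__main__":
    # Constructed sample requests.
    probes = [Request("CONNECT", "www.microsoft.com", 80),
              Request("CONNECT", "microsoft.com", 22),
              Request("GET", "example.com", 80)]
    for r in probes:
        print(r, "original:", http_access(ORIGINAL, r),
              "recommended:", http_access(RECOMMENDED, r))
    print("unreachable lines in original:", unreachable_rules(ORIGINAL))
```

Running it shows the two points from the reply: with the original order, `CONNECT www.microsoft.com:80` is allowed by line 0 and `CONNECT microsoft.com:22` by line 1, while lines 3 and 4 can never match because `deny all` precedes them; with the port checks moved first, CONNECT to a non-SSL port is refused before any site rule is consulted.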

Re: squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"

Berger J Nicklas
A colleague provided this squid.conf and now https is working fine with curl as well!

visible_hostname localhost

# Handling HTTP requests
http_port 3128
http_port 3129 intercept

acl allowed_http_sites dstdomain .microsoft.com
acl allowed_http_sites dstdomain .google.com
acl allowed_http_sites dstdomain .redhat.com


http_access allow allowed_http_sites

# Handling HTTPS requests
acl SSL_port port 443
http_access allow SSL_port

acl allowed_https_sites ssl::server_name .microsoft.com
acl allowed_https_sites ssl::server_name .google.com
acl allowed_https_sites ssl::server_name .redhat.com

https_port 3130 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate

http_access deny all

From: squid-users <[hidden email]> on behalf of Alex Rousskov <[hidden email]>
Sent: Wednesday, November 20, 2019 17:43
To: [hidden email] <[hidden email]>
Subject: Re: [squid-users] squid 4.1 transparent https issue "curl: (60) SSL certificate problem: self signed certificate in certificate chain"
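Added as an illustration of how the ssl_bump lines in this thread behave across the three SslBump steps; this is a constructed Python model, not Squid's code and not from the thread's authors. It replays a single intercepted TLS connection through the original poster's rules, through Alex's four-line reading of them, and through the colleague's working rules, and checks that all three make the same decision: peek at step 1, peek at step 2 for an allow-listed server name, splice it at step 3, and terminate everything else at step 2. Assumptions: one shared allow-list is used for every rule set (the original only listed .microsoft.com), name-based ACLs (dstdomain or ssl::server_name) cannot match at step 1 because the client's SNI has not been peeked yet, and each list ends with a catch-all line as the ones on the thread do.

```python
"""Step-by-step model of Squid ssl_bump evaluation (constructed teaching
example, not Squid code). Each step re-runs the rule list from the top and
the first matching line decides; peek/stare move to the next step, any
other action is final for that connection."""

ALLOWED_SITES = [".microsoft.com", ".google.com", ".redhat.com"]  # constructed allow-list


def name_allowed(server_name):
    # ".example.com" matches example.com and every subdomain of it.
    name = server_name.lower().rstrip(".")
    return any(name == p[1:] or name.endswith(p) for p in ALLOWED_SITES)


def acl_matches(term, step, server_name):
    if term == "all":
        return True
    if term in ("step1", "step2", "step3"):     # acl stepN at_step SslBumpN
        return step == int(term[-1])
    if term == "allowed_https_sites":            # name-based ACL; SNI known from step 2 on
        return step >= 2 and name_allowed(server_name)
    raise ValueError(f"unknown ACL {term!r}")


def decide(rules, step, server_name):
    """First matching line wins at this step. Rules are (action, [acl terms]);
    a line with no terms matches unconditionally."""
    for action, terms in rules:
        if all(acl_matches(t, step, server_name) for t in terms):
            return action
    return None  # no catch-all line: Squid applies a default this model leaves out


def walk(rules, server_name):
    """Return the action chosen at each step until a final action is reached."""
    trace = []
    for step in (1, 2, 3):
        action = decide(rules, step, server_name)
        trace.append(action)
        if action not in ("peek", "stare"):
            break
    return trace


def equivalent(rules_a, rules_b, server_names):
    """True when both lists produce the same trace for every sample name."""
    return all(walk(rules_a, n) == walk(rules_b, n) for n in server_names)


# Original poster's ssl_bump lines in file order (the final 'bump all' sat
# after other directives in the file but is part of the same list).
ORIGINAL_BUMP = [
    ("peek", ["step1", "all"]),
    ("peek", ["step2", "allowed_https_sites"]),
    ("splice", ["step2", "allowed_https_sites"]),
    ("splice", ["step3", "allowed_https_sites"]),
    ("terminate", ["step2", "all"]),
    ("bump", ["all"]),
]

# Alex's four-line reading of the same rules.
ALEX_EQUIVALENT = [
    ("peek", ["step1"]),
    ("peek", ["step2", "allowed_https_sites"]),
    ("terminate", ["step2"]),
    ("splice", ["all"]),
]

# The colleague's working rules from the last message.
FINAL = [
    ("peek", ["step1", "all"]),
    ("peek", ["step2", "allowed_https_sites"]),
    ("splice", ["step3", "allowed_https_sites"]),
    ("terminate", []),
]

SAMPLE_NAMES = ["www.microsoft.com", "example.com"]  # constructed SNI values


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, walk(ORIGINAL_BUMP, name), walk(ALEX_EQUIVALENT, name), walk(FINAL, name))
    print("original == Alex's reading:", equivalent(ORIGINAL_BUMP, ALEX_EQUIVALENT, SAMPLE_NAMES))
    print("original == working config:", equivalent(ORIGINAL_BUMP, FINAL, SAMPLE_NAMES))
```

Two things worth noticing from the traces. The `bump all` line in the original list is never reached, which is why the working config could drop it together with the `generate-host-certificates` machinery that curl was objecting to. And in the working config the name check lives only in `ssl_bump`, since `http_access allow SSL_port` admits any connection to port 443 first; the decision is therefore made on the SNI the client sends, so the allow-list holds exactly as far as that name can be trusted.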