squid 4.5, can't download certificate?


squid 4.5, can't download certificate?

Dmitry Melekhov
Hello!

While accessing a site, I can't access it through ssl bump.

See in cache log:

2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)


In access log:

1547702300.945      0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html
1547702301.304     84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html


I can access the site directly from a browser.


Could you tell me why it doesn't work and how I can fix this?


Thank you!

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 4.5, can't download certificate?

Alex Rousskov
On 1/16/19 10:30 PM, Dmitry Melekhov wrote:

> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)


> In access log:

> 1547702300.945      0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html

> 1547702301.304     84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html

Your Squid (or some helper) appears to be adding an
"-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
resulting in a 404 response from that server. That suffix is not present
in the lkk-udm.esplus.ru certificate AFAICT:

> $ openssl x509 -in cert.pem -noout -text | fgrep http:
> URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
> CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
> OCSP - URI:http://ocsp.comodoca.com

Alex.

Re: squid 4.5, can't download certificate?

Dmitry Melekhov

17.01.2019 21:02, Alex Rousskov wrote:

> On 1/16/19 10:30 PM, Dmitry Melekhov wrote:
>
>> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
>
>> In access log:
>> 1547702300.945      0 192.168.22.229 NONE/503 329 GET https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/- text/html
>> 1547702301.304     84 - TCP_MISS/404 162 GET http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 - HIER_DIRECT/91.199.212.52 text/html
> Your Squid (or some helper) appears to be adding an
> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
> resulting in a 404 response from that server. That suffix is not present
> in the lkk-udm.esplus.ru certificate AFAICT:


Yes, I suspected this; there is no helper which can add this, as far as
I know. I'm out of office till Monday; I'll turn everything possible off
on Monday and retest,

but I don't think it is a helper...

Could you tell me: can squid add this and, if yes, how can I turn
this off?


Thank you!


>> $ openssl x509 -in cert.pem -noout -text | fgrep http:
>> URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
>> CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
>> OCSP - URI:http://ocsp.comodoca.com

Re: squid 4.5, can't download certificate?

Alex Rousskov
On 1/18/19 4:35 AM, Dmitry Melekhov wrote:

>
> 17.01.2019 21:02, Alex Rousskov wrote:
>> On 1/16/19 10:30 PM, Dmitry Melekhov wrote:
>>
>>> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55:
>>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
>>> verify failed (1/-1/0)
>>
>>> In access log:
>>> 1547702300.945      0 192.168.22.229 NONE/503 329 GET
>>> https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/-
>>> text/html
>>> 1547702301.304     84 - TCP_MISS/404 162 GET
>>> http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0
>>> - HIER_DIRECT/91.199.212.52 text/html
>> Your Squid (or some helper) appears to be adding an
>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>> resulting in a 404 response from that server.

> Yes, I suspected this, there is no helper which can add this, as far as
> I know

> can squid add this

Squid itself does not add non-trivial paths to URLs. If your Squid does
not have a URL rewriter or an adaptation service, and the certificate
your Squid receives does not contain that weird URL, then this is
probably a Squid bug such as using an "unterminated c-string" when
forming the request URL. If you can reproduce, it may be fairly easy to
distinguish bugs from helpers from certificates as the source of this
problem using an ALL,9 cache.log.

Alex.

Re: squid 4.5, can't download certificate?

Amos Jeffries
Administrator
On 19/01/19 4:31 am, Alex Rousskov wrote:

> On 1/18/19 4:35 AM, Dmitry Melekhov wrote:
>>
>> 17.01.2019 21:02, Alex Rousskov wrote:
>>> On 1/16/19 10:30 PM, Dmitry Melekhov wrote:
>>>
>>>> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55:
>>>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
>>>> verify failed (1/-1/0)
>>>
>>>> In access log:
>>>> 1547702300.945      0 192.168.22.229 NONE/503 329 GET
>>>> https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/-
>>>> text/html
>>>> 1547702301.304     84 - TCP_MISS/404 162 GET
>>>> http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0
>>>> - HIER_DIRECT/91.199.212.52 text/html
>>> Your Squid (or some helper) appears to be adding an
>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>> resulting in a 404 response from that server.
>
>> Yes, I suspected this, there is no helper which can add this, as far as
>> I know
>


These mangled URLs are the expected result of a URL-rewrite/redirector
helper written to use the long ago deprecated Squid-1.x version of the
helper protocol, being used in a Squid configured to allow whitespace in
URLs.

When those two features are combined there is no way for Squid to
identify garbage after the end of URL in helper 1.0 syntax response,
from a v2.x syntax response with whitespace in the URL.

Squid-3.5 and later are only backward compatible to the Squid-2.0 helper
protocol. The older syntax is no longer supported at all.


Details of the Squid helper protocol can be found at
<https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>.


Amos

Re: squid 4.5, can't download certificate?

Dmitry Melekhov
18.01.2019 21:08, Amos Jeffries wrote:

> On 19/01/19 4:31 am, Alex Rousskov wrote:
>> On 1/18/19 4:35 AM, Dmitry Melekhov wrote:
>>> 17.01.2019 21:02, Alex Rousskov wrote:
>>>> On 1/16/19 10:30 PM, Dmitry Melekhov wrote:
>>>>
>>>>> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55:
>>>>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
>>>>> verify failed (1/-1/0)
>>>>> In access log:
>>>>> 1547702300.945      0 192.168.22.229 NONE/503 329 GET
>>>>> https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/-
>>>>> text/html
>>>>> 1547702301.304     84 - TCP_MISS/404 162 GET
>>>>> http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0
>>>>> - HIER_DIRECT/91.199.212.52 text/html
>>>> Your Squid (or some helper) appears to be adding an
>>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>>> resulting in a 404 response from that server.
>>> Yes, I suspected this, there is no helper which can add this, as far as
>>> I know
>
> These mangled URLs are the expected result of a URL-rewrite/redirector
> helper written to use the long ago deprecated Squid-1.x version of
> helper protocol. Being used in a Squid configured to allow whitespace in
> URLs.
>
> When those two features are combined there is no way for Squid to
> identify garbage after the end of URL in helper 1.0 syntax response,
> from a v2.x syntax response with whitespace in the URL.
>
> Squid-3.5 and later are only backward compatible to the Squid-2.0 helper
> protocol. The older syntax is no longer supported at all.
>
>
> Details of the Squid helper protocol can be found at
> <https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>.
>


Thank you!

You are absolutely right.

This is redirector, if I disable it, everything works.

Will contact redirector developer.



> Amos



Re: squid 4.5, can't download certificate?

Dmitry Melekhov
21.01.2019 8:39, Dmitry Melekhov wrote:

> 18.01.2019 21:08, Amos Jeffries wrote:
>> On 19/01/19 4:31 am, Alex Rousskov wrote:
>>> On 1/18/19 4:35 AM, Dmitry Melekhov wrote:
>>>> 17.01.2019 21:02, Alex Rousskov wrote:
>>>>> On 1/16/19 10:30 PM, Dmitry Melekhov wrote:
>>>>>
>>>>>> 2019/01/17 09:18:21 kid1| ERROR: negotiating TLS on FD 55:
>>>>>> error:14090086:SSL routines:ssl3_get_server_certificate:certificate
>>>>>> verify failed (1/-1/0)
>>>>>> In access log:
>>>>>> 1547702300.945      0 192.168.22.229 NONE/503 329 GET
>>>>>> https://lkk-udm.esplus.ru/Services/Auth.asmx/Safe? dm HIER_NONE/-
>>>>>> text/html
>>>>>> 1547702301.304     84 - TCP_MISS/404 162 GET
>>>>>> http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff-GETmyip=-myport=0 
>>>>>>
>>>>>> - HIER_DIRECT/91.199.212.52 text/html
>>>>> Your Squid (or some helper) appears to be adding an
>>>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>>>> resulting in a 404 response from that server.
>>>> Yes, I suspected this, there is no helper which can add this, as
>>>> far as
>>>> I know
>>
>> These mangled URLs are the expected result of a URL-rewrite/redirector
>> helper written to use the long ago deprecated Squid-1.x version of
>> helper protocol. Being used in a Squid configured to allow whitespace in
>> URLs.
>>
>> When those two features are combined there is no way for Squid to
>> identify garbage after the end of URL in helper 1.0 syntax response,
>> from a v2.x syntax response with whitespace in the URL.
>>
>> Squid-3.5 and later are only backward compatible to the Squid-2.0 helper
>> protocol. The older syntax is no longer supported at all.
>>
>>
>> Details of the Squid helper protocol can be found at
>> <https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>.
>>
>
>
> Thank you!
>
> You are absolutely right.
>
> This is redirector, if I disable it, everything works.
>
> Will contact redirector developer.


There is a new rejik (rejik.ru) version; if somebody uses it, you can
solve this problem by upgrading.


Thank you!




Re: squid 4.5, can't download certificate?

Dmitry Melekhov


21.01.2019 14:30, Dmitry Melekhov wrote:
> Your Squid (or some helper) appears to be adding an
> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
> resulting in a 404 response from that server.
> Yes, I suspected this, there is no helper which can add this, as far as
> I know
>
> These mangled URLs are the expected result of a URL-rewrite/redirector
> helper written to use the long ago deprecated Squid-1.x version of
> helper protocol. Being used in a Squid configured to allow whitespace in
> URLs.
>
> When those two features are combined there is no way for Squid to
> identify garbage after the end of URL in helper 1.0 syntax response,
> from a v2.x syntax response with whitespace in the URL.
>
> Squid-3.5 and later are only backward compatible to the Squid-2.0 helper
> protocol. The older syntax is no longer supported at all.
>
> Details of the Squid helper protocol can be found at
> <https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>.
>
> Thank you!
>
> You are absolutely right.
>
> This is redirector, if I disable it, everything works.
>
> Will contact redirector developer.
>
> There is a new rejik (rejik.ru) version; if somebody uses it, you can solve this problem by upgrading.


btw, according to the redirector developer, the problem is a lack of IPv6 support.

Are there any reasons squid sends ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff to the redirector?


Thank you!




Re: squid 4.5, can't download certificate?

Alex Rousskov
On 1/21/19 9:08 AM, Dmitry Melekhov wrote:

>> Your Squid (or some helper) appears to be adding an
>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>> resulting in a 404 response from that server.

> Is there any reasons squid sends ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> to redirector?

What Squid logformat %code or url_rewrite_extras %code does that address
come from? Should the corresponding request have that address? For
example, internally-generated requests do not have HTTP client addresses.

Will the redirector work if that address is sent as a "-" instead of
"ff...fff"?


Cheers,

Alex.

Re: squid 4.5, can't download certificate?

Dmitry Melekhov
21.01.2019 22:29, Alex Rousskov wrote:
> On 1/21/19 9:08 AM, Dmitry Melekhov wrote:
>
>>> Your Squid (or some helper) appears to be adding an
>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>> resulting in a 404 response from that server.
>> Is there any reasons squid sends ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>> to redirector?
> What Squid logformat %code or url_rewrite_extras %code does that address
> come from?


default in my case

>   Should the corresponding request have that address? For
> example, internally-generated requests do not have HTTP client addresses.
>
> Will the redirector work if that address is sent as a "-" instead of
> "ff...fff"?

The rejik redirector developer thinks it's better to use 127.0.0.1 as the squid
address,

but said that this is squid's preference...

You can read the discussion here,
https://rejik.ru/bb_rus/viewtopic.php?f=1&t=1979, in Russian.

Thank you!




Re: squid 4.5, can't download certificate?

Alex Rousskov
On 1/21/19 10:52 PM, Dmitry Melekhov wrote:
> 21.01.2019 22:29, Alex Rousskov wrote:
>>>> Your Squid (or some helper) appears to be adding an
>>>> "-/ffff...GETmyip=-myport=0" suffix to the crt.sectigo.com URL,
>>>> resulting in a 404 response from that server.

>>> Is there any reasons squid sends ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
>>> to redirector?

>> What Squid logformat %code or url_rewrite_extras %code does that address
>> come from?

> default on my case

>> Should the corresponding request have that address? For
>> example, internally-generated requests do not have HTTP client addresses.

>> Will the redirector work if that address is sent as a "-" instead of
>> "ff...fff"?


> rejik redirector developer thinks its better to use 127.0.0.1 as squid
> address,

It sounds like you misunderstood my questions. I will detail them below.

I suspect that fff...fff comes from %>A (whether that %code comes from
the default url_rewrite_extras in your configuration is unimportant).

%>A is documented to be a client FQDN. I am not sure, and this is not
documented, but perhaps when the client IP address does not point back
to a domain name, %>A should be a client IP address.

For intermediate certificate downloading transactions, Squid does not
have a client address because those transactions are not initiated by a
client connection to Squid. They are generated internally by Squid. In
such cases, Squid should be sending a dash (-), not 127.0.0.1, not
fff...fff, not localhost, and not anything else that might be
misinterpreted as a client IP address or domain name.

I have not investigated why Squid does not send a dash, or what it would
take to fix Squid, but it is likely that this will be eventually fixed
because lying about client address is a bug. To plan the deployment of
that future fix, it may be useful to know whether the redirector you use
handles a dash value for %>A correctly. You may be able to test that by
configuring url_rewrite_extras explicitly and replacing %>A with a dash.

Alex.

Re: squid 4.5, can't download certificate?

Dmitry Melekhov
22.01.2019 19:51, Alex Rousskov wrote:

>
> It sounds like you misunderstood my questions. I will detail them below.
>
> I suspect that fff...fff comes from %>A (whether that %code comes from
> the default url_rewrite_extras in your configuration is unimportant).
>
> %>A is documented to to be a client FQDN. I am not sure, and this is not
> documented, but perhaps when the client IP address does not point back
> to a domain name, %>A should be a client IP address.
>
> For intermediate certificate downloading transactions, Squid does not
> have a client address because those transactions are not initiated by a
> client connection to Squid. They are generated internally by Squid. In
> such cases, Squid should be sending a dash (-), not 127.0.0.1, not
> fff...fff, not localhost, and not anything else that might be
> misinterpreted as a client IP address or domain name.
>
> I have not investigated why Squid does not send a dash, or what it would
> take to fix Squid, but it is likely that this will be eventually fixed
> because lying about client address is a bug. To plan the deployment of
> that future fix, it may be useful to know whether the redirector you use
> handles a dash value for %>A correctly. You may be able to test that by
> configuring url_rewrite_extras explicitly and replacing %>A with a dash.


Thank you for the explanation. It is easier for me to contact the rejik
developer and ask him to pass traffic if the client address is "-", as he
already did for fff...fff. So, I'll inform him that such a change is
planned and he will be ready :-)

Thank you!



Re: squid 4.5, can't download certificate?

Amos Jeffries
Administrator
On 23/01/19 5:40 pm, Dmitry Melekhov wrote:
>
> Thank you for explanation, it is easier for me to contact rejik
> developer and ask him to pass traffic if client address is "-" as he
> already did for
>
> fff...fff.  So, I'll inform him that such change is planned and he will
> be ready :-)


Um, to be more prescriptive ...

The (%>a) part *before* the '/' is the actual "client IP address".

If that is '-' (like your logs show it already is) then the reverse-DNS
FQDN part *after* the '/' cannot be relied upon at all so should
generally be ignored.


Whether or not we change the FQDN parts display, it could still have an
IPv6 address when a real IPv6 client arrives - and the IP part before
the '/' would then also still have an IPv6 address too. So IPv6 support
is needed regardless.


Amos
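The following is an added example, not rejik's code and not anything from the Squid project: a url_rewrite_program helper speaking the Squid 3.4+/4.x reply syntax that Amos describes, using the request-line layout of the default url_rewrite_extras ("%>a/%>A %un %>rm myip=%la myport=%lp") from the Squid helper documentation linked earlier in the thread. It treats the client address the way Amos prescribes (only the %>a part before the '/' counts; when that is '-' the FQDN is ignored and Squid's own certificate fetch passes untouched), and for contrast reproduces how a Squid-1.x-style helper that echoes its whole input line yields the mangled crt-/ffff...-GETmyip=-myport=0 URL from the original access log. The blocked-host policy, notice URL and sample request lines are constructed for the example.

```python
"""Squid url_rewrite_program helper using the Squid 3.4+/4.x reply syntax (added example).
Request: [channel-ID] URL client_ip/fqdn user method myip=... myport=...  (default url_rewrite_extras)
Reply:   [channel-ID] OK [rewrite-url="..." | status=3xx url="..."] | ERR | BH
"""
import sys
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed policy for the example: redirect these hosts to a local notice page.
BLOCKED_HOSTS = {"ads.example.test"}
NOTICE_URL = "http://notice.example.test/blocked"   # must contain no whitespace or quotes
# Request reconstructed from this thread's access log: Squid fetching an intermediate cert itself,
# so there is no client (%>a is "-") and %>A carries the junk ffff:...:ffff value.
CERT_FETCH_LINE = ("http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt "
                   "-/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - GET myip=- myport=0")

@dataclass
class RewriteRequest:
    channel: Optional[str]   # concurrency channel-ID, present only with concurrency=N
    url: str
    client_ip: str           # %>a, before the '/'; "-" for Squid-internal requests
    client_fqdn: str         # %>A, after the '/'; not trustworthy when client_ip is "-"
    extras: List[str] = field(default_factory=list)  # user, method, myip=..., myport=...

def parse_request(line: str) -> RewriteRequest:
    """Split one whitespace-delimited request line into its fields."""
    fields = line.split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    if len(fields) < 2:
        raise ValueError("malformed helper request: %r" % line)
    url, addr, *extras = fields
    ip, _, fqdn = addr.partition("/")
    return RewriteRequest(channel, url, ip, fqdn, extras)

def trusted_client_ip(req: RewriteRequest) -> Optional[str]:
    """Only %>a identifies the client; when it is '-' there is no client and the FQDN is ignored."""
    return None if req.client_ip == "-" else req.client_ip

def decide(req: RewriteRequest) -> str:
    """Build the reply line, echoing the channel-ID so concurrent requests stay matched."""
    prefix = req.channel + " " if req.channel is not None else ""
    if trusted_client_ip(req) is None:
        return prefix + "OK"         # internal transaction: pass through, never block
    host = (urlsplit(req.url).hostname or "").lower()
    if host in BLOCKED_HOSTS:
        return prefix + 'OK status=302 url="%s"' % NOTICE_URL
    return prefix + "OK"             # URL unchanged

def legacy_echo_reply(line: str) -> str:
    """A Squid-1.x-era helper answered by echoing the entire request line."""
    return line

def url_seen_by_squid(reply: str) -> str:
    """Constructed reproduction of the thread's symptom: with whitespace permitted in URLs, the
    fields after the URL in a legacy reply are taken as URL (spaces dropped, as in the access log)."""
    return "".join(reply.split())

def main() -> None:
    """Helper loop: one request per line on stdin, one reply per line on stdout, flushed each time."""
    for line in sys.stdin:
        try:
            reply = decide(parse_request(line))
        except ValueError:
            reply = "BH"             # helper could not process this request
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Point Squid at it with url_rewrite_program and feed CERT_FETCH_LINE on stdin to see the internal certificate fetch answered with a plain OK, while url_seen_by_squid(legacy_echo_reply(CERT_FETCH_LINE)) returns the mangled URL from the log.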

Re: squid 4.5, can't download certificate?

Dmitry Melekhov
23.01.2019 8:53, Amos Jeffries wrote:

> On 23/01/19 5:40 pm, Dmitry Melekhov wrote:
>> Thank you for explanation, it is easier for me to contact rejik
>> developer and ask him to pass traffic if client address is "-" as he
>> already did for
>>
>> fff...fff.  So, I'll inform him that such change is planned and he will
>> be ready :-)
>
> Um, to be more prescriptive ...
>
> The (%>a) part *before* the '/' is the actual "client IP address".
>
> If that is '-' (like your logs show it already is) then the reverse-DNS
> FQDN part *after* the '/' cannot be relied upon at all so should
> generally be ignored.


Thank you!

Looks like it's better to wait until it is fixed, because the rejik
developer is very responsive and, I guess, will provide a fix very soon.

>
> Whether or not we change the FQDN parts display, it could still have an
> IPv6 address when a real IPv6 client arrives - and the IP part before
> the '/' would then also still have an IPv6 address too. So IPv6 support
> is needed regardless.
>
Yes, sure, but, really, here we have no ISP which provides IPv6,

so it is not a problem for the next several years.

Thank you!


