squid 5.0.4 cache_peer bug on https outgoing


squid 5.0.4 cache_peer bug on https outgoing

sec
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

### 0x01 squid version

squid -v

Squid Cache: Version 5.0.4

Service Name: squid


This binary uses OpenSSL 1.0.2g  1 Mar 2016. For legal restrictions on distribution see https://www.openssl.org/source/license.html


configure options:  '--prefix=/usr' '--exec-prefix=/usr' '--includedir=/usr/include' '--datadir=/usr/share' '--libdir=/usr/lib64' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--sysconfdir=/etc/squid' '--sharedstatedir=/var/lib' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-default-user=squid' '--enable-silent-rules' '--enable-dependency-tracking' '--with-openssl' '--enable-icmp' '--enable-delay-pools' '--enable-useragent-log' '--enable-esi' '--disable-ipv6' '--enable-ssl-crtd' '--enable-follow-x-forwarded-for' '--enable-auth' --enable-ltdl-convenience


### 0x02  peers.conf

cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login=admin:squid name=crawler1


curl http://google.com -x https://admin:squid@localhost:3128 -v  -k

< HTTP/1.1 503 Service Unavailable
< Server: squid/5.0.4
< Mime-Version: 1.0
< Date: Sun, 27 Sep 2020 15:55:05 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 1647
< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from example.com
< Connection: keep-alive

The proxy is OK. 3129 is glider.
curl http://google.com -x https://admin:squid@localhost:3129 -v  -k

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>



### 0x03 the possible solution. DONT_VERIFY_PEER

So, on squid 4/5, the DONT_VERIFY_PEER flag is deprecated.
How do I get that function on squid 5.0.4?

### 0x04 squid.conf

acl SSL_ports port 443
acl Safe_ports port 1-65535     # unregistered ports
acl CONNECT method CONNECT
acl HEAD method HEAD

http_access deny !Safe_ports
http_access deny manager
http_access allow all

http_port 3128 ssl-bump generate-host-certificates=on \
dynamic_cert_mem_cache_size=100MB \
cert=/etc/squid/server.crt key=/etc/squid/server.key

ssl_bump allow all
#ssl_bump bump all
sslproxy_cert_error allow all

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/ssl_db -M 400MB

#sslproxy_flags DONT_VERIFY_PEER
tls_outgoing_options options=ALL flags=DONT_VERIFY_PEER,DONT_VERIFY_DOMAIN
sslproxy_cert_error allow all

coredump_dir /var/spool/squid3

# based on http://code.google.com/p/ghebhes/downloads/detail?name=tunning.conf&can=2&q=

#All File
refresh_pattern -i \.(3gp|7z|ace|asx|avi|bin|cab|dat|deb|rpm|divx|dvr-ms)      1440 100129600 reload-into-ims
refresh_pattern -i \.(rar|jar|gz|tgz|tar|bz2|iso|m1v|m2(v|p)|mo(d|v)|(x-|)flv) 1440 100129600 reload-into-ims
refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)         1440 100129600 reload-into-ims
refresh_pattern -i \.(mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p))                   1440 100129600 reload-into-ims
refresh_pattern -i \.(og(x|v|a|g)|rar|rm|r(a|p)m|snd|vob|wav)                  1440 100129600 reload-into-ims
refresh_pattern -i \.(pp(s|t)|wax|wm(a|v)|wmx|wpl|zip|cb(r|z|t))               1440 100129600 reload-into-ims

refresh_pattern -i \.(doc|pdf)$           1440   5043200 reload-into-ims
refresh_pattern -i \.(html|htm)$          1440   5040320 reload-into-ims

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
# closing parenthesis was missing in the posted line; the pattern is (/cgi-bin/|\?)
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

# http options
via off
forwarded_for off
vary_ignore_expire on

# memory cache options
cache_mem 512 MB
maximum_object_size_in_memory 256 KB

forwarded_for delete
ipcache_size 4096
dns_nameservers 8.8.8.8

# error page
cache_mgr [hidden email]
visible_hostname example.com
email_err_data off
err_page_stylesheet none

#include /etc/squid/peers.conf
# use glider to build an http(s)/socks5 proxy on same port 3129
# https://github.com/nadoo/glider
# glider -listen admin:squid@0.0.0.0:3129

cache_peer 127.0.0.1 parent 3129 0 ssl weighted-round-robin login=admin:squid name=crawler1

# never_direct: outgoing only by peers
never_direct allow  all

cache_effective_user proxy






_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid 5.0.4 cache_peer bug on https outgoing

Alex Rousskov
On 9/27/20 12:07 PM, sec wrote:

> http_port 3128 ssl-bump ...

> curl http://google.com -x https://admin:squid@localhost:3128 -v  -k

The above two lines do not match AFAICT: You tell curl to use an HTTPS
proxy, but you tell Squid to expect plain HTTP proxy requests.

Also, please note that if you fix the above problem by moving "https"
from "-x" to the origin server URL, then you will probably face another
problem:

curl https://google.com -x http://admin:squid@localhost:3128 -v  -k

> ssl_bump allow all

> cache_peer 127.0.0.1 parent 3129 0 ssl

Squid does not (yet) support "TLS inside TLS": Talking TLS with the
origin server through a cache_peer that also expects a TLS connection.


HTH,

Alex.

Re: squid 5.0.4 cache_peer bug on https outgoing

sec
Yes, I've tried all of these combinations.

### 0x00 cache_peer no ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0 【no ssl】


curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【it is ok】

curl https://google.com -x https://admin:squid@localhost:3128 -v  -k   【Get 502】
curl https://google.com -x http://admin:squid@localhost:3128 -v  -k     【Get 502】

< HTTP/1.1 502 Bad Gateway
< X-Cache: MISS from example.com
< Transfer-Encoding: chunked
< Connection: keep-alive

log json:

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request": "google.com:443", "httpversion": "HTTP/1.1", "response": 200, "bytes": 0, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }

{ "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp": "2020-09-28T04:16:28+0000", "verb": "GET", "request": "https://google.com/", "httpversion": "HTTP/1.1", "response": 502, "bytes": 117, "referer": "-", "agent": "curl/7.47.0", "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE" }


### 0x01 cache_peer with ssl

> ssl_bump allow all
> cache_peer 127.0.0.1 parent 3129 0  ssl


curl http://google.com -x http://admin:squid@localhost:3128 -v  -k   【Get 502】
curl https://google.com -x https://admin:squid@localhost:3128 -v  -k   【Get 502】

< HTTP/1.1 503 Service Unavailable

< Server: squid/5.0.4

< Mime-Version: 1.0

< Date: Mon, 28 Sep 2020 04:21:00 GMT

< Content-Type: text/html;charset=utf-8

< Content-Length: 1649

< X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71


<p>The system returned:</p>

<blockquote id="data">

<pre>(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre>

<p>Handshake with SSL server failed: [No Error]</p>

</blockquote>




### 0x02 how to send outgoing https requests via cache_peer (on squid 5.0.4 / chained proxy)

Similar features to Charles or Fiddler (open an http(s) proxy on 8080, capture the request, then send it out via another http(s)/socks4/5 proxy).


curl https://google.com -x http://squid:3128 --> outgoing (cache_peer: like the Fiddler gateway) --> google.com:443

The cache_peer should ignore SSL VERIFY!!! like other software.

On squid 5.0.4, http is OK, but https gets an ERR_SECURE_CONNECT_FAIL error.



Alex Rousskov <[hidden email]> wrote on Mon, 28 Sep 2020 at 06:48:

Re: squid 5.0.4 cache_peer bug on https outgoing

sec
I located the bug and found another way to deal with it.

The bug is that the cache_peer https CONNECT drops the port number.

If you add compatibility handling in the backend proxy software, you can solve this problem.

However, it would be best if it was resolved in squid.

### 0x01 wireshark packet

1) squid cache_peer https CONNECT packet.

CONNECT d.qqq.win  HTTP/1.1 (bad format: without port)

0040   d1 d8 43 4f 4e 4e 45 43 54 20 64 2e 71 71 71 2e   ..CONNECT d.qqq.

0050   77 69 6e 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73   win HTTP/1.1


2) glider verbose log

2020/09/28 17:19:58 forward.go:118: [forwarder] DIRECT recorded 1 failures, maxfailures: 0

2020/09/28 17:19:58 server.go:98: [http] *.*.*.*:53848 <-> d.qqq.win [c] via DIRECT, error in dial: dial tcp: address d.qqq.win: missing port in address


### 0x02 solution

Locate the cache_peer code in squid and add the missing port to the CONNECT function.

Or you can add the compatibility handling in the backend proxy software (bad idea).



openwrt <[hidden email]> wrote on Mon, 28 Sep 2020 at 13:41:
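As an added example (not code from the thread, from Squid or from glider), a Go check of the CONNECT request line a peer receives: it rejects the port-less authority form seen in the Wireshark capture above with the same net.SplitHostPort failure that glider logged, and accepts well-formed host:port and bracketed IPv6 targets. The sample request lines are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrMissingPort marks the exact defect in the thread: an authority-form
// target with no ":port", which glider rejects as "missing port in address".
var ErrMissingPort = errors.New("CONNECT target is missing a port")

// ParseConnectTarget validates the request line of a CONNECT sent to a peer.
// The target must be authority-form (host:port), so a line like
// "CONNECT d.qqq.win  HTTP/1.1" is rejected before any dial is attempted.
func ParseConnectTarget(line string) (host string, port int, err error) {
	fields := strings.Fields(line) // tolerates the doubled space in the capture
	if len(fields) != 3 || fields[0] != "CONNECT" {
		return "", 0, fmt.Errorf("not a CONNECT request line: %q", line)
	}
	if !strings.HasPrefix(fields[2], "HTTP/1.") {
		return "", 0, fmt.Errorf("unexpected protocol version %q", fields[2])
	}
	// net.SplitHostPort is the same check a Go dialer performs; it handles
	// bracketed IPv6 literals and fails on a bare hostname.
	host, portStr, err := net.SplitHostPort(fields[1])
	if err != nil {
		if strings.Contains(err.Error(), "missing port") {
			return "", 0, fmt.Errorf("%w: %q", ErrMissingPort, fields[1])
		}
		return "", 0, err
	}
	if host == "" {
		return "", 0, fmt.Errorf("empty host in target %q", fields[1])
	}
	port, err = strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("invalid port %q in target %q", portStr, fields[1])
	}
	return host, port, nil
}

// sampleRequestLines are constructed for this example. The first mirrors the
// malformed line from the Wireshark capture in the thread; the others are
// well-formed targets a fixed Squid (or any compliant client) would send.
var sampleRequestLines = []string{
	"CONNECT d.qqq.win  HTTP/1.1",
	"CONNECT d.qqq.win:443 HTTP/1.1",
	"CONNECT [2001:db8::1]:8443 HTTP/1.1",
	"GET http://example.com/ HTTP/1.1",
}

func main() {
	for _, line := range sampleRequestLines {
		host, port, err := ParseConnectTarget(line)
		if err != nil {
			fmt.Printf("reject %-36q %v\n", line, err)
			continue
		}
		fmt.Printf("accept %-36q host=%s port=%d\n", line, host, port)
	}
}
```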

Re: squid 5.0.4 cache_peer bug on https outgoing

Amos Jeffries
On 28/09/20 6:41 pm, openwrt wrote:
> Yes, I've tried all of these combinations.
>
> ### 0x00 cache_peer no ssl
>
>> ssl_bump allow all

"allow" is not a SSL-Bump action type for any version of Squid.
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>

AFAIK, SSL-Bump falls back to default "bump all" as the action performed.


>> cache_peer 127.0.0.1 parent 3129 0 【no ssl】
>
> curl http://google.com <https://google.com/> -x
> http://admin:squid@localhost:3128 -v  -k   【it is ok】
>

This does HTTP(-over-TCP) to Squid asking for HTTP to origin. A
non-TLS/SSL peer is perfectly capable of fetching that.


> curl https://google.com <https://google.com/> -x
> https://admin:squid@localhost:3128 -v  -k   【Get 502】

This does HTTP(-over-TLS) to Squid, which is told to accept HTTP(-over-TCP).
Expect 502 generated by the frontend Squid.


> curl https://google.com <https://google.com/> -x
> http://admin:squid@localhost:3128 -v  -k     【Get 502】
>

This does HTTP(-over-TCP) to Squid asking for CONNECT tunnel
containing HTTP-over-TLS to origin.

Expect that the tunnel be accepted for decryption by the frontend Squid
(200 status), then another CONNECT tunnel generated to fetch the
decrypted traffic via the insecure peer.


>
> log json:
>
> { "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp":
> "2020-09-28T04:16:28+0000", "verb": "CONNECT", "request":
> "google.com:443 <http://google.com:443>", "httpversion": "HTTP/1.1",
> "response": 200, "bytes": 0, "referer": "-", "agent": "curl/7.47.0",
> "request_status": "HIER_NONE", "hierarchy_status": "HIER_NONE"}
>

CONNECT tunnel received and decrypted. This says that you actually
received a 200 status to at least one of your tests. I expect it was for
that third one.


> { "clientip": "127.0.0.1", "ident": "-", "uname": "admin", "timestamp":
> "2020-09-28T04:16:28+0000", "verb": "GET", "request":
> "https://google.com/", "httpversion": "HTTP/1.1", "response": 502,
> "bytes": 117, "referer": "-", "agent": "curl/7.47.0", "request_status":
> "HIER_NONE", "hierarchy_status": "HIER_NONE"}
>

Decrypted request was not able to be sent anywhere. This is your main
problem - made worse by the ssl_bump misconfiguration. The 502 message
contains a brief description about what went wrong. cache.log may
contain more details - if not, increase the verbosity for
troubleshooting with "debug_options ALL,2 83,7"


>
> ### 0x01 cache_peer with ssl
>
>> ssl_bump allow all
>> cache_peer 127.0.0.1 parent 3129 0  ssl
>
> curl http://google.com <https://google.com/> -x
> http://admin:squid@localhost:3128 -v  -k   【Get 502】
> curl https://google.com <https://google.com/> -x
> https://admin:squid@localhost:3128 -v  -k   【Get 502】
>
> < HTTP/1.1 503 Service Unavailable
>

This is 503, not the 502 you mention above.

 * Which of the two different test commands produced it?

 * It says that there is a TLS protocol syntax problem talking TLS/SSL
to the server or peer.

>
> < X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
>
>
> <p>The system returned:</p>
>
> <blockquote id="data">
>
> <pre>(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)</pre>
>
> <p>Handshake with SSL server failed: [No Error]</p>
>
> </blockquote>
>


>
> ### 0x02 how to outgoing https request by cache_peer (on squid
> 5.0.4/Chains proxy)
>
> Similar features to Charles OR Fiddler. ( open http(s) proxy  on 8080,
> then capture the request , outgoing on another http(s)/socks4/5 proxy.)
>
> 1. Fiddler
> gateway: https://docs.telerik.com/fiddler-everywhere/user-guide/settings/gateway
>
> curl https://google.com -x http://squid:3128 --> outgoing(cache_peer:
> like Fiddler gateway) --> google.com:443 <http://google.com:443>
>
> The cache_peer should be ignore ssl VERIFY. !!! like other software.
>

No. There is no use using TLS if you are going to disable *all* the
security.

What should actually happen is that you configure Squid to know
what CA signed the peer SSL certificate (with the cache_peer tls-cafile=
option), so that connections properly going to that peer will verify
successfully. The default you have with just the "ssl" flag (FYI: that
should be "tls" nowadays) uses the operating system's default globally
trusted CAs to verify.

Allowing interception attacks and transfer corruption on the peer
traffic to be identified if/when any happen is the entire purpose of
using TLS/SSL on peer connections.


Amos

Re: squid 5.0.4 cache_peer bug on https outgoing

Amos Jeffries
On 28/09/20 10:39 pm, openwrt wrote:

> I located the bug and found a another way to deal with it.
>
> The bug is that cache_peer https CONNECT drops the port number
>
> If you do the compatibility treatment on the back of the agent software,
> you can solve this problem
>
> However, it would be best if it was resolved on squid.
>
> ### 0x01 wireshare packet
>
> 1) squid cache_peer https CONNECT packet.
>
> CONNECT d.qqq.win  HTTP/1.1 (bad format: without port)
>

Aha. Thank you for finding this. Can you please open a bug in our
bugzilla with the details so this does not get lost.

Amos

Re: squid 5.0.4 cache_peer bug on https outgoing

Alex Rousskov
On 9/28/20 5:39 AM, openwrt wrote:

> The bug is that cache_peer https CONNECT drops the port number

Please try the attached patch.

Thank you,

Alex.


> squid cache_peer https CONNECT packet.
>
> CONNECT d.qqq.win  HTTP/1.1 (bad format: without port)
>
> 0040   d1 d8 43 4f 4e 4e 45 43 54 20 64 2e 71 71 71 2e   ..CONNECT d.qqq.
> 0050   77 69 6e 20 48 54 54 50 2f 31 2e 31 0d 0a 55 73   win HTTP/1.1


Attachment: SQUID-111-peer-connect-port-t1.patch (652 bytes)

Re: squid 5.0.4 cache_peer bug on https outgoing

sec
It worked. Thanks.

Alex Rousskov <[hidden email]> wrote on Mon, 28 Sep 2020 at 21:52: