squid & handling/propagating certificat revocations...?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

squid & handling/propagating certificat revocations...?

L. A. Walsh
How does squid 'normally' handle security revocations, like from
this test page?:

  https://revoked.grc.com/

Or how 'should' it be handling it (i.e. is my setup more broken
than most? ;^) )

Or, when squid fetches the page, does it do any checking before
sending it to the user?

Or, does it pass it through, w/o checking, to user, but check
revocation before storing it in the local disk cache.

In the above two cases, a client (say a browser) configured to
check revocations, would detect the revocations both on initial
connect as well as content served from cache.  That works, though
it _might_ be more efficient if squid didn't cache such pages.

However, in the case of squid using https-interception to allow
breaking open otherwise uncacheable streams, my configuration doesn't
seem to check if a remote site is using a revoked cert.

So question(s):  Is there anyway to configure squid to check and
either add a message to the page indicating the security revocation,
or, at least, fail in retrieving the message?

And, ideally, _could_ squid interactively prompt the user about
whether or not the specific cert should be used/allowed anyway,
*and* whether or not the cert should be _stored_ as an "exception"?
If so, then further connects would "just work", otherwise, clients
would get an error message)?

Ideas?  Anyone else solved this problem?

Thanks!
-linda


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: squid & handling/propagating certificat revocations...?

Alex Rousskov
On 02/18/2017 03:31 PM, L A Walsh wrote:
> How does squid 'normally' handle security revocations,

In the simplest case without SslBump, Squid does not see the server
certificate at all and, hence, cannot validate it. Squid simply tunnels
opaque bytes, including certificate bytes, from the server to the
client. You cannot customize this aspect of Squid behavior.

If an SslBump peeking or staring rule matches at step2, then Squid
receives the server certificate and asks OpenSSL to validate it before
sending/receiving any HTTP-level data to/from that server. If your
OpenSSL installation considers the certificate revoked, Squid will treat
it as such and, by default, terminate the connection to the origin
server without receiving an HTTP response.

You can customize that default using several configuration options
and/or a certificate validation helper. Search squid.conf.documented for
"certificate" and "sslcrtvalidator_program".


> However, in the case of squid using https-interception to allow
> breaking open otherwise uncacheable streams, my configuration doesn't
> seem to check if a remote site is using a revoked cert.

Squid does not validate server certificates that it does not see. For
example, if you splice the intercepted connections at SslBump step1 or
step2, then Squid will not see the server certificate and will just
forward all certificate bytes to the client "as is".


> And, ideally, _could_ squid interactively prompt the user about
> whether or not the specific cert should be used/allowed anyway,
> *and* whether or not the cert should be _stored_ as an "exception"?

Upon receiving a revoked certificate, a _browser_ can do that. Squid is
not a User Agent and does not talk to the user directly (although it
can, in some cases, respond with an error page that a user will see).

If you are bumping (rather than splicing) SSL connections, then the fake
certificate generated by Squid will not be revoked even if the origin
server certificate was -- I do not think Squid mimics that aspect of the
origin server certificate.


HTH,

Alex.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users