sslproxy_options on squid 3.5.20

sslproxy_options on squid 3.5.20

Nisa Balakrishnan
Hi,

I am trying to allow access for only tls versions 1.2 and above on Squid 3.5.20

For testing purposes, I have set options in squid config as follows.

```
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2

sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
```

I test using curl
```
curl -v https://api.github.com/users/xyz
```

I am able to access github and the ssl connection is tls 1.2

```
*   Trying 13.236.14.80...
* TCP_NODELAY set
* Connected to api.github.com (13.236.14.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
*  start date: Jun 22 00:00:00 2020 GMT
*  expire date: Aug 17 12:00:00 2022 GMT
*  subjectAltName: host "api.github.com" matched cert's "*.github.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
> GET /users/xyz HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Mon, 05 Oct 2020 22:57:40 GMT
< content-type: application/json; charset=utf-8
< server: GitHub.com
< status: 200 OK
< cache-control: public, max-age=60, s-maxage=60
< vary: Accept, Accept-Encoding, Accept, X-Requested-With, Accept-Encoding
< etag: W/"3d107946387d86803650c009a9371dc5efd5ba2d670e838c30af583505243e83"
< last-modified: Wed, 23 May 2018 19:43:26 GMT
< x-github-media-type: github.v3; format=json
< access-control-expose-headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, Deprecation, Sunset
< access-control-allow-origin: *
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin, strict-origin-when-cross-origin
< content-security-policy: default-src 'none'
< X-Ratelimit-Limit: 60
< X-Ratelimit-Remaining: 59
< X-Ratelimit-Reset: 1601942260
< X-Ratelimit-Used: 1
< Accept-Ranges: bytes
< Content-Length: 1220
< X-GitHub-Request-Id: A62E:3674:BB684:D9799:5F7BA4E4
<
{
  "login": "xyz",
  "id": 14513,
  "node_id": "MDQ6VXNlcjE0NTEz",
  "avatar_url": "https://avatars1.githubusercontent.com/u/14513?v=4",
  "gravatar_id": "",
  "url": "https://api.github.com/users/xyz",
  "html_url": "https://github.com/xyz",
  "followers_url": "https://api.github.com/users/xyz/followers",
  "following_url": "https://api.github.com/users/xyz/following{/other_user}",
  "gists_url": "https://api.github.com/users/xyz/gists{/gist_id}",
  "starred_url": "https://api.github.com/users/xyz/starred{/owner}{/repo}",
  "subscriptions_url": "https://api.github.com/users/xyz/subscriptions",
  "organizations_url": "https://api.github.com/users/xyz/orgs",
  "repos_url": "https://api.github.com/users/xyz/repos",
  "events_url": "https://api.github.com/users/xyz/events{/privacy}",
  "received_events_url": "https://api.github.com/users/xyz/received_events",
  "type": "User",
  "site_admin": false,
  "name": "xyz",
  "company": null,
  "blog": "",
  "location": null,
  "email": null,
  "hireable": null,
  "bio": null,
  "twitter_username": null,
  "public_repos": 1,
  "public_gists": 0,
  "followers": 8,
  "following": 1,
  "created_at": "2008-06-21T11:58:01Z",
  "updated_at": "2018-05-23T19:43:26Z"
}
* Connection #0 to host api.github.com left intact
```
Despite setting no tls 1.2, I am able to successfully make a connection.
What am I missing here?
Any help much appreciated.

--

Nisa Balakrishnan      Automation Engineer | m: 0473942819 | p: 03 9081 3700
Level 20, Tower 5, Collins Square, 727 Collins Street, Docklands VIC 3008



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
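As an added example (not code from the thread or from the Squid project), the following POSIX shell script does the two things this question calls for. First, it models what an OpenSSL-style NO_* exclusion list leaves negotiable, given the protocol versions the linked library supports; the default list (SSLv3 through TLS 1.2, no TLS 1.3) is an assumption that matches the OpenSSL build described later in the thread and can be overridden with SUPPORTED_VERSIONS. Second, it drives curl through the intercepting proxy one protocol version at a time, so you see what each version actually negotiates rather than only curl's default. The flag-to-version table and the URL are illustrative assumptions; the curl flags used (--tlsv1.x together with --tls-max) need curl 7.54 or newer, and no -x is given because an intercept listener sees the traffic without the client being proxy-aware.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed library support: an OpenSSL
# 1.0.x-era build with SSLv3 and TLS 1.0-1.2 and no TLS 1.3.
SUPPORTED_VERSIONS="${SUPPORTED_VERSIONS:-SSLv3 TLSv1 TLSv1.1 TLSv1.2}"

# Map a Squid/OpenSSL NO_* flag name to the protocol version it removes.
flag_to_version() {
  case "$1" in
    NO_SSLv2)   echo SSLv2 ;;
    NO_SSLv3)   echo SSLv3 ;;
    NO_TLSv1)   echo TLSv1 ;;
    NO_TLSv1_1) echo TLSv1.1 ;;
    NO_TLSv1_2) echo TLSv1.2 ;;
    *)          echo "" ;;   # other flags (e.g. SINGLE_DH_USE) do not touch versions
  esac
}

# enabled_versions "NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2"
# prints, space separated, the supported versions that the list does not exclude.
enabled_versions() {
  opts=$(printf '%s' "$1" | tr ',' ' ')
  out=""
  for v in $SUPPORTED_VERSIONS; do
    keep=1
    for o in $opts; do
      [ "$(flag_to_version "$o")" = "$v" ] && keep=0
    done
    [ "$keep" = 1 ] && out="$out $v"
  done
  printf '%s\n' "${out# }"
}

# Pull the negotiated protocol out of curl -v output
# (the "* SSL connection using TLSv1.2 / ECDHE-..." line).
negotiated_from_curl() {
  sed -n 's/^\* SSL connection using \([^ ]*\).*/\1/p' | head -n 1
}

# tls_probe <url> <ver>   ver is 1.0, 1.1 or 1.2
# --tlsv1.x sets the floor and --tls-max the ceiling, pinning curl to one version.
tls_probe() {
  url=$1; ver=$2; rc=0
  out=$(curl -sS -o /dev/null -v --tlsv"$ver" --tls-max "$ver" "$url" 2>&1) || rc=$?
  neg=$(printf '%s\n' "$out" | negotiated_from_curl)
  if [ "$rc" -eq 0 ] && [ -n "$neg" ]; then
    echo "TLS $ver -> negotiated $neg"
  else
    echo "TLS $ver -> rejected (curl exit $rc)"
  fi
}

# One line per protocol version for a single URL.
tls_matrix() {
  url=$1
  for ver in 1.0 1.1 1.2; do
    tls_probe "$url" "$ver"
  done
}

# Stand-alone use: sh tls_matrix.sh https://api.github.com/users/xyz
if [ "$#" -gt 0 ]; then
  echo "Enabled by NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2: $(enabled_versions NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2)"
  echo "Enabled by NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1: $(enabled_versions NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1)"
  tls_matrix "$1"
fi
```

Run it with a URL to get the matrix. The first two lines show that, in a build without TLS 1.3, the posted list NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2 leaves only TLS 1.1 enabled, while swapping NO_TLSv1_2 for NO_TLSv1_1 leaves only TLS 1.2. The probe reports what the client ended up negotiating; it cannot tell you which directive (port options=, sslproxy_options or sslproxy_version) caused a rejection, so change one directive at a time and rerun.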
Re: sslproxy_options on squid 3.5.20

Amos Jeffries
Administrator
On 6/10/20 1:35 pm, Nisa Balakrishnan wrote:
> Hi,
>
> I am trying to allow access for only tls versions 1.2 and above on Squid
> 3.5.20
>

Note that "above 1.2" are not supported by that ancient version of
Squid. Your test disables everything except SSLv1 code in the library.


> For testing purposes, I have set options in squid config as follows.
>
> ```
> https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
> options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
>
> sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
> ```
>

Support for all those options depends on the version, build options, and
global config settings of the OpenSSL library being used. They are just
flags Squid passes to the library on connection setup.


FWIW 3.1.20 is over 4 years old and a huge amount of change has happened
to TLS since then. Please try to upgrade to current Squid-4 stable, or
for best SSL-Bump behaviour the current Squid-5 beta.

Amos
Re: sslproxy_options on squid 3.5.20

Nisa Balakrishnan
Thanks Amos.

I have verified that squid build is done with openssl that supports 1.2 but not 1.3.
I am worried that squid does not pass the flag set via options.
I am able to lock squid to tls 1.2 only with sslproxy_version 

To be a bit more clear, the squid implementation is a whitelist filtering proxy. It does not bump ssl requests. It does peek and splice on intercept.

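As an added illustration (not configuration from the thread or from the Squid project), the posted directives beside two ways of expressing "TLS 1.2 and above" that Squid 3.5 understands. It assumes the rest of squid.conf already carries the peek/splice rules described in the thread (those ssl_bump lines are omitted) and a Squid 3.5.x linked against an OpenSSL with no TLS 1.3, so TLS 1.2 is the highest version the build can offer. The certificate path and port are the poster's; the numeric version values are those documented for Squid 3.x.

```squid
# Added example, not from the thread. Assumes existing ssl_bump peek/splice rules
# and an OpenSSL without TLS 1.3 (TLS 1.2 is the top of what this build offers).

# As posted: the NO_* list removes TLS 1.2 itself, so of SSLv3/TLS1.0/1.1/1.2
# only TLS 1.1 remains enabled.
# https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2
# sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_2

# (a) Exclusion flags: drop everything below 1.2 and leave 1.2 (the highest
#     version in this build) enabled.
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept options=NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1
sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,NO_TLSv1_1

# (b) Pinning: in Squid 3.x the version= and sslproxy_version values are
#     1=auto, 2=SSLv2, 3=SSLv3, 4=TLSv1.0, 5=TLSv1.1, 6=TLSv1.2, so 6 pins to
#     TLS 1.2 only. This is the sslproxy_version route the poster reports as
#     working; it is commented out here because a port is declared only once.
# https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept version=6
# sslproxy_version 6
```

Form (a) keeps working if the library later gains TLS 1.3 (nothing excludes it), whereas form (b) pins to exactly 1.2 and would have to be revisited; after either change, run `squid -k parse` against the file before reloading, and check that the library Squid is linked against actually exposes the versions the flags name, since Squid only hands these flags to OpenSSL.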
Re: sslproxy_options on squid 3.5.20

Eliezer Croitoru-3

Hey Nisa,

Just wondering, if it's only a whitelist filtering proxy for TLS/SSL/443,
wouldn't it be better to use a basic SNI proxy with a whitelist?

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]