[squid-users] squid-3.4.8 sslbump breaks facebook

Jason Haar Jason_Haar at trimble.com
Thu Oct 16 07:54:57 UTC 2014


Hi there

Weird. sslbump seems to be working well, even intercepts twitter.com
fine under FF-33 (with its pinning support, due to
security.cert_pinning.enforcement_level=1)

However, facebook.com generates a "sec_error_inadequate_key_usage"
error. I cranked up debugging and see this. As you can see, the proxy
has ipv6 support and is actually intercepting google.com over ipv6
successfully, so I don't think it has anything to do with networking. I
can use "curl -v" to confirm it successfully downloaded the frontpage
over the same IPv6 address too. I also checked the ssl_db/certs dir and
removed the facebook certs and restarted - didn't help.

If I look at the real www.facebook.com cert, I see

            X509v3 Subject Alternative Name:
                DNS:*.facebook.com, DNS:facebook.com, DNS:*.fbsbx.com,
DNS:*.fbcdn.net, DNS:*.xx.fbcdn.net, DNS:*.xy.fbcdn.net, DNS:fb.com,
DNS:*.fb.com
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

however, the squid-created cert shows

            X509v3 Subject Alternative Name:
                DNS:*.facebook.com, DNS:facebook.com, DNS:*.fbsbx.com,
DNS:*.fbcdn.net, DNS:*.xx.fbcdn.net, DNS:*.xy.fbcdn.net, DNS:fb.com,
DNS:*.fb.com
            X509v3 Key Usage: critical
                .
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

So squid is failing to set "X509v3 Key Usage" correctly?

Jason

1413438531.233   2192 127.0.0.1 TAG_NONE/200 0 CONNECT
www.facebook.com:443 - HIER_DIRECT/2a03:2880:20:4f06:face:b00c:0:1 -
[User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0)
Gecko/20100101 Firefox/33.0\r\nProxy-Connection:
keep-alive\r\nConnection: keep-alive\r\nHost: www.facebook.com:443\r\n] []

generates the following...

2014/10/16 18:40:16.194 kid1| dns_internal.cc(1092) idnsCallback:
Merging DNS results www.facebook.com A has 2 RR, AAAA has 2 RR
2014/10/16 18:40:16.194 kid1| ipcache.cc(498) ipcacheParse:
ipcacheParse: 4 answers for 'www.facebook.com'
2014/10/16 18:40:16.194 kid1| ipcache.cc(567) ipcacheParse:
ipcacheParse: www.facebook.com #0 [2a03:2880:20:4f06:face:b00c:0:1]
2014/10/16 18:40:16.194 kid1| ipcache.cc(556) ipcacheParse:
ipcacheParse: www.facebook.com #1 173.252.74.22
2014/10/16 18:40:16.194 kid1| peer_select.cc(286) peerSelectDnsPaths:
Found sources for 'www.facebook.com:443'
2014/10/16 18:40:16.194 kid1| FwdState.cc(373) startConnectionOrFail:
www.facebook.com:443
2014/10/16 18:40:16.194 kid1| FwdState.cc(1082) connectStart:
fwdConnectStart: www.facebook.com:443
2014/10/16 18:40:16.194 kid1| pconn.cc(340) key:
PconnPool::key(local=[::] remote=[2a03:2880:20:4f06:face:b00c:0:1]:443
flags=1, www.facebook.com) is
{[2a03:2880:20:4f06:face:b00c:0:1]:443/www.facebook.com}
2014/10/16 18:40:16.194 kid1| pconn.cc(436) pop: lookup for key
{[2a03:2880:20:4f06:face:b00c:0:1]:443/www.facebook.com} failed.
2014/10/16 18:40:16.194 kid1| peer_select.cc(94) ~ps_state:
www.facebook.com:443
2014/10/16 18:40:16.194 kid1| fd.cc(221) fd_open: fd_open() FD 33
www.facebook.com
2014/10/16 18:40:16.426 kid1| FwdState.cc(1029) connectDone:
local=[2001:470:828b:0:c460:6ed8:7e00:e8f4]:52765
remote=[2a03:2880:20:4f06:face:b00c:0:1]:443 FD 33 flags=1:
'www.facebook.com:443'
2014/10/16 18:40:17.698 kid1| support.cc(260) ssl_verify_cb: SSL
Certificate signature OK: /C=US/ST=CA/L=Menlo Park/O=Facebook,
Inc./CN=*.facebook.com
2014/10/16 18:40:17.698 kid1| support.cc(260) ssl_verify_cb: SSL
Certificate signature OK: /C=US/ST=CA/L=Menlo Park/O=Facebook,
Inc./CN=*.facebook.com
2014/10/16 18:40:17.698 kid1| support.cc(260) ssl_verify_cb: SSL
Certificate signature OK: /C=US/ST=CA/L=Menlo Park/O=Facebook,
Inc./CN=*.facebook.com
2014/10/16 18:40:17.698 kid1| support.cc(214) check_domain: Verifying
server domain www.facebook.com to certificate name/subjectAltName
*.facebook.com
2014/10/16 18:40:17.950 kid1| FwdState.cc(1218) dispatch:
local=127.0.0.1:3128 remote=127.0.0.1:49230 FD 24 flags=1: Fetching
'CONNECT www.facebook.com:443'
2014/10/16 18:40:17.950 kid1| FwdState.cc(433) unregister:
www.facebook.com:443
2014/10/16 18:40:17.950 kid1| FwdState.cc(458) complete:
www.facebook.com:443
2014/10/16 18:40:17.950 kid1| FwdState.cc(1355) reforward:
www.facebook.com:443?
2014/10/16 18:40:17.950 kid1| client_side.cc(4045) httpsPeeked: HTTPS
server CN: *.facebook.com bumped:
local=[2001:470:828b:0:c460:6ed8:7e00:e8f4]:52765
remote=[2a03:2880:20:4f06:face:b00c:0:1]:443 FD 33 flags=1
2014/10/16 18:40:17.951 kid1| client_side.cc(4049) httpsPeeked: bumped
HTTPS server: www.facebook.com
2014/10/16 18:40:17.951 kid1| client_side_request.cc(265)
~ClientHttpRequest: httpRequestFree: www.facebook.com:443
2014/10/16 18:40:17.951 kid1| client_side.cc(617) logRequest: logging
half-baked transaction: www.facebook.com:443
2014/10/16 18:40:17.951 kid1| client_side.cc(621) logRequest:
clientLogRequest: al.url='www.facebook.com:443'
2014/10/16 18:40:17.951 kid1| HttpHeader.cc(1531) ~HttpHeaderEntry:
destroying entry 0x30c5fd0: 'Host: www.facebook.com:443'
2014/10/16 18:40:17.951 kid1| client_side.cc(3899) getSslContextStart:
Finding SSL certificate for /C=US/ST=CA/L=Menlo Park/O=Facebook,
Inc./CN=*.facebook.com+Sign=signTrusted in cache
2014/10/16 18:40:17.951 kid1| client_side.cc(3904) getSslContextStart:
SSL certificate for /C=US/ST=CA/L=Menlo Park/O=Facebook,
Inc./CN=*.facebook.com+Sign=signTrusted have found in cache
2014/10/16 18:40:17.952 kid1| client_side.cc(3906) getSslContextStart:
Cached SSL certificate for /C=US/ST=CA/L=Menlo Park/O=Facebook,
Inc./CN=*.facebook.com+Sign=signTrusted is valid
2014/10/16 18:40:17.956 kid1| ctx: enter level  0: 'www.facebook.com:443'
2014/10/16 18:40:17.956 kid1| HttpHeader.cc(1531) ~HttpHeaderEntry:
destroying entry 0x30c0810: 'Host: www.facebook.com:443'

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
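The comparison above (origin cert says "Digital Signature, Key Agreement", the squid-generated mimic shows nothing usable in its Key Usage) can be checked mechanically rather than by eyeballing openssl output. The following is an added example, not code from Squid or from the poster: a minimal DER walker that decodes an X509v3 Key Usage extension (OID 2.5.29.15, RFC 5280 section 4.2.1.3), lists which usage bits are set, and reports which usages the mimicked certificate lost relative to the origin server's. The two extension blobs are constructed by hand for the example; the "good" one encodes exactly the Digital Signature + Key Agreement pair from the post, the "broken" one is an assumed empty BIT STRING standing in for whatever the proxy produced. The adequacy rule (a TLS server cert needs digitalSignature or keyEncipherment) is this example's own heuristic for the browser error, not a quote of NSS's exact policy.

```python
"""Decode an X509v3 Key Usage extension from DER and compare origin vs mimic.

Added example; it does not come from Squid's certificate-mimicking code.
"""

KEY_USAGE_OID = "2.5.29.15"

# Bit positions of the KeyUsage BIT STRING (RFC 5280, 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode a DER OBJECT IDENTIFIER body into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    n = 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage_bits(bitstring_body):
    """Map a DER BIT STRING body (unused-bits byte + data) to usage names."""
    if not bitstring_body:
        return []
    unused, bits = bitstring_body[0], bitstring_body[1:]
    total_bits = len(bits) * 8 - unused
    return [
        KEY_USAGE_BITS[i]
        for i in range(min(total_bits, len(KEY_USAGE_BITS)))
        if bits[i // 8] & (0x80 >> (i % 8))
    ]


def parse_key_usage_extension(ext_der):
    """Parse an Extension SEQUENCE; return (critical, [usage names])."""
    tag, seq, _ = read_tlv(ext_der)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid_body, pos = read_tlv(seq)
    assert tag == 0x06 and decode_oid(oid_body) == KEY_USAGE_OID
    critical = False
    tag, body, pos = read_tlv(seq, pos)
    if tag == 0x01:                         # optional BOOLEAN critical
        critical = body != b"\x00"
        tag, body, pos = read_tlv(seq, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    tag, bits, _ = read_tlv(body)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    return critical, decode_key_usage_bits(bits)


def adequate_for_tls_server(usages):
    """Example heuristic: a server cert must allow signing or key transport."""
    return "digitalSignature" in usages or "keyEncipherment" in usages


def missing_usages(origin_ext_der, mimic_ext_der):
    """Usages the origin cert asserts that the mimicked cert dropped."""
    _, origin = parse_key_usage_extension(origin_ext_der)
    _, mimic = parse_key_usage_extension(mimic_ext_der)
    return [u for u in origin if u not in mimic]


# Constructed sample: critical Key Usage = Digital Signature, Key Agreement
# (bits 0 and 4 -> 0x88 with 3 unused bits), as on the real facebook cert.
ORIGIN_KU_EXT = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 0388")
# Constructed sample: critical Key Usage with an empty BIT STRING, assumed to
# stand in for the mimicked cert whose usage printed as "." in the post.
MIMIC_KU_EXT = bytes.fromhex("300d 0603551d0f 0101ff 0403 0301 00")

if __name__ == "__main__":
    for label, ext in (("origin", ORIGIN_KU_EXT), ("mimic", MIMIC_KU_EXT)):
        critical, usages = parse_key_usage_extension(ext)
        print(f"{label}: critical={critical} usages={usages} "
              f"server-adequate={adequate_for_tls_server(usages)}")
    print("dropped by mimic:", missing_usages(ORIGIN_KU_EXT, MIMIC_KU_EXT))
```

Feeding the real extensions is a matter of pulling the DER of each cert (for instance from the ssl_db/certs directory the post mentions and from the origin server) and locating the 2.5.29.15 extension; the parser above is deliberately limited to the extension itself so the comparison logic stays readable. A critical Key Usage with no server-relevant bit is exactly the shape that makes a browser refuse the certificate rather than fall back.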
