[squid-users] How to have squid as safe as (e.g.) firefox?

Jeremie Rafin rafinjer-squid at yahoo.fr
Wed Aug 12 21:20:39 UTC 2015


Hello,

If I browse on the internet **without** a proxy like squid, and if I use a browser like firefox, the certificate management of SSL connections looks, as far as I feel it, safe and secure.

One of my favorite web pages to test this is: https://revoked.grc.com/
Going on this site must generate an error such as a "revoked certificate" reject.

But, if I browse with squid "behind", configured with SSL bumping and host certificate generation (in such a way my proxy works well for https), this site (https://revoked.grc.com/) is **not** filtered. Which is, to my eye, a big security hole...

Questions (I am searching for answers for several months, without success):

-while using squid, is it possible to have a SSL/HTTPS level of security at least as high as with a reference like firefox (assuming this is a reference; in my humble opinion, regarding certificate management, it is, as I don't know better)?

-do you know any implementation of NSS library (the security library of firefox, probably safer than openssl) for certificate checking helper (cf. sslcrtvalidator_program)?

-how to manage certificate lists, especially automatic updates of them (e.g. use of OSCP inside squid helpers)? Could we access to tweaks like maximum acceptable age of certificate validity, white and black lists of trust authorities, exclusion of autosigned certificate, etc?

Thanks for any help, any suggestion!
Jérémie


PS1: some of test web pages, for which, to my mind, security fails with squid:
-https://revoked.grc.com (my "favorite"; must fail browsing)
-https://www.ssllabs.com/ssltest/viewMyClient.html (to get a big picture, especially if OCSP stapling is active)
-https://www.howsmyssl.com/ (not as good as previous; provides another point of view)

PS2: my squid 3.5 works on a debian wheezy 7.6; here is my squid.conf (only my adds in top of the default file content); so far I try to have transparent (implicit) proxy but explicit proxy is not better (only simpler configuration):

# SSL bumping configuration
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid-3.5/lib/squid/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB

# SSL Options - to mimic firefox; some of keys are weaks but some of my favorite websites need them :(
sslproxy_options NO_SSLv2,No_Compression
sslproxy_cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-RC4-SHA:DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!3DES:!PSK
sslproxy_cert_error deny all

# Splice access lists
acl splice_client src 192.168.2.30
acl splice_domain dstdomain .paypal.com
acl splice_dst dst 66.211.169.66 66.211.169.3

# HTTPS access
ssl_bump splice splice_client
ssl_bump splice splice_domain
ssl_bump splice splice_dst
ssl_bump server-first all

# Hide PROXY
via off
forwarded_for delete

# Cache management
cache_dir ufs /var/cache/squid 500 16 256


More information about the squid-users mailing list