[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Thu Dec 10 20:10:48 UTC 2015

Hi Alex

I've tested again. Squid (3.5.11) only terminates the connection
(based on SHA1-Fingerprint), *if* the fingerprint is delimited with
colons. If not, squid GET's the https-request as usual. I'll report a
bug.

With SHA1-FP (delimited):
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32 in the
config-file, Squid terminates the connection as expected:
$ curl -x proxy:3128 -I -k -L https://www.yahoo.com
HTTP/1.1 200 Connection established
curl: (35) Unknown SSL protocol error in connection to www.yahoo.com:443

With SHA1-FP (not delimited): 413072F803CE961210E9A45D10DA14B0D2D48532
in the config-file, squid GET's the site:
$ curl -x proxy:3128 -I -k -L https://www.yahoo.com
HTTP/1.1 200 Connection established

HTTP/1.1 200 OK
Date: Thu, 10 Dec 2015 20:06:11 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR
CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi
UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE
LOC GOV"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=2592000
...
....

Kind regards,
Tom

On Mon, Dec 7, 2015 at 10:30 PM, Alex Rousskov
<rousskov at measurement-factory.com> wrote:
> On 12/07/2015 02:05 PM, Tom Tom wrote:
>> The configuration provided by Alex works for me (squid 3.5.11)
>
> Thank you for testing and helping expose problems.
>
>
>> if:
>> * the http_port-directive is configured with ssl-bump and a
>> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
>
> ssl-bump is required to access SSL/TLS peeking code. Now way around that
> today although future Squid versions may provide something like an
> ssl-peek port option that tells Squid that no bumping, for any reason
> (including error serving) is permitted on that port.
>
> Specifying root CA is required to serve certificate validation (and
> other) errors, but we probably should be more flexible and allow no-CA
> splice-or-terminate configurations as well.
>
> Related enhancement requests in bugzilla are welcomed, especially if
> they are followed by quality patches.
>
>
>> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
>> two characters with a colon
>> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
>> ar***krebs.de)
>
> If Squid silently misinterprets colon-less fingerprints, it is a bug
> that should be reported and fixed. Squid should either interpret them
> correctly or exit with a configuration error.
>
>
> Thank you,
>
> Alex.
>
>
>
>> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
>> <rousskov at measurement-factory.com> wrote:
>>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>>>> * Alex Rousskov <rousskov at measurement-factory.com>:
>>>>> Please note that if you do not want to bump anything, then the following
>>>>> should also work (bugs notwithstanding):
>>>>>
>>>>>     ssl_bump splice whitelist
>>>>>     ssl_bump peek all
>>>>>     ssl_bump terminate blacklist
>>>>>     ssl_bump splice all
>>>>
>>>> That doesn't seem to work for me (squid 3.5.2)
>>>
>>>> Yet I still can connect. What am I doing wrong?
>>>
>>> If you are indeed using v3.5.2, then that is a big red flag.
>>>
>>> If you are using the latest v3.5 release, then you should open a bug
>>> report, preferably with an ALL,9 log depicting a single failing
>>> transaction. AFAICT, the above is meant to work. If it does not, there
>>> is either a Squid bug or misconfiguration [that I cannot detect by
>>> reading email].
>>>
>>>
>>> Thank you,
>>>
>>> Alex.
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>