[squid-users] SSL-bump certificate issues (mostly on Chrome, when accessing Google websites)

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Fri Feb 6 05:10:00 UTC 2015


Dear all,

I recently compiled squid-3.4.9 with ssl-bump support and, although it is
working for the most part, I'm having some issues accessing some websites.

The behavior is REALLY weird so I'm going to try and describe it the best I
can:
- If I access https://www.google.com/ in Chrome, I could see that it was
processing my certificate MOST of the times...
*screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg
- some other times, it seemed to bypass my proxy altogether and I finally
figured out it was because Chrome will try to access QUIC enabled websites
using that protocol, so it would bypass my firewall redirect rules! I
believe I now have solved this by blocking FORWARDING traffic on port 443
udp...
- the weird thing is that, if I then try and access https://gmail.com, I
get a certificate error:
*screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#1
- ...though, sometimes, I can access https://mail.gmail.com/ just fine
(without any certificate errors), but stop being able to as soon as I try
to access https://gmail.com/ and the browser complains about the
certificate.
-- and, according to my tests, I can access it from firefox just fine MOST
of the times:
*screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#2
-- though I have also seen situations where Firefox also complains about a
certificate error when connecting to gmail.com
- and, although I cannot reproduce it 100% of the times, sometimes, even
though I have my iptables redirect rules ON, the browser still seems to
"connect direct" (or, at least, it shows it has the original certificate)!
-- like I said, at first, I was able to trace this back to QUIC in Chrome
but...I'm currently blocking traffic on port 443 udp so I don't know what's
happening here (does it use different ports?!)

So, here are *my questions*:
- why am I able to successfully ssl-bump https://www.google.com but not
https://gmail.com/
- why does Chrome freak out about gmail but not Firefox?
- Is there a way to fix it OR, at least, to bypass it? (I tried creating an
ACL for this and allowing direct traffic but it didn't seem to work...)
-- can we make the connection go direct when ssl certificate errors are
detected?
- and has anyone else seen this problem where the browser seems to use the
original certificate, even though I'm redirecting traffic to Squid?

Not sure if this is relevant, but here are some ssl errors I caught on my
cache.log file:
root at server:/var/log/squid3# tail cache.log
2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:23 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/05 21:48:54 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 105: Closed by client
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 54: Broken pipe (32)
2015/02/05 21:49:24 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Closed by client
2015/02/05 21:49:55 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: Closed by client
2015/02/05 21:50:26 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 45: Closed by client
2015/02/05 21:50:56 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 68: Closed by client
root at server:/var/log/squid3#

By the way, here's how I generated my certificate:
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
openssl x509 -in myCA.pem -outform DER -out certificate.der
(note: myCA.pem is the certificate that squid is using and certificate.der
is the one I've been installing on the client computers)

And here's what my current squid.conf looks like:
root at server:/etc/squid3/ssl_cert# cat /etc/squid3/squid.conf
#Access Lists
acl home_network src 192.168.200.0/24

#Ports allowed through Squid
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl SSL_ports port 443
acl SSL method CONNECT
acl CONNECT method CONNECT

#allow/deny
http_access allow home_network
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem
acl broken_sites dstdomain .gmail.com
ssl_bump none localhost
ssl_bump none broken_sites
ssl_bump server-first all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/share/squid3/var/lib/ssl_db -M 4MB
sslcrtd_children 5

#caching directory
cache_dir ufs /var/spool/squid3 1024 16 128
cache_mem 1024 MB

#refresh patterns for caching static files
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern . 0 40% 40320

dns_nameservers 8.8.8.8

#rewrite program
redirect_program /etc/squid3/filter.php
root at server:/etc/squid3/ssl_cert#

Thanks in advance,
Luis
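Added example (not part of the original post): a small parser for the clientNegotiateSSL lines quoted above, which separates the client-side TLS alerts (such as "unknown ca", meaning the browser did not accept the bumping CA's chain) from plain connection closures, so a cache.log can be triaged per failure reason. The sample lines are constructed from the excerpt in the post; a real cache.log keeps each entry on one line.

```python
import re
from collections import Counter

# Constructed sample modelled on the cache.log excerpt in the post.
SAMPLE_LOG = """\
2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
2015/02/05 21:49:24 kid1| Starting new helpers
"""

# One Squid cache.log entry for a failed client-side TLS handshake.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"clientNegotiateSSL: Error negotiating SSL connection on FD (?P<fd>\d+): (?P<reason>.*)$"
)
# OpenSSL error string "error:<code>:<lib>:<func>:<detail>", optionally followed
# by the trailing "(n/n)" counters Squid appends.
OPENSSL_RE = re.compile(
    r"^error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<detail>.*?)(?: \(\d+/\d+\))?$"
)


def parse_line(line):
    """Return a dict for a clientNegotiateSSL error line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason")
    om = OPENSSL_RE.match(reason)
    if om:
        # A TLS alert sent by the client, e.g. "tlsv1 alert unknown ca".
        category, code = om.group("detail"), om.group("code")
    else:
        # Socket-level failure; drop the errno suffix such as "(32)".
        category, code = re.sub(r" \(\d+\)$", "", reason), None
    return {"ts": m.group("ts"), "fd": int(m.group("fd")),
            "reason": reason, "category": category, "code": code}


def client_distrusts_ca(record):
    """True when the client explicitly rejected the issuer of the bumped certificate."""
    return "unknown ca" in record["category"]


def summarize(text):
    """Count handshake failures per category across a cache.log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec["category"]] += 1
    return counts


if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {category}")
```

Running it against a full cache.log shows whether failures are dominated by clients that do not trust the CA (a client-side trust install problem) or by plain closures, which the post's excerpt alone cannot distinguish.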