[squid-users] SSL-bump certificate issues (mostly on Chrome, when accessing Google websites)

Yuri Voinov yvoinov at gmail.com
Fri Feb 6 08:05:02 UTC 2015


First. Where can your cache find the OpenSSL public CA certs? To validate
the connection from the cache to the server, Squid must see the root CA
certificates.

I.e. (from my configuration. Note: all Google services are bumped and work
perfectly):

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt key=/usr/local/squid/etc/rootCA.key capath=/etc/opt/csw/ssl/certs

Second. The OpenSSL CA bundle is not complete. You must add ALL
intermediate and missing root CAs and run c_rehash.

Third. Where are

sslproxy_cert_error allow all

and

sslproxy_flags DONT_VERIFY_PEER

in your configuration? Yes, this is dangerous, but it permits suppressing
errors on some sites.

And finally - you can't bypass ssl bump on 3.4.x using dstdomain ACLs.
Only IP-based dst ACLs are usable.

Regards,
Yuri.

06.02.2015 11:10, Luis Miguel Silva wrote:
> Dear all,
>
> I recently compiled squid-3.4.9 with ssl-bump support and, although it
> is working for the most part, I'm having some issues accessing some
> websites.
>
> The behavior is REALLY weird so I'm going to try and describe it the
> best I can:
> - If I access https://www.google.com/ in Chrome, I could see that it
> was processing my certificate MOST of the time...
> *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg
> - some other times, it seemed to bypass my proxy altogether and I
> finally figured out it was because Chrome will try to access QUIC
> enabled websites using that protocol, so it would bypass my firewall
> redirect rules! I believe I now have solved this by blocking FORWARDING
> traffic on port 443 udp...
> - the weird thing is that, if I then try and access https://gmail.com,
> I get a certificate error:
> *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#1
> - ...though, sometimes, I can access https://mail.gmail.com/ just fine
> (without any certificate errors), but stop being able to as soon as I
> try to access https://gmail.com/ and the browser complains about the
> certificate.
> -- and, according to my tests, I can access it from Firefox just fine
> MOST of the time:
> *screenshot here*: http://imgur.com/JsNiqDL,Ned5zAU,nJjRPtg#2
> -- though I have also seen situations where Firefox also complains
> about a certificate error when connecting to gmail.com
> - and, although I cannot reproduce it 100% of the time, sometimes,
> even though I have my iptables redirect rules ON, the browser still
> seems to "connect direct" (or, at least, it shows it has the original
> certificate)!
> -- like I said, at first, I was able to trace this back to QUIC in
> Chrome but... I'm currently blocking traffic on port 443 udp so I don't
> know what's happening here (does it use different ports?!)
>
> So, here are *my questions*:
> - why am I able to successfully ssl-bump https://www.google.com/
> but not https://gmail.com/?
> - why does Chrome freak out about gmail but not Firefox?
> - Is there a way to fix it OR, at least, to bypass it? (I tried
> creating an ACL for this and allowing direct traffic but it didn't seem
> to work...)
> -- can we make the connection go direct when ssl certificate errors
> are detected?
> - and has anyone else seen this problem where the browser seems to use
> the original certificate, even though I'm redirecting traffic to Squid?
>
> Not sure if this is relevant, but here are some ssl errors I caught in
> my cache.log file:
> root@server:/var/log/squid3# tail cache.log
> 2015/02/05 21:47:52 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
> 2015/02/05 21:48:23 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 30: Closed by client
> 2015/02/05 21:48:36 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 96: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
> 2015/02/05 21:48:54 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 105: Closed by client
> 2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Broken pipe (32)
> 2015/02/05 21:49:15 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 54: Broken pipe (32)
> 2015/02/05 21:49:24 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 79: Closed by client
> 2015/02/05 21:49:55 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 26: Closed by client
> 2015/02/05 21:50:26 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 45: Closed by client
> 2015/02/05 21:50:56 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 68: Closed by client
> root@server:/var/log/squid3#
>
> By the way, here's how I generated my certificate:
> openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
> openssl x509 -in myCA.pem -outform DER -out certificate.der
> (note: myCA.pem is the certificate that squid is using and
> certificate.der is the one I've been installing on the client computers)
>
> And here's what my current squid.conf looks like:
> root@server:/etc/squid3/ssl_cert# cat /etc/squid3/squid.conf
> #Access Lists
> acl home_network src 192.168.200.0/24
>
> #Ports allowed through Squid
> acl Safe_ports port 80 #http
> acl Safe_ports port 443 #https
> acl SSL_ports port 443
> acl SSL method CONNECT
> acl CONNECT method CONNECT
>
> #allow/deny
> http_access allow home_network
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/myCA.pem
> acl broken_sites dstdomain .gmail.com
> ssl_bump none localhost
> ssl_bump none broken_sites
> ssl_bump server-first all
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /usr/share/squid3/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> #caching directory
> cache_dir ufs /var/spool/squid3 1024 16 128
> cache_mem 1024 MB
>
> #refresh patterns for caching static files
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|doc|tiff)$ 10080 90% 43200 override-expire ignore-no-cache ignore-no-store ignore-private
> refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
> refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
> refresh_pattern . 0 40% 40320
>
> dns_nameservers 8.8.8.8
>
> #rewrite program
> redirect_program /etc/squid3/filter.php
> root@server:/etc/squid3/ssl_cert#
>
> Thanks in advance,
> Luis
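An added check, not part of this thread, for the capath prerequisite Yuri raises (points one and two): OpenSSL, and therefore Squid's capath lookup, only finds a CA through the hash-named links that c_rehash creates, so a directory holding the right certificate but not rehashed still fails verification. The script builds a throwaway root CA and a server certificate signed by it in a temp directory (all names and subjects are invented) and verifies the server cert against the directory before and after rehashing; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the thread): shows why a Squid capath directory
# must be c_rehash'ed. Builds constructed test certs, then verifies the
# leaf against the directory before and after creating the hash links.
set -u

# Returns 0 if openssl can build the chain for LEAF ($2) using CAPATH ($1).
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Creates the hash-named links the way c_rehash does; prefers the built-in
# `openssl rehash` (OpenSSL >= 1.1) and falls back to c_rehash on older installs.
rehash_dir() {
    openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1
}

# Runs the whole demonstration and prints both outcomes. Returns 0 when the
# result is as expected: verification fails before rehash and passes after.
demo_capath_rehash() {
    work=$(mktemp -d) || return 2
    capath="$work/certs"
    mkdir -p "$capath"
    # Throwaway root CA (constructed; plays the role of rootCA.crt in Yuri's config)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$work/ca.key" -out "$capath/rootCA.crt" >/dev/null 2>&1 || return 2
    # Server key and CSR for an invented host, signed by the test CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$work/srv.key" -out "$work/srv.csr" >/dev/null 2>&1 || return 2
    openssl x509 -req -in "$work/srv.csr" -CA "$capath/rootCA.crt" \
        -CAkey "$work/ca.key" -set_serial 1 -days 1 \
        -out "$work/srv.crt" >/dev/null 2>&1 || return 2
    # Same certificate, same directory: only the hash links differ
    if verify_with_capath "$capath" "$work/srv.crt"; then before=pass; else before=fail; fi
    rehash_dir "$capath"
    if verify_with_capath "$capath" "$work/srv.crt"; then after=pass; else after=fail; fi
    echo "capath verify before rehash: $before, after rehash: $after"
    rm -rf "$work"
    [ "$before" = fail ] && [ "$after" = pass ]
}

demo_capath_rehash
```

The same before/after check, pointed at the real capath directory and a certificate fetched from the target site, tells you whether a "tlsv1 alert unknown ca" comes from a missing CA or merely from a directory that was never rehashed.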
