[squid-users] Squid 3 SSL bump: Google drive application could not connect

Eliezer Croitoru eliezer at ngtech.co.il
Mon Jan 5 16:28:54 UTC 2015



On 01/05/2015 05:18 PM, Yuri Voinov wrote:
> We aren't filtering non-HTTP over port 443. Just recognize and
> pass.

So let's separate out security, which is one of the goals of squid and
which some like and others don't.

For now squid 3.4 is stable, 3.5 is in beta and trunk is not for
public use.
In 3.5 there will be a new feature called peek and splice that gives
an interface to squid and the admin which will allow the admin to know
a couple of things about the connection from squid, and specifically,
first, the client TLS request.
Once squid bumps a connection there are a couple of steps until the
connection is fully established between the client and the server:
- receive the TCP connection from the client
- BUMP server or client FIRST
- determine what certificate to send to the client based on the server's
initial ssl response
- fake it
- send it to the client
- MITM between two tls connections on the proxy while inspecting the
content in the software layer.

Peek and splice will add another step between the first part and the
second, which will allow SNI usage.
All the above is to allow better BUMPING.
There might be, or will probably be, an interface that will identify or
will try to identify, inside the current stages of the connection
bumping, if the connection is indeed TLS or another one.
The first step of peek and splice can identify if the connection from
the client side has started using valid TLS/SSL headers.

Leaving aside all the BUMPING yes or no, you (Yuri) need a very specific
tool or want a very specific tool.
The basic interface of the external_acl can provide enough data on the
connection in order to enforce some rules.
You can either use the client IP address or just the destination IP
and PORT.

I cannot speak for the squid project but I am almost sure that the
squid project will not provide you with an official helper and will
not support it.
However squid external_acl is there especially to help others achieve
what they want using a variety of parameters from squid internals.
The external_acl interface provides internal caching which supports
caching ttl with different values for the two options, either allow (OK)
or deny (ERR).

My suggestion stays: don't use sqlite if possible.
There is a sketch for a helper like you seem to want.
Take the glove and write pseudo code for the helper idea based on
these assumptions:
- There is a DB which can store timestamps, ip, port, result of test, etc.
- There is a way to check if the certificate is valid and the server
works with TLS/SSL
- There is no way for the helper to know that a certificate is pinned
- There is a way to add static records to the DB (web interface, cli)
- All the requests will come from the proxy IP address and can be
identified by some as an attack.
- ufdbguard does not meet your needs since it uses the url_rewrite
interface and doesn't have the functionality you need.

The best I have seen until now was the python helper.
If in a couple (4-5) of months nobody does something with this, I will
then see what can be done with it, if anything.

Eliezer

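The helper idea sketched in the post above, written out as an added Python example (not code from the original post or from the Squid project): an external_acl helper that answers OK or ERR depending on whether the destination IP:port completes a TLS handshake with a certificate that validates against the system trust store, remembering results in a store so the probe is not repeated on every request. The `%DST %PORT` request format, the in-memory dict standing in for the DB, and the one-hour cache lifetime are assumptions; hostname matching is skipped because at this stage of bumping only an IP is known.

```python
#!/usr/bin/env python3
"""Squid external_acl helper sketch: is this TCP destination a TLS server
with a certificate that validates?  Squid feeds one request per line and
expects OK or ERR back (with a leading channel-ID echoed when the helper
is started with concurrency=N).  BH signals a helper-side failure."""
import socket
import ssl
import sys
import time

# Stand-in for the "DB" from the sketch: (ip, port) -> (result, timestamp).
# A dict here; a persistent store would replace it (assumption).
CACHE = {}
CACHE_TTL = 3600  # seconds a probe result is trusted (assumed value)

def probe_tls(ip, port, timeout=5.0):
    """Real check: complete a TLS handshake and verify the server's chain
    against the system trust store.  Only an IP is known here (no SNI in
    this bumping stage), so hostname matching is deliberately skipped."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # no hostname, only an IP:port
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain must still validate
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False

def decide(line, probe=probe_tls, now=time.time):
    """Turn one request line ('[channel-ID] %DST %PORT') into a response."""
    fields = line.split()
    channel = ""
    if len(fields) == 3:                 # concurrency=N prepends a channel-ID
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 2 or not fields[1].isdigit():
        return channel + "BH"            # malformed input, not a deny
    ip, port = fields[0], int(fields[1])
    hit = CACHE.get((ip, port))
    if hit is None or now() - hit[1] > CACHE_TTL:   # miss or expired
        hit = (probe(ip, port), now())
        CACHE[(ip, port)] = hit
    return channel + ("OK" if hit[0] else "ERR")

if __name__ == "__main__":
    # Squid's helper protocol: read requests from stdin, answer on stdout.
    for request in sys.stdin:
        sys.stdout.write(decide(request) + "\n")
        sys.stdout.flush()
```

Squid's own `ttl=` and `negative_ttl=` options on `external_acl_type` cache the OK and ERR answers in front of this helper, so the helper's store only has to avoid re-probing the same destination between those cache expiries.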