[squid-users] Squid ssl-bumping: how does squid verify certificates?

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 23 18:10:48 UTC 2015


On 24/01/2015 6:20 a.m., agent_js03 wrote:
> Hi,
> 
> I am kind of a newbie to SSL, and have been tinkering with squid SSL bumping
> for https, so bear with me if this question has already been discussed. So
> here is my understanding of how HTTPS works: a browser has a sort of local
> repository of trusted certificates, correct?

Correct.

> And when you access an HTTPS
> website it searches through these certificates and determines whether one is
> to be trusted or not. So I've set up squid for SSL bumping and have added my
> squid certificate to my browser's list of trusted certificates. However, the
> way SSL now works is that squid intercepts my HTTPS request and I never
> actually see the certificate sent from the original server, correct?

Maybe. It depends on how the bumping is done.

The splice and none modes in their respective Squid versions make it
pass-thru the SSL traffic from server to client, so you do see the
server details in full.

The mimic feature generates a certificate from Squid cloning as much as
possible from the original server cert; both good and bad details are
copied. So the client can see how broken the server cert is, and in
which ways, even if some particular values are slightly different.


> So what
> I want to know is how does squid know whether the certificate is valid or
> not?

The OpenSSL library used by Squid performs mostly the same checks the
browsers are doing to validate the certificate. Then Squid (recent
releases) also passes certificate chains through a configurable helper
validator that can perform additional checks if you so wish.

In theory the set of "Trusted Certificate Authorities" is a global set,
but it does vary depending on who provided the list and how up to date
your copy is. The browser vendors have their own processes of
determining trust and generate their own lists.

On your Squid machine it is probably in a system package called
"ca-certificates" or "snakeoil" provided by your OS vendor or OpenSSL
packager. The ones I see most mention of origins for are based on the
Mozilla project's trusted CA list - though yours may not be.


> I am afraid of getting a man-in-the-middle attack since it is squid
> that verifies certificates and not my client. Or is my understanding
> incorrect?

The one thing you can guarantee is that you *ARE* absolutely getting
MITM'd. By your Squid itself if not some other way. The "SSL-Bump" is an
MITM on HTTPS protocol.

To ensure that Squid is at least doing its best to validate, stay away
from the various DONT_VERIFY_* options you see some tutorials
recommending. They actively disable validation.


> Does squid have this same list of trusted sources and if not can
> I set it up myself?

See above, and yes, you can add/remove trusted CA entries yourself. I
believe the openssl UI tools have ways to do it, though I'm not familiar
enough with them to point you directly at how, sorry.

Amos

