[squid-users] ssl_bump with cache_peer problem: Handshake fail after Client Hello.

adam900710 adam900710 at gmail.com
Tue Jul 7 01:24:34 UTC 2015


OK, it seems that CONNECT+SSL/TLS is really not supported yet...

So I use proxychains and allow_direct without cache_peer.
And things work:
------
* ALPN, server did not agree to a protocol
* Server certificate:
*      subject: CN=www.google.com
*      start date: 2015-07-06 07:17:41 GMT
*      expire date: 2018-04-25 07:17:41 GMT
*      issuer: C=XX; ST=XXXXX; L=XXXXX; O=XXXXX; OU=Linux; CN=Splice
SSL; emailAddress=XXXXX at XXXXX
*      SSL certificate verify result: self signed certificate in
certificate chain (19), continuing anyway.
------

Thanks everyone for the help.

2015-07-07 9:12 GMT+08:00 adam900710 <adam900710 at gmail.com>:
> Some extra clue:
>
> Cache log says:
> ------
> 2015/07/07 08:55:54 kid1| Accepting SSL bumped HTTP Socket connections
> at local=[::]:3128 remote=[::] FD 23 flags=9
> 2015/07/07 08:55:55 kid1| storeLateRelease: released 0 objects
> 2015/07/07 08:55:57 kid1| assertion failed: PeerConnector.cc:116:
> "peer->use_ssl"
> ------
>
> So I tried adding "ssl" at the end of "cache_peer" directive.
> And it still fails but with different error, squid error page now.
>
> Google also found some mail archive from Amos, which implies that,
> squid doesn't yet support
> CONNECT + SSL/TLS cache_peer.
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Behind-enemy-lines-squid-behind-proxy-td4668223.html
>
> If so, I think I'd better seek other solutions like use direct_allow
> with tsocks/proxychains...
>
> Thanks.
>
> 2015-07-07 8:54 GMT+08:00 adam900710 <adam900710 at gmail.com>:
>> Tried your config in my environment.
>> Although curl can get to the sites through privoxy, just like the log says:
>> ------
>> 1436230195.213    432 ::1 TCP_TUNNEL/200 4146 CONNECT
>> www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -
>> ------
>>
>> But the certificate got is still the original one, not the fake one:
>> ------
>> * Server certificate:
>> *      subject: C=US; ST=California; L=Mountain View; O=Google Inc;
>> CN=www.google.com
>> *      start date: 2015-06-18 08:52:56 GMT
>> *      expire date: 2015-09-16 00:00:00 GMT
>> *      issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
>> *      SSL certificate verify ok.
>> ------
>>
>> Does it work only in 3.4?
>> Anyway, I'll try to downgrade squid and try it again.
>>
>> Thanks
>>
>> 2015-07-06 22:23 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>>>
>>> I use 3.4 version. Yes, this is old directives.
>>>
>>> 3.5.x, in my opinion, doesn't do SSL Bump in a NAT transparent interception
>>> environment.
>>>
>>> 06.07.15 20:21, adam900710 writes:
>>>> 2015-07-06 22:05 GMT+08:00 Yuri Voinov <yvoinov at gmail.com>:
>>>>>
>>>> My own solution in conjunction with Tor + Privoxy looks like this (Note:
>>>> for Squid 3.4.13):
>>>>
>>>> # Tor acl
>>>> acl tor_url url_regex -i "/usr/local/squid/etc/url.tor"
>>>>
>>>> # SSL bump rules
>>>> sslproxy_cert_error allow all
>>>> ssl_bump none localhost
>>>> ssl_bump none url_nobump
>>>> ssl_bump none dst_nobump
>>>> ssl_bump server-first net_bump
>>>> > This seems to be an old config directive.
>>>> > The new corresponding one should be "ssl_bump bump net_bump"
>>>>
>>>> > And, no "peek" one? Or that's the problem?
>>>>
>>>> > Thanks.
>>>>
>>>> # Privoxy+Tor access rules
>>>> never_direct allow tor_url
>>>> always_direct deny tor_url
>>>> always_direct allow all
>>>>
>>>> # And finally deny all other access to this proxy
>>>> http_access deny all
>>>>
>>>> # Local Privoxy is cache parent
>>>> cache_peer 127.0.0.1 parent 8118 0 no-query no-digest default
>>>>
>>>> cache_peer_access 127.0.0.1 allow tor_url
>>>> cache_peer_access 127.0.0.1 deny all
>>>>
>>>> http_port 3127
>>>> http_port 3128 intercept
>>>> https_port 3129 intercept ssl-bump generate-host-certificates=on
>>>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA.crt
>>>> key=/usr/local/squid/etc/rootCA.key
>>>> > I also tried such config.
>>>> > With such "http_port" and "http_port intercept" with ssl-bump at last.
>>>> > Although curl works under test, the certificate is not the fake one.
>>>> > (Issuer is not my fake one)
>>>> > So I consider the ssl-bump not working in that case.
>>>>
>>>> > I'd like to reply when I set it up later to test.
>>>>
>>>> > Thanks
>>>>
>>>> sslproxy_capath /etc/opt/csw/ssl/certs
>>>> sslproxy_options NO_SSLv2 NO_SSLv3
>>>> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M
>>>> 4MB
>>>>
>>>> Generally,
>>>>
>>>> works like charm.
>>>>
>>>> 06.07.15 15:22, adam900710 writes:
>>>> >>> Hi all,
>>>> >>>
>>>> >>> I tried to build an SSL bumping proxy with an up level proxy, but the client
>>>> >>> failed to connect like the following.
>>>> >>>
>>>> >>> The error:
>>>> >>> ---
>>>> >>> $ curl https://www.google.co.jp -vvvv -k
>>>> >>> * Rebuilt URL to: https://www.google.co.jp/
>>>> >>> * Trying ::1...
>>>> >>> * Connected to localhost (::1) port 3128 (#0)
>>>> >>> * Establish HTTP proxy tunnel to www.google.co.jp:443
>>>> >>>> CONNECT www.google.co.jp:443 HTTP/1.1
>>>> >>>> Host: www.google.co.jp:443
>>>> >>>> User-Agent: curl/7.43.0
>>>> >>>> Proxy-Connection: Keep-Alive
>>>> >>>>
>>>> >>> < HTTP/1.1 200 Connection established
>>>> >>> <
>>>> >>> * Proxy replied OK to CONNECT request
>>>> >>> * ALPN, offering http/1.1
>>>> >>> * Cipher selection:
>>>> ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
>>>> >>> * successfully set certificate verify locations:
>>>> >>> * CAfile: /etc/ssl/certs/ca-certificates.crt
>>>> >>> CApath: none
>>>> >>> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
>>>> >>> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
>>>> >>> * Unknown SSL protocol error in connection to www.google.co.jp:443
>>>> >>> * Closing connection 0
>>>> >>> curl: (35) Unknown SSL protocol error in connection to
>>>> www.google.co.jp:443
>>>> >>> ---
>>>> >>>
>>>> >>> My squid.conf:
>>>> >>> ---
>>>> >>> # default acls/configs are ignored
>>>> >>> cache_peer 127.0.0.1 parent 8118 0 default no-digest proxy-only
>>>> >>> never_direct allow all
>>>> >>> ssl_bump peek all
>>>> >>> ssl_bump bump all
>>>> >>> http_port 3128 ssl-bump \
>>>> >>> cert=/etc/squid/ssl/ca.crt \
>>>> >>> key=/etc/squid/ssl/ca.key \
>>>> >>> generate-host-certificates=on \
>>>> >>> dynamic_cert_mem_cache_size=4MB
>>>> >>> ---
>>>> >>>
>>>> >>> From the cache_peer port, someone may notice that I'm using privoxy.
>>>> >>> That's right, as I need to redirect the ssl traffic to SOCKS5 proxy,
>>>> >>> or I can't ever access some sites.
>>>> >>>
>>>> >>> Here are some of my experiments:
>>>> >>> 1) Remove "never_direct"
>>>> >>> Then ssl_bump works as expected, but all traffic doesn't go through
>>>> >>> the SOCKS5 proxy. So there are a lot of sites I can't access.
>>>> >>>
>>>> >>> 2) Use local 8118 proxy
>>>> >>> That works fine without any problem, but SSL_dump is needed...
>>>> >>> So that just proves privoxy is working.
>>>> >>>
>>>> >>> Any clue?
>>>> >>>
>>>> >>> Thanks
>>>> >>> _______________________________________________
>>>> >>> squid-users mailing list
>>>> >>> squid-users at lists.squid-cache.org
>>>> >>> http://lists.squid-cache.org/listinfo/squid-users
>>>>
>>>>>
>>>
>>>
>>>
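The check this thread performs by hand several times (does the client see a certificate issued by the bumping CA, or the origin's real issuer?) as a small diagnostic, added here as an example and not code from the thread or from the Squid project. It parses curl's "* Server certificate:" block, including the lines curl wraps, and the native access.log line shown above, where TCP_TUNNEL with FIRSTUP_PARENT means the CONNECT was relayed to the parent untouched; the bumping CA's CN "Splice SSL" is taken from the message above and the sample inputs are constructed.

```python
import re
# Constructed samples modelled on the thread's curl -v output and access.log line; not real captures.
CURL_BUMPED = """\
* Server certificate:
*      subject: CN=www.google.com
*      issuer: C=XX; ST=XXXXX; L=XXXXX; O=XXXXX; OU=Linux; CN=Splice
SSL; emailAddress=XXXXX at XXXXX
"""
CURL_PASSTHROUGH = """\
* Server certificate:
*      subject: C=US; ST=California; L=Mountain View; O=Google Inc;
CN=www.google.com
*      issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*      SSL certificate verify ok.
"""
ACCESS_TUNNEL = "1436230195.213    432 ::1 TCP_TUNNEL/200 4146 CONNECT www.google.com:443 - FIRSTUP_PARENT/127.0.0.1 -"
ACCESS_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+(\w+)/(\d+)\s+\d+\s+(\w+)\s+(\S+)\s+\S+\s+([A-Z_]+)/(\S+)")

def parse_curl_cert(text):
    """Map curl's '* Server certificate:' fields, re-joining lines curl wrapped."""
    fields, key = {}, None
    for line in text.splitlines():
        m = re.match(r"\*\s+([^:]+):\s*(.*)", line)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2).strip()
        elif line.startswith("*"):
            key = None                       # e.g. 'SSL certificate verify ok.'
        elif key:
            fields[key] += " " + line.strip()  # continuation of a wrapped field
    return fields

def parse_rdn(rdn):
    """'C=US; O=Google Inc; CN=x' -> {'C': 'US', 'O': 'Google Inc', 'CN': 'x'}"""
    return dict(p.strip().split("=", 1) for p in rdn.split(";") if "=" in p)

def parse_access_line(line):
    """Squid native access.log line -> result, status, method, url, hier, peer."""
    m = ACCESS_RE.match(line)
    return m and dict(zip(("result", "status", "method", "url", "hier", "peer"), m.groups()))

def bump_status(curl_text, bump_ca_cn, access_line=None):
    """'bumped' if the leaf cert the client saw came from our bumping CA, else 'passthrough'."""
    issuer = parse_rdn(parse_curl_cert(curl_text).get("issuer", ""))
    notes = []
    a = parse_access_line(access_line) if access_line else None
    if a and a["result"] == "TCP_TUNNEL" and a["hier"] == "FIRSTUP_PARENT":
        notes.append("CONNECT relayed as an opaque tunnel to parent " + a["peer"])
    verdict = "bumped" if issuer.get("CN") == bump_ca_cn else "passthrough"
    return verdict, issuer.get("CN"), notes
```

Running `bump_status` on a fresh `curl -v` capture together with the matching access.log line tells you in one place whether the bump happened and whether the CONNECT merely went through the parent as a tunnel.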

