[squid-users] ssl_crtd breaks after short time

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 4 11:24:56 UTC 2015


On 4/06/2015 7:55 p.m., Klavs Klavsen wrote:
> Hi Amos,
> 
> I tried taking the config from James.. but I have the exact same issue
> as described below :(
> 
> After adding the extra logging from James config - I get this in
> access_log:
> 1433404085.331      0 10.47.171.244 TCP_DENIED/200 0 CONNECT
> 216.58.209.106:443 - HIER_NONE/- -
> 
> which makes it seem as if squid does NOT see the url I'm trying to
> access :(

That log line is generated *before* TLS bumping is started. All Squid is
working with at that point is the TCP SYN packet details.

The DENIED makes sense because all your http_access allow rules require
"scheme://..." absolute-URI syntax, which never exists in CONNECT, even
if a domain name is known. HTTP CONNECT requests *always* contain
authority-URI syntax URLs (IP:port or hostname:port).

The 200 is odd. It implies that Squid spliced or bumped the connection
despite the denial. Though it's probably just a default value slipping in
wrongly from somewhere.


> 
> Remember all this worked with 3.4.12 :(

No, the code does not even exist in those older "working" versions.


Squid 3.1, 3.2 bumping:
 fetch the ClientHello and bump

Squid 3.3, 3.4 bumping:
 fetch the ClientHello and maybe bump, or ...
 fetch the ServerHello and bump with mimic certs.

Squid 3.5 bumping:
 fetch TCP details (fake a CONNECT IP:port request), check if pass-thru,
or ...
 fetch TLS ClientHello, check what to do and do it, or ...
 fetch TLS ServerHello, check what to do and do it.


What you are seeing in access.log is that new first step.


> 
> My config as it is now:
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> 
> #only contains one ip range - which I'm not accessing
> #I don't quite understand what the purpose of this "broken" thing
> # is and what it does :(

AFAIK it lists IPs of servers where TLS is being used properly so
bumping does not work, or TLS used so badly that they break when bumped.
It's hard to tell automatically, but if Squid can identify such by itself
it will just splice. This is to catch the other cases.

It's your choice whether you allow them to try and bump based on server
cert details at step3, or to outright reject.

The way it's used here those servers will always be spliced even if SNI
and/or cert domain are found. The breakage might be a cipher choice, for
example.


> acl broken dst "/etc/squid/broken.txt"
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> ssl_bump peek step1 broken
> ssl_bump peek step2 broken
> ssl_bump splice broken
> ssl_bump peek step1 all
> ssl_bump peek step2 all
> ssl_bump bump all
> 
> sslproxy_capath /etc/ssl/certs
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> 
> # user-defined ACLs
> acl okweb-urls url_regex ^http://www.youtube.com/ ^http://vimeo.com/api/oembed.json$ ^https://www.google.com/accounts/ClientLogin$ ^https://www.googleapis.com/analytics/
> acl testurls url_regex ^http://www.dr.dk/$ ^https://www.google.dk/$
> acl testbox src 10.xx.138.168
> acl testsrv1 src 10.xx.130.50
> 
> http_access allow testurls testbox
> http_access allow testurls testsrv1
> http_access allow okweb-urls testsrv1


Where are the rules that will allow the CONNECT raw-IP:port request
through to start bumping? The url_regex ACLs do not match for them.

I suggest:
 acl bumpedPorts myportname 3129
 acl bumpedPorts myportname 3130
 http_access allow CONNECT bumpedPorts


> http_access deny all
> 
> http_port 3128
> coredump_dir                   /var/spool/squid
> maximum_object_size_in_memory  512 KB
> maximum_object_size            4096 KB
> ignore_expect_100              off
> cache_mgr                      root
> client_persistent_connections  on
> server_persistent_connections  on
> access_log                     /var/log/squid/access.log squid
> 
> # user-defined configuration settings from config_hash
> ssl_bump                       server-first all
> sslcrtd_children               8 startup=1 idle=1
> sslcrtd_program                /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
> https_port                     3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ca.cert cafile=/etc/squid/ca.cert key=/etc/squid/ca.private sslflags=NO_SESSION_REUSE
> http_port                      3129 intercept
> 
> logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh %ssl::bump_mode
> 
> access_log syslog:daemon.info mine
> 

Amos
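To make the point above concrete, here is an added example (my own simplified Python model of http_access evaluation, not Squid's code and not from either poster) that runs the quoted http_access rules, and then the same rules with Amos's suggested `allow CONNECT bumpedPorts` line, against the step-1 fake CONNECT taken from the access.log line in the thread. The testbox address is a placeholder for the redacted `10.xx.138.168`, and the ACL semantics are reduced to what the argument needs.

```python
import re
import ipaddress

# Added example, not Squid's code: a small model of http_access evaluation for a
# Squid 3.5 step-1 "fake CONNECT". Rules are checked in order; a rule matches when
# every ACL on it matches ("!" negates); the first matching rule decides.
def acl_src(*nets):
    nets = [ipaddress.ip_network(n) for n in nets]
    return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)

def acl_url_regex(*pats):  # only sees what Squid has at this step: "IP:port"
    pats = [re.compile(p) for p in pats]
    return lambda r: any(p.search(r["url"]) for p in pats)

TESTBOX = "10.0.138.168/32"  # placeholder for the redacted 10.xx.138.168
ACLS = {
    "all": lambda r: True,
    "Safe_ports": lambda r: r["port"] in (80, 21, 443, 70, 210, 280, 488, 591, 777)
                            or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "testurls": acl_url_regex(r"^http://www.dr.dk/$", r"^https://www.google.dk/$"),
    "testbox": acl_src(TESTBOX),
    "bumpedPorts": lambda r: r["myportname"] in ("3129", "3130"),  # Amos's suggestion
}

def http_access(rules, req):
    """Verdict of the first matching rule, else the opposite of the last rule (Squid default)."""
    for verdict, names in rules:
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return verdict
    return "allow" if rules[-1][0] == "deny" else "deny"

QUOTED_RULES = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
                ("allow", ["testurls", "testbox"]), ("deny", ["all"])]
FIXED_RULES = QUOTED_RULES[:2] + [("allow", ["CONNECT", "bumpedPorts"])] + QUOTED_RULES[2:]

# Constructed from the access.log line in the thread: at step 1 Squid only has the
# TCP details, so the URL is authority form with no scheme and no hostname.
FAKE_CONNECT = {"method": "CONNECT", "url": "216.58.209.106:443", "port": 443,
                "src": "10.47.171.244", "myportname": "3130"}
# Constructed: the decrypted request Squid sees only after a successful bump.
INNER_GET = {"method": "GET", "url": "https://www.google.dk/", "port": 443,
             "src": "10.0.138.168", "myportname": "3130"}

if __name__ == "__main__":
    for label, rules in (("quoted", QUOTED_RULES), ("fixed", FIXED_RULES)):
        print(label, http_access(rules, FAKE_CONNECT), http_access(rules, INNER_GET))
```

The quoted rule set denies the fake CONNECT and only the inner GET (which carries an absolute https:// URL after the bump) can ever match the url_regex ACLs; the extra CONNECT rule lets step 1 through so bumping can start.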


