[squid-users] Ssl-bump deep dive (sni and access control) some success

James Lay jlay at slave-tothe-box.net
Sat May 30 15:16:19 UTC 2015


Config first:

####################################################
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443

acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2

ssl_bump peek step1 all
#https_server_names.txt has \.google\.com, \.yahoo\.com, \.msn\.com
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_server_names.txt"

http_access allow all

ssl_bump bump allowed_https_sites
ssl_bump terminate !allowed_https_sites

sslproxy_cert_error allow all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER 
sslproxy_options ALL

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode

access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?)	0	0%	0
refresh_pattern .		0	20%	4320

coredump_dir /opt/var
####################################################


So the above works to bump, and to filter out (the order of these lines absolutely seemed to matter) if the site you go to isn't in the allowed_https_sites acl. The sticking point is the http_access... the above will filter https based on the allowed_https_server_names.txt, but completely allows ALL http, so this isn't complete yet. Below is going to a site in the allowed_https_sites acl:

[08:59:44 jlay at powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 08:59:57--  https://www.msn.com/
Certificates loaded: 173
Resolving www.msn.com (www.msn.com)... 204.79.197.203
Caching www.msn.com => 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443...
connected.
Created socket 4.
Releasing 0x10503f98 (new refcount 1).

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: www.msn.com
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 200 OK
<snip>

May 30 08:59:57 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:57 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" www.msn.com 200 0 TAG_NONE:ORIGINAL_DST peek
May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] "GET https://www.msn.com/ HTTP/1.1" www.msn.com 200 38288 TCP_MISS:ORIGINAL_DST bump

Going to a site not in the allowed_https_sites acl:

[09:02:12 jlay at powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.weather.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 09:04:57--  https://www.weather.com/
Certificates loaded: 173
Resolving www.weather.com (www.weather.com)... 96.17.8.161, 96.17.8.138,
96.17.8.178, ...
Caching www.weather.com => 96.17.8.161 96.17.8.138 96.17.8.178
96.17.8.171
Connecting to www.weather.com (www.weather.com)|96.17.8.161|:443...
connected.
Created socket 4.
Releasing 0x1098c108 (new refcount 1).
GnuTLS: The TLS connection was non-properly terminated.
Closed fd 4
Unable to establish SSL connection.

May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] "CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek

However, changing http_access to "http_access allow allowed_https_sites", I get:

[08:59:58 jlay at powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 09:02:12--  https://www.msn.com/
Certificates loaded: 173
Resolving www.msn.com (www.msn.com)... 204.79.197.203
Caching www.msn.com => 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443...
connected.
Created socket 4.
Releasing 0x10515f98 (new refcount 1).
The certificate's owner does not match hostname ‘www.msn.com’

May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek

Notice that peek did not get the SNI name per the %ssl::>sni in my logging statement. So as of now I have been unable to figure out how to use access control with both http and https. I can do one or the other, but not both so far. Of interest, redirects from http to https do not appear to work:

[08:37:39 jlay at powerbook:~/test$ wget www.yahoo.com
--2015-05-30 08:37:44--  http://www.yahoo.com/
Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.45,
206.190.36.105, 2001:4998:c:a06::2:4008
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:80...
connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.yahoo.com/ [following]
--2015-05-30 08:37:44--  https://www.yahoo.com/
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:443...
connected.
ERROR: The certificate of ‘www.yahoo.com’ is not trusted.
ERROR: The certificate of ‘www.yahoo.com’ hasn't got a known issuer.

May 30 08:37:44 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:44 -0600] "GET http://www.yahoo.com/ HTTP/1.1" - 301 1812 TCP_MISS:ORIGINAL_DST -
May 30 08:37:45 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:45 -0600] "CONNECT 206.190.36.45:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek

Whereas going direct does work:

[08:37:45 jlay at powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.yahoo.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 08:38:27--  https://www.yahoo.com/
Certificates loaded: 173
Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.105,
206.190.36.45, 2001:4998:c:a06::2:4008
Caching www.yahoo.com => 206.190.36.105 206.190.36.45
2001:4998:c:a06::2:4008
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.105|:443...
connected.
Created socket 4.
Releasing 0x107800d8 (new refcount 1).

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: www.yahoo.com
Connection: Keep-Alive

<snip>

---response end---
200 OK
cdm: 1cdm: 1cdm: 1Registered socket 4 for persistent reuse.
URI content encoding = ‘utf-8’
Length: unspecified [text/html]
Saving to: ‘index.html’

May 30 08:38:27 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:27 -0600] "CONNECT 206.190.36.105:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek
May 30 08:38:28 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:28 -0600] "GET https://www.yahoo.com/ HTTP/1.1" www.yahoo.com 200 325776 TCP_MISS:ORIGINAL_DST bump

I'm getting close... Amos, if you're out there, maybe you can shed some light on the above. Been at this for 5 hours now... happy Saturday!

James
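Editor's note, with an added example that is not from the post above nor from the Squid project. The TCP_DENIED line with an empty SNI in the post is consistent with how intercepted TLS is handled: the CONNECT that Squid fabricates at SslBump1 names only the original destination IP:port, so an ssl::server_name_regex ACL has nothing to match yet and "http_access allow allowed_https_sites" falls through to the implicit deny before the peek ever happens. One way around it that applies access control to both plain HTTP and intercepted HTTPS is to let CONNECT to port 443 through http_access, keep the HTTPS allow-list enforcement in ssl_bump (which the post shows working), and filter cleartext URLs, including the decrypted requests Squid sees after a bump, with a dstdomain ACL. The fragment below shows only the ACL, http_access and ssl_bump lines; the http_port/https_port, sslcrtd, logging and cache directives from the original config are assumed unchanged, and the dstdomain list is assumed to hold the same three domains as the original https_server_names.txt.

```squid
# Added example (not the original poster's config): access control for
# plain HTTP and intercepted HTTPS together. Assumes the port, sslcrtd,
# logformat and refresh_pattern lines from the original squid.conf are
# kept as they were.

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

acl step1 at_step SslBump1

# The same allow-list in two forms. dstdomain is matched against URLs
# Squid sees in the clear: plain HTTP requests and the decrypted GETs
# that follow a bump (those pass through http_access again with the real
# https:// URL, so this list must cover the HTTPS domains too).
# server_name_regex is matched against the SNI read while peeking at
# the TLS ClientHello; the file is assumed to contain the same three
# patterns as in the original post.
acl allowed_sites dstdomain .google.com .yahoo.com .msn.com
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_server_names.txt"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# At SslBump1 the fabricated CONNECT carries only IP:port and no SNI, so
# a server_name ACL cannot match here. Allow CONNECT to 443 from the LAN
# so the peek can happen; the HTTPS allow-list is enforced by ssl_bump
# below, after the SNI is known.
http_access allow localnet CONNECT SSL_ports
http_access allow localnet allowed_sites
http_access deny all

# Step 1: read the ClientHello without touching it.
# Step 2: bump only allowed SNIs; everything else is closed. Because the
# bump rule is evaluated first, "terminate all" here is equivalent to the
# original "terminate !allowed_https_sites".
ssl_bump peek step1
ssl_bump bump allowed_https_sites
ssl_bump terminate all
```

Two things worth checking once the rules are in place. First, the ordering above means a client that sends no SNI, or an SNI outside the list, is terminated at step 2 and never reaches http_access with a hostname, so the only way to a bumped origin is through both the SNI list and the dstdomain list. Second, the original config also sets "sslproxy_flags DONT_VERIFY_PEER" together with "sslproxy_cert_error allow all", which makes Squid accept any certificate from the origin server; clients that trust the sslsplit CA then get no server authentication at all, so those two lines should go once the access-control part is working.

On the http-to-https redirect test in the post: that wget run was started without --ca-certificate, unlike the other runs, and the errors it prints ("not trusted", "hasn't got a known issuer") are wget rejecting the generated certificate whose issuer is the sslsplit CA. The matching Squid log line shows the CONNECT peeked normally; the bump never appears because wget closed the connection at handshake time.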