[squid-users] SSL bumping without faked server certificates

Stefan Kutzke stefan.kutzke at bettermarks.com
Sat Nov 14 19:42:21 UTC 2015 

Hi Alex,

okay, I think I understand a little more.

I am trying to get the old server-first method working with new peek and splice but without success.

I have built a RPM package with latest 3.5.11 source based on http://www1.ngtech.co.il/repo/centos/6/SRPMS/squid-3.5.9-1.el6.src.rpm
Squid is configured with SSL bump similar to the configuration suggested by Sebastian.

In my view it's a good idea to give a detailed description of my setup with real IPs and hostnames:

1. Client machine

OS: CentOS 6.6 x86_64
IP: 10.0.0.2/24 (internal network)
Default Gateway: 10.0.0.1 (= Squid machine)


2. Squid machine

OS: CentOS 6.6 x86_64
IP 1: 10.0.0.1/24 (internal network)
IP 2: 172.31.1.15/24 (outgoing interface, behind a router)

# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.0.1:3129
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:10.0.0.1:3443

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# squid -v
Squid Cache: Version 3.5.11
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerberos_ldap_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--enable-ssl-crtd' '--enable-icmp' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--with-included-ltdl' '--disable-arch-native' '--without-nettle' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

# Squid configruation file
# Rules allowing access from your local networks
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# SSL Bump
acl step1 at_step SslBump1
acl MYSITE ssl::server_name school.bettermarks.com
ssl_bump peek step1
ssl_bump bump MYSITE
ssl_bump splice all
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Only allow purge from localhast (squidclient -m PURGE <object-url>
acl Purge method PURGE
http_access allow localhost Purge
http_access deny Purge
# Allow access from your local networks
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 10.0.0.1:3129 intercept
https_port 10.0.0.1:3443 intercept ssl-bump cert=/etc/squid/certs/bettermarks.com-chain.crt key=/etc/squid/certs/bettermarks.com-unsecure.key
## Memory only caching
# Cache memory size (default: 256 MB)
cache_mem 512 MB
# Max object size in memory (default: 512 KB)
maximum_object_size_in_memory 2 MB
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
## Refresh patterns
# BM static
refresh_pattern -i ^https:\/\/(school|cdn)\.bettermarks\.com\/static\/.*? 1440 100% 1440
# BM dynamic
refresh_pattern -i ^https:\/\/school\.bettermarks\.com\/.*? 0 0% 0
# default
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# Cache log
debug_options ALL,1 33,5  83,5 89,5


My first goal is to replace the old working server-first bumping method:
# SSL Bump
acl MYSITE dst 212.45.105.89
ssl_bump server-first MYSITE
ssl_bump none all
with the new peek and splice method:
# SSL Bump
acl step1 at_step SslBump1
acl MYSITE ssl::server_name school.bettermarks.com
ssl_bump peek step1
ssl_bump bump MYSITE
ssl_bump splice all


The hostname school.bettermarks.com has the dedicated IP address 212.45.105.89 and points to a F5 loadbalancer
that terminates SSL for *.bettermarks.com using the same certificate as Squid.


I have called the following command on the client machine:
# curl -v https://school.bettermarks.com/<https://school.bettermarks.com/static/flexclient4/bm_exerciseseries.swf><path-to-file> -o /dev/null
* About to connect() to school.bettermarks.com port 443 (#0)
*   Trying 212.45.105.89... connected
* Connected to school.bettermarks.com (212.45.105.89) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

The command have failed  after a while with:
* NSS error -5938
* Closing connection #0
* SSL connect error


Squid's access.log:
1447179870.180    172 10.0.0.2 TAG_NONE/200 0 CONNECT 212.45.105.89:443 - ORIGINAL_DST/212.45.105.89 -


More information follows in my next post (to not exceed the maximum post size).

Stefan



Am Dienstag, den 10.11.2015, 08:49 -0700 schrieb Alex Rousskov:
On 11/10/2015 07:05 AM, Stefan Kutzke wrote:

My assumption is that I have to use in Squid's config:

acl MYSITE ssl:server_name .mydomain.com
ssl_bump bump MYSITE
ssl_bump splice all

This results in tunneling all https traffic, nothing will be bumped and
cached.

Yes, probably because MYSITE (ssl::server_name) often needs SNI and SNI
is not available during step1 when MYSITE is evaluated in your config.
In other words, your config is equivalent to

  ssl_bump splice all

unless reverse DNS works perfectly well.


I'm a little bit confused about the documentation:

Under the headline "Processing steps":
*Step 2:*
 1. Get TLS clientHello info, including *SNI* where available.


Under the headline "Actions":
peek/stare Receive client *SNI (step1)*, ...


I know it is confusing, but I cannot find a better way to explain this
in brief documentation without pictures. Improvements are welcomed. The
key here is that ssl_bump rules are evaluated at the end of a step and
usually allow Squid to do something at the beginning of the next step.

For example, during step1, Squid does not have SNI. If a peek rule
matches during step1, then Squid proceeds to step2. At the beginning of
step2, Squid gets SNI. Thus, a step1 peek rule controls whether Squid
will get SNI (during step2).


Is it possible to achieve my goal with Squid in transparent mode?

I should be possible, but I do not know whether anybody has done exactly
that so there could be some minor bugs along the way. You need
configuration suggested by Sebastian and the latest Squid you can build.


HTH,

Alex.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151114/8afffae2/attachment-0001.html>

More information about the squid-users mailing list