[squid-users] Ssl-Bump and revoked server certificates

Wed Oct 7 14:48:58 UTC 2015

On 8/10/2015 3:17 a.m., Walter H. wrote:
> On 07.10.2015 11:05, Amos Jeffries wrote:
>> On 7/10/2015 4:27 a.m., Alex Rousskov wrote:
>>> On 10/06/2015 01:27 AM, Jason Haar wrote:
>>>> Good catch - I don't think squid does CRL/OCSP checks
>>>> But this is a bug in squid - this means untrustworthy certs become
>>>> trusted again - not a good look
>>>
>>> IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
>>> difficult to configure to do CRL checks. If my recollection is correct,
>>> then this is not exactly a Squid bug but more like a missing convenience
>>> feature.
>> Exactly. All thats missing is the squid.conf directive in Squid-3.x.
>> That has been added in Squid-4.
>>
>>> Squid does not know about OCSP. Another missing feature.
>>>
>>> One may perform all those checks using a custom certificate validator
>>> helper, of course.
>>>
>> Amos
>>
> Hi Amos,
> 
> what about these two directives in squid.conf?
> 
> sslcrtvalidator_program and sslcrtvalidator_children
> 

They are the configuration of that custom helper Alex mentioned. The one
bundled with Squid does not do those checks either AFAIK. But should be
easily modifiable if you know Perl.

> or
> 
> sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
> sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1
> 
> can I have a working sample of valid_cert.pl that results
> in an "access denied" or any other error page of squid?

An ERR result from the helper should result in the invalid certificate
handling happening in Squid. Whether that results in a particular error
page (or not) depends on several things I'm not completely certain about.

> (it may bring this on any page that is ssl_bumped,
> so I know the interface, because this here:
> http://wiki.squid-cache.org/Features/SslServerCertValidator
> is wrong;

Ah. I see the concurrency channel is not documented, but is being sent.
What Squid version are you using?

> 
> instead of
> /usr/lib64/squid/cert_valid.pl
> I used a bash-script with this content
> 
> #!/bin/bash
> 
> myprog 2>>/tmp/pre.log |/usr/lib64/squid/cert_valid.pl
> 
> and the C source of myprog:
> 
> 
> #include<fcntl.h>
> #include<stdio.h>
> int main( int argc, char* argv[ ] )
> {
>         static char szBuf[ 260 ];
>         int nLen;
>         while( ( nLen = read( 0, (void*) szBuf, 256 ) )>  0 )
>         {
>                 write( 1, (void*) szBuf, nLen );
>                 write( 2, (void*) szBuf, nLen );
>         }
>         return 0;
> }

This helper is broken. The protocol here or even other helpers, has
never been to dump the input back to Squid.
Input and output "lines" have different syntax and contents.

> 
> so I got the ident content as stdout and stderr and there I catched e.g.
> this:
> 
> <CATCH CONTENT>
> 0 cert_validate 3373 host=revoked.grc.com
> cert_0=-----BEGIN CERTIFICATE-----
<snip>
> -----END CERTIFICATE-----
> </CATCH CONTENT>
> 
> with this I could programme a correct certificate validator using OpenSSL,
> but I MUST have a little bit more precise knowledge about the correct
> interface;
> 
> can someone please explain how the 3373 of the CATCH CONTENT above is
> calculated?

Documented in the wiki:
"Total size of the following request bytes taken by the key=pair
parameters."

That is the byte size of the "host=...END CERTIFICATE-----" key-pair
part of the message.

> 
> and how the following could deal in connection with this certificate
> validator
> 
> acl certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
> acl certNotValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID
> acl certRevoked ssl_error X509_V_ERR_CERT_REVOKED
> 
> sslproxy_cert_error deny certRevoked
> sslproxy_cert_error deny certHasExpired
> sslproxy_cert_error deny certNotValid
> sslproxy_cert_error allow all
> 
> the generic fake sample /usr/lib64/squid/cert_valid.pl
> 
> returns always "0 OK 0 \1"
> what does \1 mean here?

The first '0' is concurrency channel ID. It is just an echo of the
channel-ID received on the request.

The other fields are as documented in the wiki. In this example there
are no key-pair values being sent back to Squid. Thus the "0" in the
size field.

\1 is the binary code (0x01) for end of line/message this helper
requires. We cannot use \n like other helpers since several \n are part
of the cert PEM format.

Amos