[squid-users] Ssl-Bump and revoked server certificates

[Amos Jeffries]

On 23/10/2015 12:02 a.m., Sebastian Kirschner wrote:
> Hi Amos ,
> 
> thanks for your reply.
> 
> Maybe we got an misunderstanding or I have an "false" opinion of the sentence I quoted before.
> 
> I thought you could say to me what for checks would definitely performed in "standard" installation with openssl,
> 
> not only that you believe that the X.509 certificate syntax and properties would be checked in correctness and the signer.
> 

Currently it is an "I believe" because I am only part way through
learning the SSL related code and refactoring it for TLS support. Those
are the checks I have seen being enabled to happen so far, there may yet
be some more hiding elsewhere later in the transaction handling.

They are all configurable, and in my experience it is a rarity for
people to actually use the default config settings. Normally we see
configs being posted disabling the verifications or restricting ciphers
and OpenSSL feature usage.

The X.509 syntax and TLS extension checks are all library dependent to
begin with. The squid default config just enables the library to do its
default of those, and to check the system CA signings. Everthing else,
including whether the helper is used is administrative choice.


> I´m sorry for these remark , but for me it's important to know what checks would performed to prevent another on the same thing and slow down the "process".
> 

Understood.

FWIW the result of the above checks (what gets done) gets passed to the
helper.

> 
> Another question regarding the Options from "sslcrtvalidator_program",
> ttl " TTL in seconds for cached results. The default is 60 secs"
> 
> Is the cached results referred to the sslhost ?

I'm not sure. I've not reached the validator helper code yet in my
refactoring. IIRC that is the helper lookup cache TTL. To prevent the
helper being queried for the identical work multiple times in a row. All
helpers have such a cache. The cache key is the exact byte sequence for
the "line" passed to the helper, excluding the channel-ID field.

> 
> For example , I configured that the TTL is 12 hours.
> A request from Client A is performed to https://www.google.com the validator report back to squid that the certificate is ok and the connection would be spliced/bumped,
> 1 hour later Client B perform a request again too https://www.google.com , would squid use the "cached" answer from the validator used ?
> 

If a) my recollection is right, and b) the internal validation results
in the same helper query details being passed to the helper, then yes.

If something happens like different TLS extensions being negotiated and
resulting in even slightly different error message from internal
validation - then the lookups will be different and a re-check will be
needed.


> 
> And another question regarding the cache option.
> What from the response would be cached , the complete one or maybe only the sslhost and response code ?

The helper response cache stores helper response "lines", excluding the
channel-ID. So it can act as if the helper was queried but produced the
same result as previous lookup.

> 
> Would it be defined as byte in as the validator and speak ?

8 bits is one byte. This is network terminology, not specific to the
helper. The helper protocol is UTF-8 capable, though usually only the
ASCII characters are used.

Amos