[squid-users] Ssl-Bump and revoked server certificates

Sebastian Kirschner s.kirschner at afa-finanz.de
Mon Oct 26 16:43:16 UTC 2015


Hi,

in my squid setup the sslcrtvalidator_program doesn’t send the data´s that I expect to the helper :-) .
The helper receive the data´s as described in the wiki , expect the "form" of the domain,
here I would expect a FQDN or domain like google.de or ca.google.de but the helper receive a IP.

I create the helper (in my case main.sh) that send all Data´s from stdin to a file ( I wanted to see what the "live" helper would receive).
Below you could see my squid build options and squid.conf ( @ Amos I didn’t implement your tips regarding the acl yet)

On the same machine where squid runs , run an dns server , so I tried with dig to resolve google.de and it resolved without issues.
Also I tried to let squid use another dnsserver without success.
If I should attach the cache.log please say with which debug_options.


<main.sh>
#!/bin/sh
cat >> /tmpfs/debug.log
</main.sh>

< debug.log>
0 cert_validate 5564 host=173.194.116.184
proto_version=TLSv1.2
cipher=ECDHE-RSA-CHACHA20-POLY1305
cert_0=-----BEGIN CERTIFICATE-----
snipped
-----END CERTIFICATE-----
cert_1=-----BEGIN CERTIFICATE-----
snipped
-----END CERTIFICATE-----
cert_2=-----BEGIN CERTIFICATE-----
snipped
-----END CERTIFICATE-----
cert_3=-----BEGIN CERTIFICATE-----
snipped
-----END CERTIFICATE-----
</debug.log>

<squid options>
configure options:  '--with-default-user=squid' '--bindir=/usr/pbi/squid-amd64/sbin' '--sbindir=/usr/pbi/squid-amd64/sbin' '--datadir=/usr/pbi/squid-amd64/etc/squid' '--libexecdir=/usr/pbi/squid-amd64/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/pbi/squid-amd64/etc/squid' '--with-logdir=/var/squid/logs' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--enable-ecap' '--enable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--disable-ident-lookups' '--enable-ipv6' '--disable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--disable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -pipe  -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/libxml2 -I/usr/local/include -g -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib:/usr/local/lib  -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -L/usr/local/lib -pthread -L/usr/local/lib -fstack-protector' 'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam LDAP SASL SMB NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group LDAP_group wbinfo_group SQL_session kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=ufs aufs diskd rock' '--enable-disk-io=AIO Blocking IpcIo Mmapped DiskThreads DiskDaemon' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--with-openssl=/usr/local' '--disable-optimizations' '--enable-debug-cbdata' '--prefix=/usr/pbi/squid-amd64' '--mandir=/usr/pbi/squid-amd64/man' '--infodir=/usr/pbi/squid-amd64/info/' '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 'CC=cc' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-pipe -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/libxml2 -I/usr/local/include -g -fstack-protector -DLDAP_DEPRECATED -fno-strict-aliasing ' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
</squid options>

<squid.conf>
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/

icp_port 0
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language de-de
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname pfsense.onesty-tech.loc
cache_mgr admin at pfsense-onesty.loc
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 5
sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/

logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.1.0/24
uri_whitespace strip


# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
acl sslports port 443 563  

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.1.0/24
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

# Package Integration
url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0

# Custom options before auth
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1
ssl_bump bump all

sslcrtvalidator_program cache=8192 ttl=240 /tmpfs/main.sh
#sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnet
# Default block all to be sure
http_access deny allsrc

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all
</squid.conf>

Mit freundlichen Grüßen / Best Regards

Sebastian Kirschner


More information about the squid-users mailing list