[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Marcus Kool marcus.kool at urlfilterdb.com
Thu Sep 17 11:05:38 UTC 2015


I just tried accessing https://banking.postbank.de/
using Squid 3.5.8 and Chrome.
I also got the ERR_CONNECTION_CLOSED error.

What is weird is that Squid sends a "CONNECT banking.postbank.de" 21 times to the URL rewriter.

Then I changed the Squid configuration and added ".postbank.de" in our list of banks (acl tls_server_is_bank) to prevent bumping.
The configuration is:

sslproxy_options  NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher   ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

# TLS/SSL bumping definitions
acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# do not touch servers where ssl-bump breaks HSTS
acl tls_allowed_hsts ssl::server_name .akamaihd.net
# prevent bumping some allowed servers because otherwise Squid will issue a certificate error
acl tls_allowed_incomplete_chain ssl::server_name .webtvframework.com
# prevent bumping some allowed servers with self-signed certificates
acl tls_allowed_selfsigned ssl::server_name .nic.es .my-own.local
# prevent bumping of sites where client software uses certificate pinning like Dropbox and Googledrive
acl tls_allowed_software ssl::server_name .dropbox.com .googledrive.com drive.google.com
# do not touch servers where applications use pinned certificates
acl tls_allowed_pinned ssl::server_name .ovh.com
# do not touch servers of a few banks
# Note that a bank may use several domains!
acl tls_server_is_bank ssl::server_name .paypal.com
acl tls_server_is_bank ssl::server_name .abnamro.nl
acl tls_server_is_bank ssl::server_name .abnamro.com
acl tls_server_is_bank ssl::server_name .caixa.gov.br
acl tls_server_is_bank ssl::server_name .santander.com.br
acl tls_server_is_bank ssl::server_name .santander.com
acl tls_server_is_bank ssl::server_name .santandernet.com.br
acl tls_server_is_bank ssl::server_name .postbank.de                   # here is postbank.de

# TLS/SSL bumping steps
ssl_bump peek   tls_s1_connect      all
#
ssl_bump splice tls_s2_client_hello tls_allowed_hsts
ssl_bump splice tls_s2_client_hello tls_server_is_bank
ssl_bump splice tls_s2_client_hello tls_allowed_software
ssl_bump splice tls_s2_client_hello tls_allowed_pinned
ssl_bump stare  tls_s2_client_hello all
#
ssl_bump bump   tls_s3_server_hello all

# TLS/SSL certificate errors
sslproxy_cert_error allow tls_allowed_incomplete_chain
sslproxy_cert_error allow tls_allowed_selfsigned
sslproxy_cert_error deny  all

And tried to access https://banking.postbank.de again from Chrome, and the site works normally.

Marcus
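Added example (not Squid's code and not part of the original mail): a small offline evaluator that walks the peek/splice/stare/bump rules from the configuration above the way Squid 3.5 applies them, so one can check which action a given server name receives at each step without restarting the proxy. It assumes only the `at_step` and `ssl::server_name`/`dstdomain` ACL types, that the same host name is visible at every step (CONNECT host, SNI and certificate name agree), and falls back to not decrypting when no rule matches, which is Squid's documented default. The configuration strings are copied from this thread; Amos's file-based `nodecrypt` list is replaced by an inline constructed value.

```python
"""Offline simulation of Squid 3.5 ssl_bump rule evaluation (added example)."""
from dataclasses import dataclass

# Squid evaluates ssl_bump rules top-down at each SslBump step; the first rule whose
# ACLs all match decides that step's action. ACL names on one line are ANDed.
STEP_NAMES = {"SslBump1": 1, "SslBump2": 2, "SslBump3": 3}
TERMINAL = {"splice", "bump", "terminate"}  # peek/stare continue to the next step

# Rules relevant to the question, copied from the configuration posted above.
MARCUS_CONF = """
acl tls_s1_connect      at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_allowed_software ssl::server_name .dropbox.com .googledrive.com drive.google.com
acl tls_allowed_pinned ssl::server_name .ovh.com
acl tls_server_is_bank ssl::server_name .paypal.com
acl tls_server_is_bank ssl::server_name .postbank.de                   # here is postbank.de
ssl_bump peek   tls_s1_connect      all
ssl_bump splice tls_s2_client_hello tls_allowed_hsts
ssl_bump splice tls_s2_client_hello tls_server_is_bank
ssl_bump splice tls_s2_client_hello tls_allowed_software
ssl_bump splice tls_s2_client_hello tls_allowed_pinned
ssl_bump stare  tls_s2_client_hello all
ssl_bump bump   tls_s3_server_hello all
"""

# Amos's suggested rules from the quoted reply; the "/etc/squid/nodecrypt.domains"
# file is replaced by one inline constructed entry for this example.
AMOS_CONF = """
acl nodecrypt ssl::server_name banking.postbank.de
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice nodecrypt
ssl_bump bump all
"""


@dataclass
class Acl:
    kind: str
    values: list


def domain_matches(pattern, host):
    """Squid domain semantics: a leading dot matches the domain and its subdomains,
    otherwise the name must match exactly (case-insensitive)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def parse_config(text):
    """Collect acl definitions (values accumulate across repeated lines, as in Squid)
    and ssl_bump rules as (action, [acl names]); other directives are ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, values = parts[1], parts[2], parts[3:]
            acl = acls.setdefault(name, Acl(kind, []))
            if acl.kind != kind:
                raise ValueError(f"acl {name} redefined with a different type")
            acl.values.extend(values)
        elif parts[0] == "ssl_bump" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, step, host):
    if acl.kind == "at_step":
        return step in [STEP_NAMES[v] for v in acl.values]
    if acl.kind in ("ssl::server_name", "dstdomain"):
        return any(domain_matches(v, host) for v in acl.values)
    raise ValueError(f"unsupported acl type {acl.kind}")


def action_at_step(acls, rules, step, host):
    for action, names in rules:
        if all(n == "all" or acl_matches(acls[n], step, host) for n in names):
            return action
    return "splice"  # no rule matched: Squid tunnels without decrypting


def simulate(acls, rules, host):
    """Return [(step, action), ...] until a terminal action is reached."""
    trail = []
    for step in (1, 2, 3):
        action = action_at_step(acls, rules, step, host)
        trail.append((step, action))
        if action in TERMINAL:
            break
    return trail


def final_action(acls, rules, host):
    return simulate(acls, rules, host)[-1][1]


if __name__ == "__main__":
    acls, rules = parse_config(MARCUS_CONF)
    for h in ("banking.postbank.de", "www.example.com", "drive.google.com"):
        print(h, simulate(acls, rules, h))
```

The evaluator shows why the edited configuration stops the symptom: `.postbank.de` matches `banking.postbank.de` at step 2 and the connection is spliced before any forged certificate is sent, while an unlisted host goes peek, stare, bump. Squid reads `ssl::server_name` from the CONNECT host at step 1, the SNI at step 2 and the server certificate at step 3, so a host whose SNI differs from its CONNECT name can take a different path in a real proxy than in this simplified model.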



On 09/17/2015 04:18 AM, Dieter Bloms wrote:
> Hello Amos,
>
> thank you for your hints.
>
> On Thu, Sep 17, Amos Jeffries wrote:
>
>>> the relevant part is:
>>>
>>> --snip--
>>> acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
>>> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
>>
>>
>> Replace these...
>>
>>> ssl_bump none nodecryptdomains
>>> ssl_bump server-first all
>>
>> ... with:
>>
>>   acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
>>   acl step1 at_step SslBump1
>>   ssl_bump peek step1
>>   ssl_bump splice nodecrypt
>>   ssl_bump bump all
>>
>> Maybe also remove the nodecryptdomains ACL. Depends on whether you use
>> it anywhere else.
>
> I've changed my config, but same results.
> SSLBump works so far; only the site banking.postbank.de makes trouble.
> My Chrome browser says "ERR_CONNECTION_CLOSED" and the squid log
> looks like:
>
> --snip--
> 1442473894.771     49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442473894.832     49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442473895.074     48 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442473895.134     47 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442473895.193     45 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> --snip--
>
>
> Here is the SSL-relevant part of my squid.conf:
> --snip--
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL
> sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> --snip--
>
> So it would be nice if anybody with sslbump enabled on squid 3.5.8 could
> do a GET request to https://banking.postbank.de/ to see if that works.
>
>
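Added example (not part of the thread, and not Squid code): a small access.log check that finds the pattern visible in Dieter's excerpt above, a burst of zero-byte `TAG_NONE/200` CONNECT entries for one host from one client, which is what a browser retrying a handshake the proxy keeps closing looks like in the native log format. The five log lines are the ones quoted above; the remaining lines, the `203.0.113.10` address and the `10.252.16.101` client are constructed for the example. Field names, the window and the threshold are this example's own choices.

```python
"""Flag CONNECT retry bursts in Squid native access.log lines (added example)."""
import re
from collections import defaultdict

# Squid native log layout: time elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)"
)

# First five lines are the quoted excerpt; the rest are constructed:
# one bumped session that actually carried data, and two zero-byte CONNECTs
# from another client that are far apart in time and so are not a burst.
SAMPLE_LOG = """\
1442473894.771     49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473894.832     49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.074     48 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.134     47 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.193     45 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473900.101   5123 10.252.16.100 TCP_TUNNEL/200 48213 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1442473901.250     33 10.252.16.101 TAG_NONE/200 0 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1442473990.000     40 10.252.16.101 TAG_NONE/200 0 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
"""


def parse_line(line):
    """Return a dict of typed fields, or None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_connect_loops(lines, min_count=3, window=5.0):
    """Group zero-byte CONNECT entries by (client, url) and report any group with at
    least `min_count` entries inside a sliding window of `window` seconds."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT" or rec["bytes"] != 0:
            continue
        stamps_by_key[(rec["client"], rec["url"])].append(rec["ts"])

    loops = []
    for (client, url), stamps in stamps_by_key.items():
        stamps.sort()
        best, j = 0, 0
        for i, ts in enumerate(stamps):  # longest run within the window
            while ts - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_count:
            loops.append({
                "client": client,
                "url": url,
                "count": best,
                "span": round(stamps[-1] - stamps[0], 3),
            })
    return loops


if __name__ == "__main__":
    for loop in find_connect_loops(SAMPLE_LOG.splitlines()):
        print(f"{loop['client']} -> {loop['url']}: {loop['count']} zero-byte CONNECTs in {loop['span']}s")
```

A hit for a host that is not in the splice lists is a cue to look at that site's certificate chain, HSTS or pinning behaviour before deciding whether it belongs in one of the exception ACLs, which is the same decision the configuration above makes per domain.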

