[squid-users] SSL Bump in intercept mode

Степаненко Сергей sstepanenko at rsbank.ru
Mon Sep 28 06:57:29 UTC 2015


Hi!

I updated squid to 3.5.9, but nothing changed.
I use a config with
 ...
  ssl_bump stare all
  ssl_bump bump all
 ...

When I use ssl bump, squid does not send the certificate chain.
Info from s_client:

with ssl_bump
[sas at file01 ~]$ openssl s_client -connect google.ru:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
MIId8TCCHVqgAwIBAgIUArbJgJ+rY/6iCYPIpI4Yh15iz8UwDQYJKoZIhvcNAQEL
BQAwVjELMAkGA1UEBhMCUlUxDDAKBgNVBAgMA1ZMRzERMA8GA1UECgwISE9NRSBM
....
BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsF
AAOBgQCaSYyvXjtbuS1ZGBnyQ4sDK/8jkjTapreBK2tJhzIaX8nt1r8nXTsNNDv+
7zFbVA94Ax+gFwjRzU62mCWXoZ7IOSWDI/yZIR2yyYkVnBvd/Oe3JeoUyq+fhRkM
qewa4S/C4sczmcGPyAuSJnX24YZiLoT4yi9HRZ8d+yFBCuFyYg==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer=/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
No client certificate CA names sent
---
SSL handshake has read 7982 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: FF52E1FA45A100529F290119DAF36E40BBE2E4D6CFA03D8310CA151D81934AF6
Session-ID-ctx:
Master-Key: C0FE89EE352C1DB55C2E7DC067420E17DCC45949BDC06E26474994D7B0FBBB95549FE4B490EE6C6A34C8B7FD8C412AC3
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 67 f2 fd f6 1c a0 72 ef-27 c7 e0 8d bc 36 58 fd g.....r.'....6X.
0010 - 24 1e e0 26 92 55 18 c9-b9 d5 25 a2 be c8 b4 7f $..&.U....%.....
0020 - ac 0a 50 d5 f3 6a 75 38-1f 4f 34 16 6a 83 70 ec ..P..ju8.O4.j.p.
0030 - 19 e7 a0 3a 94 82 bc c8-1c 03 94 35 57 13 98 2d ...:.......5W..-
0040 - c9 ce c7 fe 5c f3 0e e6-33 97 1f 9d 39 c5 24 dd ....\...3...9.$.
0050 - 53 a5 49 10 03 5e 24 a6-fb d8 b3 4a 47 9d 8e e0 S.I..^$....JG...
0060 - 71 63 27 ba 69 e6 14 e5-98 c4 a7 24 0c e6 9b 6d qc'.i......$...m
0070 - bd c1 b6 31 ea 5c 3e 0b-5f 3b 47 75 66 e0 2e 22 ...1.\>._;Guf.."
0080 - 0e b0 42 0b 0d fc 13 c7-0d 00 ee 4a 5a cf 6f 35 ..B........JZ.o5
0090 - a2 01 d2 33 20 68 db 0a-b3 3f 6c 2b 1b 35 3f 9c ...3 h...?l+.5?.
Start Time: 1443196400
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

With server-first
[sas at file01 ~]$ openssl s_client -connect google.ru:443
CONNECTED(00000003)
depth=3 C = RU, ST = VLG, L = VOLGOGRAD, O = HOME Ltd, OU = IT, CN = MAIN_CA
verify return:1
depth=2 C = RU, ST = VLG, O = HOME Ltd, OU = IT, CN = SIGN-CA1
verify return:1
depth=1 C = RU, ST = VLG, O = HOME Ltd, OU = IT, CN = proxy02.home.lan
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIId8TCCHVqgAwIBAgIUArbJgJ+rY/6iCYPIpI4Yh15iz8UwDQYJKoZIhvcNAQEL
BQAwVjELMAkGA1UEBhMCUlUxDDAKBgNVBAgMA1ZMRzERMA8GA1UECgwISE9NRSBM
dGQxCzAJBgNVBAsMAklUMRkwFwYDVQQDDBBwcm94eTAyLmhvbWUubGFuMB4XDTE1
...
7zFbVA94Ax+gFwjRzU62mCWXoZ7IOSWDI/yZIR2yyYkVnBvd/Oe3JeoUyq+fhRkM
qewa4S/C4sczmcGPyAuSJnX24YZiLoT4yi9HRZ8d+yFBCuFyYg==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
issuer=/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
No client certificate CA names sent
---
SSL handshake has read 11366 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: B391083BB8FFDA6544764FA23533A86098DF0DF75C25B720DA581BCF243FD96E
Session-ID-ctx:
Master-Key: 333F0DF78259BEB89D8F0F9D740B57A28932D80B285BDC15B37BF256950AEEBBA21BF657F2AA9F9D5E1BE9FE909B44A0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - f7 4f a8 09 41 b8 8c 75-02 50 e0 46 11 b8 a1 23 .O..A..u.P.F...#
0010 - d5 44 70 ef 00 7e 3a 31-30 eb 15 51 34 24 f5 17 .Dp..~:10..Q4$..
0020 - 2b 36 5f 36 1b dd f1 c1-d4 56 7c d1 73 ef eb af +6_6.....V|.s...
0030 - 00 36 a8 b9 50 29 1d eb-49 c1 c6 59 ac c8 5c 68 .6..P)..I..Y..\h
0040 - 96 ca 8a da eb 5e 77 6b-e0 7d c6 d5 ce a6 46 18 .....^wk.}....F.
0050 - 6f 07 eb 29 fc 60 3f 5b-63 3e 13 61 bd 24 c0 8a o..).`?[c>.a.$..
0060 - a2 ce 1f a1 ca c9 5e 4f-11 b5 90 11 f4 df 90 5d ......^O.......]
0070 - 04 3b 88 c0 25 67 d1 37-2b 94 9a b2 0d 23 e7 2e .;..%g.7+....#..
0080 - d6 47 aa 4e a7 a5 d6 51-91 2a b0 dc cd 7f b8 3f .G.N...Q.*.....?
0090 - f0 49 36 9c c8 63 aa 02-99 2f d0 ac ac 13 b4 7a .I6..c.../.....z
Start Time: 1443196581
Timeout : 300 (sec)
Verify return code: 0 (ok)

PS
In man ssl_crtd:
"Certificate chaining

The version 1.0 of this helper will not add chained intermediate CA certificates. The client must have a full chain of trust from the root CA all the way down to the end certificate generated by this program. Signing with an intermediate CA needs to install both the root and the intermediate public CA on the clients."

But I have a question: how does this work with server-first?
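The comparison made by eye above (does the proxy present the intermediates, or only the leaf?) can be scripted. What follows is an added example, not code from this post or from Squid: a shell function that reads an openssl s_client transcript on stdin, walks the "Certificate chain" block and checks that each certificate's issuer is the subject of the next certificate presented and that the chain ends in a self-signed root. The two sample transcripts are constructed from the chain blocks shown in the two runs above.

```shell
#!/bin/sh
# Added example, not from the squid-users post or from Squid: decide from an
# `openssl s_client` transcript whether the server (here: the bumping proxy)
# presented a linked certificate chain. Reads the transcript on stdin.
# Exit status: 0 chain links up to a self-signed root
#              1 the last certificate's issuer was not presented
#              2 a presented certificate is not the issuer of the previous one
#              3 no "Certificate chain" block found
chain_complete() {
    awk '
        /^Certificate chain/ { inchain = 1; next }
        inchain && /^---/    { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificate chain block found"; exit 3 }
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) {
                    print "broken link at depth " (k - 1) ": issuer " iss[k] " != next subject " subj[k + 1]
                    exit 2
                }
            if (iss[n] != subj[n]) {
                print "chain ends at " subj[n] " (issuer " iss[n] " not presented); " n " cert(s) sent"
                exit 1
            }
            print "complete chain, " n " cert(s) sent, root " subj[n]
            exit 0
        }'
}

# Constructed samples: the "Certificate chain" blocks from the two s_client
# runs in the post (leading whitespace as s_client prints it).
bump_transcript='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
Server certificate'

server_first_transcript='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
 1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
 2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
 3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
---
Server certificate'

printf '%s\n' "$bump_transcript" | chain_complete         || echo "  -> status $?"
printf '%s\n' "$server_first_transcript" | chain_complete || echo "  -> status $?"
# Against a live proxy: openssl s_client -connect google.ru:443 </dev/null | chain_complete
```

On the stare/bump transcript this reports one certificate sent and proxy02.home.lan not presented (status 1): the client then needs proxy02.home.lan, SIGN-CA1 and MAIN_CA all in its own store, which is exactly the situation the ssl_crtd man page text quoted above describes. On the server-first transcript it reports a complete four-certificate chain. One caveat for general use: a server is allowed to omit the self-signed root, so a status 1 whose "not presented" issuer is a root the client already trusts is fine; status 2 (a cert that does not chain to the one before it) is the real misconfiguration. Newer OpenSSL prints names as "C = US, ST = ..." instead of "/C=US/ST=...", which changes nothing here since only the strings are compared.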


-----Original Message-----
From: Alex Rousskov [mailto:rousskov at measurement-factory.com] 
Sent: Wednesday, September 23, 2015 6:05 PM
To: squid-users at lists.squid-cache.org
Cc: Степаненко Сергей
Subject: Re: [squid-users] SSL Bump in intercept mode

On 09/23/2015 12:16 AM, Степаненко Сергей wrote:

> My proxy certificate is issued by a SubCA, i.e. CA - SubCA - Proxy.

> OS - CentOS 6.7, squid - 3.5.7 from www1.ngtech.co.il repo


> ssl_bump stare all
> ssl_bump bump all
> ssl_bump splice all step3

Please note that the last "splice" rule will never match [in the latest Squids]. Other than being misleading about your true intent, this should not cause problems.

Apart from the pointless splice rule, this is the configuration variant you should focus on if you want to bump everything.


> in this configuration the browser writes "Not check certificate chain"

Perhaps the browser lacks the SubCA certificate? Does Squid send that intermediate certificate to the browser? You should be able to tell by examining the browser-Squid SSL handshake in wireshark.


> ssl_bump bump all
> ssl_bump stare all
> ssl_bump splice all step3

Please note that the second and third rules will never match [in the latest Squids].

Also, the above config variation is subject to Bug 4327 [in the latest Squids]. It is not yet clear what the correct Squid behaviour should be in this case. Avoid this configuration for now.

    http://bugs.squid-cache.org/show_bug.cgi?id=4327


> I get the error "The security certificate presented by this website was 
> issued for a different website's address", but the certificate chain is 
> trusted, i.e. I view the chain CA - SubCA - Proxy - site ipaddr.

Possibly because of the problems discussed in comments 0-3 of the Bug
4327 report mentioned above. I do not know whether your Squid version is affected because quite a few things have changed since it was released.


> ssl_bump server-first all

> All works. But not for all sites.

I cannot fully explain this observation. In theory, this last config should have similar effects to your first config, but should handle fewer cases because the last config lacks SNI support.

I recommend that you try to reproduce the problems [with the first config] using the latest v3.5 daily snapshot (or trunk):

  ssl_bump stare all
  ssl_bump bump all


Good luck,

Alex.
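To see concretely why a browser that only has the root installed objects when the proxy sends the leaf alone, the three-level hierarchy from this thread (MAIN_CA -> SIGN-CA1 -> proxy02.home.lan -> site) can be rebuilt locally with openssl and the leaf verified against the root with and without the intermediates. This is an added example, not from the thread or from Squid; the CN values come from the s_client output above, while key sizes, lifetimes, O= values and file names are assumptions of the example. It runs offline in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or from Squid: rebuild the
# MAIN_CA -> SIGN-CA1 -> proxy02.home.lan -> site hierarchy from the post with
# throwaway keys and show what a client that trusts only MAIN_CA sees when the
# leaf arrives alone versus with its intermediates. CNs follow the post;
# key sizes, lifetimes, O= values and file names are assumptions of this example.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal req config (so the example does not depend on the system openssl.cnf);
# v3_ca marks the self-signed root as a CA.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for issued certificates (unnamed section, read by x509 -extfile).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# Root CA, self-signed.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes -days 1 \
    -subj '/O=HOME Ltd/CN=MAIN_CA' -keyout root.key -out root.crt 2>/dev/null

# issue PREFIX SUBJECT ISSUER-PREFIX EXTFILE: key + CSR for PREFIX, signed by ISSUER.
issue() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 1 -extfile "$4" -out "$1.crt" 2>/dev/null
}
issue subca '/O=HOME Ltd/CN=SIGN-CA1'          root  ca.ext
issue proxy '/O=HOME Ltd/CN=proxy02.home.lan'  subca ca.ext
issue site  '/O=Google Inc/CN=google.com'      proxy leaf.ext

# verify_leaf [BUNDLE]: verify site.crt with only root.crt trusted; BUNDLE, if
# given, plays the role of the intermediates a server sends in the handshake.
verify_leaf() {
    if [ $# -gt 0 ]; then
        openssl verify -CAfile root.crt -untrusted "$1" site.crt 2>&1
    else
        openssl verify -CAfile root.crt site.crt 2>&1
    fi
}

echo "== leaf only (what the stare/bump handshake above sends) =="
verify_leaf || true                     # error 20: unable to get local issuer certificate
echo "== leaf + proxy02.home.lan + SIGN-CA1 (what the server-first handshake sends) =="
cat proxy.crt subca.crt > intermediates.pem
verify_leaf intermediates.pem           # site.crt: OK
```

The first case reproduces the "unable to get local issuer certificate" (error 20) seen in the stare/bump s_client run: the verifier holds the leaf and the root but nothing connecting them. Supplying only proxy.crt as the untrusted bundle still fails, because SIGN-CA1 is then the missing link; both intermediates are needed. That matches the ssl_crtd man page text quoted earlier in the thread: with a proxy certificate issued below a SubCA, either the clients get SubCA and proxy certificates installed alongside the root, or the proxy has to send them in the handshake as the server-first run does.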




