[squid-users] Squid 3.5.13 unable to establish ssl-bump connection
Ted Wynnychenko
ted.m.w at comcast.net
Mon Jan 25 06:23:08 UTC 2016
I have been trying to get this working for days without success.
Trying to setup Squid with https inspection as an explicit proxy.
On OpenBSD current (# uname -srv -> OpenBSD 5.9 GENERIC.MP#1783)
Running squid from packages (# pkg_info | grep squid -> squid-3.5.13)
# squid -v
Squid Cache: Version 3.5.13
Service Name: squid
configure options: '--disable-strict-error-checking' '--disable-arch-native'
'--enable-shared' '--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-follow-x-forwarded-for' '--enable-forw-via-db'
'--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
'--enable-referer-log' '--enable-removal-policies=lru heap' '--enable-ssl'
'--enable-ssl-crtd' '--with-openssl' '--enable-storeio=aufs ufs diskd'
'--with-default-user=_squid' '--with-filedescriptors=8192'
'--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid' '--with-pthreads'
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
'--enable-ipfw-transparent' '--enable-external-acl-helpers=LDAP_group
SQL_session file_userip time_quota unix_group wbinfo_group LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules' '--disable-gtk-doc'
'CC=cc' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib'
'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'
(as above, compiled with enable-ssl and enable-ssl-crtd)
With a basic squid.conf file:
# cat /etc/squid/squid.conf
-----
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump stare all
ssl_bump bump all
always_direct allow all
sslproxy_cafile /etc/ssl/cert.pem
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 32 startup=5 idle=1
cache_dir ufs /var/squid/cache 50000 64 512
coredump_dir /var/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
-----
Certificates made per the squid wiki at:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
# cd /etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# ls -lah /etc/squid
drwxr-xr-x 4 root wheel 512B Jan 24 20:33 .
drwxr-xr-x 35 root wheel 2.0K Jan 23 16:17 ..
-rw-r--r-- 1 root wheel 692B Jan 17 10:22 cachemgr.conf
-rw-r--r-- 1 root wheel 1.8K Jan 17 10:22 errorpage.css
-rw-r--r-- 1 root wheel 11.8K Jan 17 10:22 mime.conf
-rw-r--r-- 1 root wheel 1.1K Jan 24 21:36 squid.conf
drwx------ 2 _squid _squid 512B Jan 24 18:23 ssl_cert
# ls -lah /etc/squid/ssl_cert
drwx------ 2 _squid _squid 512B Jan 24 18:23 .
drwxr-xr-x 3 root wheel 512B Jan 24 23:39 ..
-rw------- 1 _squid _squid 2.9K Jan 24 17:07 myCA.pem
Made a .der version:
# openssl x509 -in myCA.pem -outform DER -out myCA.der
And imported it into the "Authorities" section of Firefox certificate store,
giving it all "trust settings."
ssl_crtd is present and executable:
# ls -lah /usr/local/libexec/squid/ssl_crtd
-r-xr-xr-x 1 root bin 97.7K Jan 15 16:31 /usr/local/libexec/squid/ssl_crtd
Created dynamic certificate directory structure:
# /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_db
# chown -R _squid._squid /var/squid/ssl_db
# ls -lah /var/squid
drwxrwx--x 5 _squid _squid 512B Jan 24 23:42 .
drwxr-xr-x 25 root wheel 512B Jan 19 19:47 ..
drwxrwx--x 66 _squid _squid 1.0K Jan 24 21:44 cache
drwxrwxr-x 2 _squid _squid 512B Jan 24 03:00 logs
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:42 ssl_db
# ls -lah /var/squid/ssl_db
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:42 .
drwxrwx--x 5 _squid _squid 512B Jan 24 23:42 ..
drwxr-xr-x 2 _squid _squid 512B Jan 24 23:42 certs
-rw-r--r-- 1 _squid _squid 0B Jan 24 23:42 index.txt
-rw-r--r-- 1 _squid _squid 1B Jan 24 23:42 size
No "serial" present, so it was added:
# echo "101" > /var/squid/ssl_db/serial
# chown _squid /var/squid/ssl_db/serial
squid starts without error:
# /usr/local/sbin/squid -d 1 -N
2016/01/24 23:45:53| Set Current Directory to /var/squid/cache
2016/01/24 23:45:53| Starting Squid Cache version 3.5.13 for x86_64-unknown-openbsd5.9...
2016/01/24 23:45:53| Service Name: squid
2016/01/24 23:45:53| Process ID 763
2016/01/24 23:45:53| Process Roles: master worker
2016/01/24 23:45:53| With 128 file descriptors available
2016/01/24 23:45:53| Initializing IP Cache...
2016/01/24 23:45:53| DNS Socket created at [::], FD 10
2016/01/24 23:45:53| DNS Socket created at 0.0.0.0, FD 11
2016/01/24 23:45:53| Adding domain wynnychenko.com from /etc/resolv.conf
2016/01/24 23:45:53| Adding nameserver 10.0.28.128 from /etc/resolv.conf
2016/01/24 23:45:53| Adding nameserver 10.0.28.129 from /etc/resolv.conf
2016/01/24 23:45:53| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2016/01/24 23:45:53| Logfile: opening log daemon:/var/squid/logs/access.log
2016/01/24 23:45:53| Logfile Daemon: opening log /var/squid/logs/access.log
2016/01/24 23:45:53| Unlinkd pipe opened on FD 28
2016/01/24 23:45:53| Store logging disabled
2016/01/24 23:45:53| Swap maxSize 51200000 + 262144 KB, estimated 3958626 objects
2016/01/24 23:45:53| Target number of buckets: 197931
2016/01/24 23:45:53| Using 262144 Store buckets
2016/01/24 23:45:53| Max Mem size: 262144 KB
2016/01/24 23:45:53| Max Swap size: 51200000 KB
2016/01/24 23:45:53| Rebuilding storage in /var/squid/cache (clean log)
2016/01/24 23:45:53| Using Least Load store dir selection
2016/01/24 23:45:53| Set Current Directory to /var/squid/cache
2016/01/24 23:45:54| Finished loading MIME types and icons.
2016/01/24 23:45:54| HTCP Disabled.
2016/01/24 23:45:54| Adaptation support is off.
2016/01/24 23:45:54| Accepting SSL bumped HTTP Socket connections at local=[::]:3128 remote=[::] FD 31 flags=9
2016/01/24 23:45:54| Accepting SSL bumped HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 32 flags=9
2016/01/24 23:45:54| Done reading /var/squid/cache swaplog (312 entries)
2016/01/24 23:45:54| Finished rebuilding storage from disk.
2016/01/24 23:45:54| 312 Entries scanned
2016/01/24 23:45:54| 0 Invalid entries.
2016/01/24 23:45:54| 0 With invalid flags.
2016/01/24 23:45:54| 312 Objects loaded.
2016/01/24 23:45:54| 0 Objects expired.
2016/01/24 23:45:54| 0 Objects cancelled.
2016/01/24 23:45:54| 0 Duplicate URLs purged.
2016/01/24 23:45:54| 0 Swapfile clashes avoided.
2016/01/24 23:45:54| Took 0.06 seconds (4937.57 objects/sec).
2016/01/24 23:45:54| Beginning Validation Procedure
2016/01/24 23:45:54| Completed Validation Procedure
2016/01/24 23:45:54| Validated 312 Entries
2016/01/24 23:45:54| store_swap_size = 4850.00 KB
2016/01/24 23:45:54| storeLateRelease: released 0 objects
running as expected:
# ps aux | grep squid
_squid 26037 0.0 0.1 844 4824 ?? Ss 11:46PM 0:00.03 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 6398 0.0 0.1 840 4836 ?? Ss 11:46PM 0:00.03 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 12848 0.0 0.1 840 4852 ?? Ss 11:46PM 0:00.05 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 5788 0.0 0.1 840 4844 ?? Ss 11:46PM 0:00.03 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 13372 0.0 0.1 844 4844 ?? Ss 11:46PM 0:00.06 (ssl_crtd) -s /var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid 17491 0.0 0.0 444 1616 ?? Ss 11:46PM 0:00.04 (logfile-daemon) /var/squid/logs/access.log (log_file_daemon)
_squid 13973 0.0 0.0 320 1452 ?? Ss 11:46PM 0:00.07 (unlinkd) (unlinkd)
_squid 896 0.3 0.2 18132 19132 p0 S+ 11:46PM 0:00.43 /usr/local/sbin/squid -d 1 -N
root 19831 0.0 0.0 160 304 p1 R+ 11:46PM 0:00.00 grep squid
Now, I point Firefox at the proxy, and the proxy works with http.
For example:
http://www.squid-cache.org/ is rendered in the browser, and
/var/squid/logs/access.log shows:
1453701132.838 2412 10.0.128.10 TCP_MISS_ABORTED/000 0 GET http://www.squid-cache.org/ - HIER_DIRECT/209.169.10.131 -
1453701132.941 93 10.0.128.10 TCP_MISS/200 3533 GET http://www.squid-cache.org/ - HIER_DIRECT/209.169.10.131 text/html
1453701133.013 44 10.0.128.10 TCP_MISS/200 1715 GET http://www.squid-cache.org/default.css - HIER_DIRECT/209.169.10.131 text/css
1453701133.115 101 10.0.128.10 TCP_MISS/200 29148 GET http://www.squid-cache.org/Images/img4.jpg - HIER_DIRECT/209.169.10.131 image/jpeg
1453701133.116 95 10.0.128.10 TCP_MISS/200 459 GET http://www.squid-cache.org/Images/img2.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.117 95 10.0.128.10 TCP_MISS/200 789 GET http://www.squid-cache.org/Images/img3.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.117 96 10.0.128.10 TCP_MISS/200 797 GET http://www.squid-cache.org/Images/img1.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.117 94 10.0.128.10 TCP_MISS/200 442 GET http://www.squid-cache.org/Images/img5.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.123 98 10.0.128.10 TCP_MISS/200 440 GET http://www.squid-cache.org/Images/img7.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.123 99 10.0.128.10 TCP_MISS/200 775 GET http://www.squid-cache.org/Images/img8.gif - HIER_DIRECT/209.169.10.131 image/gif
1453701133.211 44 10.0.128.10 TCP_MISS/200 1763 GET http://www.squid-cache.org/favicon.ico - HIER_DIRECT/209.169.10.131 image/vnd.microsoft.icon
and reloading http://www.squid-cache.org/ shows:
1453701223.042 0 10.0.128.10 TCP_HIT/200 3543 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1453701223.198 130 10.0.128.10 TCP_REFRESH_MODIFIED/200 1715 GET http://www.squid-cache.org/default.css - HIER_DIRECT/209.169.10.131 text/css
1453701223.248 48 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 248 GET http://www.squid-cache.org/Images/img4.jpg - HIER_DIRECT/209.169.10.131 -
1453701223.306 101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET http://www.squid-cache.org/Images/img2.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET http://www.squid-cache.org/Images/img1.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 99 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET http://www.squid-cache.org/Images/img8.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 98 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET http://www.squid-cache.org/Images/img7.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET http://www.squid-cache.org/Images/img3.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307 100 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET http://www.squid-cache.org/Images/img5.gif - HIER_DIRECT/209.169.10.131 -
But, if I try to connect to a https site like google: https://google.com,
nothing happens, and the browser is just spinning with "Connecting..."
displayed.
The squid instance (running in the foreground) spits out a line:
2016/01/24 23:56:57| hold write on SSL connection on FD 26
If I try another https like yahoo: https://yahoo.com, nothing happens in the
browser as well, just "Connecting..."
But, the squid instance spits out:
2016/01/24 23:59:04| Error negotiating SSL on FD 19: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/24 23:59:04| Error negotiating SSL on FD 21: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
Now, if I remove the "ssl_bump stare all" line from squid.conf, and try:
https://yahoo.com
Firefox returns:
-----
This Connection is Untrusted
You have asked Firefox to connect securely to yahoo.com, but we can't confirm
that your connection is secure.
...
yahoo.com uses an invalid security certificate.
The certificate is only valid for ...
(Error code: ssl_error_bad_cert_domain)
-----
And trying:
https://google.com
Firefox returns:
-----
This Connection is Untrusted
You have asked Firefox to connect securely to www.google.com, but we can't
confirm that your connection is secure.
...
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox
only connect to it securely. As a result, it is not possible to add an exception
for this certificate.
www.google.com uses an invalid security certificate.
The certificate is only valid for ...
(Error code: ssl_error_bad_cert_domain)
-----
In both instances, the certificate being presented to the Firefox client is the
"Squid CA" certificate created above.
And, checking:
# ls -lah /var/squid/ssl_db
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:44 .
drwxrwx--x 5 _squid _squid 512B Jan 24 23:42 ..
drwxr-xr-x 2 _squid _squid 512B Jan 24 23:42 certs
-rw-r--r-- 1 _squid _squid 0B Jan 24 23:42 index.txt
-rw-r--r-- 1 _squid _squid 4B Jan 24 23:44 serial
-rw-r--r-- 1 _squid _squid 1B Jan 24 23:42 size
# ls -lah /var/squid/ssl_db/certs
drwxr-xr-x 2 _squid _squid 512B Jan 24 23:42 .
drwxr-xr-x 3 _squid _squid 512B Jan 24 23:44 ..
Shows no changes.
It appears that this is a problem with dynamic certificate creation, but I have
no idea how to proceed.
I have been blindly playing with configuration changes and directives, but have
never had a "better" outcome than what is described above.
Any help would be greatly appreciated.
Thanks
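The post walks through the prerequisites that ssl-bump needs before ssl_crtd can mint any per-host certificate: an ssl_db directory (certs/, index.txt, size, serial) owned by the Squid user, and a CA PEM that carries both the private key and the certificate, since the wiki recipe writes both into myCA.pem. The script below is an added example for this thread, not Squid's own code; it checks exactly those conditions offline. The paths, the _squid account and the placeholder PEM text are assumptions taken from the post, and the PEM bodies are constructed markers, not real key material.

```python
"""Offline sanity checks for a Squid ssl-bump deployment: the ssl_crtd
certificate database and the CA PEM named in http_port cert=...
Added example for this thread, not Squid code.  Paths and the _squid
account are assumptions taken from the post."""
import os
import stat
import tempfile

# Entries that `ssl_crtd -c -s <dir>` created in the post's listing, plus
# the "serial" file the poster added by hand.
DB_ENTRIES = ("certs", "index.txt", "size", "serial")

# Constructed placeholder PEMs: the BEGIN/END markers are real, the bodies
# are not a key or certificate.
GOOD_PEM = ("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"


def check_ssl_db(db_dir, owner_uid):
    """Return a list of problems with an ssl_crtd database directory.

    ssl_crtd runs as the Squid user, so every entry must be owned by that
    uid and certs/ must be writable by its owner, otherwise no per-host
    certificate can be generated and certs/ stays empty, as in the post.
    """
    problems = []
    if not os.path.isdir(db_dir):
        return ["%s: missing or not a directory" % db_dir]
    for name in DB_ENTRIES:
        path = os.path.join(db_dir, name)
        if not os.path.exists(path):
            problems.append("%s: missing" % path)
            continue
        if os.stat(path).st_uid != owner_uid:
            problems.append("%s: not owned by uid %d" % (path, owner_uid))
    certs = os.path.join(db_dir, "certs")
    if os.path.isdir(certs) and not os.stat(certs).st_mode & stat.S_IWUSR:
        problems.append("%s: owner cannot write, no certificates can be stored" % certs)
    return problems


def check_ca_pem(pem_path):
    """Return a list of problems with the signing CA file.

    The wiki recipe writes key and certificate into one file (-keyout and
    -out both myCA.pem), so both blocks must be present; because the file
    holds a private key it must not be group- or world-readable.
    """
    problems = []
    try:
        with open(pem_path, "r") as fh:
            body = fh.read()
    except OSError as exc:
        return ["%s: %s" % (pem_path, exc.strerror)]
    if "-----BEGIN CERTIFICATE-----" not in body:
        problems.append("%s: no CERTIFICATE block" % pem_path)
    if "PRIVATE KEY-----" not in body:
        problems.append("%s: no PRIVATE KEY block, ssl-bump cannot sign" % pem_path)
    if os.stat(pem_path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("%s: private key readable by group/others" % pem_path)
    return problems


def _build_layout(root, db_entries, pem_text, pem_mode):
    """Create a constructed ssl_db and CA PEM under root for the demo."""
    db = os.path.join(root, "ssl_db")
    os.makedirs(os.path.join(db, "certs"))
    for name in db_entries:
        with open(os.path.join(db, name), "w") as fh:
            fh.write("101\n" if name == "serial" else "")
    pem = os.path.join(root, "myCA.pem")
    with open(pem, "w") as fh:
        fh.write(pem_text)
    os.chmod(pem, pem_mode)
    return db, pem


def demo():
    """Build a correct layout and a broken one in a temp dir and return
    (good_problems, bad_problems).  The broken one mirrors the post before
    "serial" was added, plus a cert-only, world-readable CA file."""
    me = os.getuid()
    root = tempfile.mkdtemp(prefix="sslbump-check-")
    good_db, good_pem = _build_layout(os.path.join(root, "good"),
                                      ("index.txt", "size", "serial"), GOOD_PEM, 0o600)
    bad_db, bad_pem = _build_layout(os.path.join(root, "bad"),
                                    ("index.txt", "size"), CERT_ONLY_PEM, 0o644)
    good = check_ssl_db(good_db, me) + check_ca_pem(good_pem)
    bad = check_ssl_db(bad_db, me) + check_ca_pem(bad_pem)
    return good, bad


if __name__ == "__main__":
    import pwd
    try:  # account name taken from the post's ls output
        squid_uid = pwd.getpwnam("_squid").pw_uid
    except KeyError:
        squid_uid = os.getuid()
    for p in (check_ssl_db("/var/squid/ssl_db", squid_uid)
              + check_ca_pem("/etc/squid/ssl_cert/myCA.pem")):
        print(p)
    print("demo:", demo())
```

Run as the user that owns the Squid tree; an empty list for the real paths means the database layout and CA file are at least structurally usable, and the demo shows the three findings that the broken layout produces (missing serial, no private key, key readable by others). The checks are filesystem-only and do not validate the certificate itself, so a passing run still leaves the upstream "certificate verify failed" errors in the post to be investigated separately.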