[squid-users] HTTPS chrome - SHA1 this page is insecure

Rafael Akchurin rafael.akchurin at diladele.com
Thu Sep 1 09:54:43 UTC 2016


Hello everyone,

It may also be that you are using an old Squid that does not support signing the faked certificate with an algorithm other than SHA-1 (because it was hardcoded at that time). This is the case for Squid 3.3.8, usually present in stable Ubuntu 14 LTS and CentOS 7.

In order to fix it you either need to go to the most recent Squid (preferred) or recompile your Squid after applying a small patch like the following:

--- gadgets.cc  2013-07-13 15:25:14.000000000 +0200
+++ gadgets.cc.new      2015-11-09 23:00:47.591124352 +0100
@@ -389,9 +389,9 @@

     /*Now sign the request */
     if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())
-        ret = X509_sign(cert.get(), properties.signWithPkey.get(), EVP_sha1());
+        ret = X509_sign(cert.get(), properties.signWithPkey.get(), EVP_sha256());
     else //else sign with self key (self signed request)
-        ret = X509_sign(cert.get(), pkey.get(), EVP_sha1());
+        ret = X509_sign(cert.get(), pkey.get(), EVP_sha256());

     if (!ret)
         return false;
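Review bot: EVP_sha256() is simply hardcoded in place of EVP_sha1() in both X509_sign() calls, so the signing hash still cannot be changed without another rebuild; if this is meant for anything beyond a one-off local rebuild, take the digest from configuration (current Squid exposes it as sslproxy_cert_sign_hash, which Alex points to below) instead of baking in a second constant. The two branches differ only in the key, so selecting the key first and making a single X509_sign(cert.get(), key, digest) call would also remove the duplicated line. The file headers name only gadgets.cc / gadgets.cc.new with no tree path, so the mail should state the directory and -p level to apply the patch in.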

There is a doc article and a repo that have it all explained:
http://docs.diladele.com/administrator_guide_4_4/install/ubuntu14/squid.html
https://github.com/ra-at-diladele-com/qlproxy_external/tree/master/src/va/scripts.ubuntu14

But please take it with a huge grain of salt if you can.

Best regards,
Rafael Akchurin
Diladele B.V.
http://www.quintolabs.com
http://www.diladele.com

--
Please take a look at Web Safety - our ICAP based web filter server for Squid proxy.
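An added example, not part of this thread and not Squid or Diladele code: a POSIX shell script that pulls the chain a client actually receives through the bumping proxy, prints each certificate's signature algorithm, and applies the Chrome >= 41 rule quoted further down in the thread (leaf expires in 2017 or later and any SHA-1 signature in the chain). It assumes openssl is on PATH; the host and proxy arguments are placeholders. The self-signed root is skipped because browsers trust a root by identity and do not check its own signature.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid's own tooling): audit the chain a
# client gets through an SSL-Bumping Squid and apply the Chrome 41+ SHA-1 rule.
# Assumes: openssl on PATH; HOST / PROXY arguments are placeholders.
set -eu

# Pure decision logic (no network), so it can be checked offline.
# $1 = year in which the leaf certificate expires (from notAfter)
# $2 = space-separated signature algorithms of every certificate in the chain
#      except the self-signed root, as printed by `openssl x509 -text`
#      (e.g. sha1WithRSAEncryption, ecdsa-with-SHA1, sha256WithRSAEncryption)
chrome_sha1_verdict() {
    leaf_year=$1
    algs=$2
    case " $algs " in
        *[Ss][Hh][Aa]1*) has_sha1=1 ;;   # matches sha1With..., ...-with-SHA1, dsaWithSHA1
        *)               has_sha1=0 ;;
    esac
    if [ "$has_sha1" -eq 1 ] && [ "$leaf_year" -ge 2017 ]; then
        echo insecure        # Chrome >= 41: "affirmatively insecure"
    elif [ "$has_sha1" -eq 1 ]; then
        echo sha1-present    # SHA-1 in chain, but outside the quoted 2017 rule
    else
        echo ok
    fi
}

# First "Signature Algorithm" line of a PEM certificate (openssl prints it again
# at the end, in front of the signature bytes; both carry the same OID).
sig_alg() {
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# Exit status 0 when subject == issuer, i.e. a self-issued root.
is_self_issued() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^[a-z]*= *//')
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^[a-z]*= *//')
    [ "$s" = "$i" ]
}

# Fetch HOST's chain (via an explicit PROXY if given; an intercepting proxy
# needs no flag, just run this from a client whose traffic it bumps) and classify it.
audit_chain() {
    host=$1
    proxy=${2:-}
    tmp=$(mktemp -d)
    if [ -n "$proxy" ]; then
        # -proxy speaks CONNECT to the proxy; needs OpenSSL >= 1.1.0
        chain=$(openssl s_client -proxy "$proxy" -connect "$host:443" -servername "$host" \
                    -showcerts </dev/null 2>/dev/null || true)
    else
        chain=$(openssl s_client -connect "$host:443" -servername "$host" \
                    -showcerts </dev/null 2>/dev/null || true)
    fi
    # Split the PEM blobs: cert1.pem is the leaf, then intermediates/root in server order.
    printf '%s\n' "$chain" | awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
    # notAfter=Sep  1 00:00:00 2017 GMT -> year is the second-to-last field
    leaf_year=$(openssl x509 -noout -enddate -in "$tmp/cert1.pem" | awk '{ print $(NF-1) }')
    algs=""
    for c in "$tmp"/cert*.pem; do
        printf '%-28s %s\n' "$(sig_alg "$c")" "$(openssl x509 -noout -subject -in "$c")"
        is_self_issued "$c" || algs="$algs $(sig_alg "$c")"
    done
    rm -rf "$tmp"
    printf 'leaf expires %s; verdict: %s\n' "$leaf_year" "$(chrome_sha1_verdict "$leaf_year" "$algs")"
}

if [ $# -gt 0 ]; then
    audit_chain "$@"      # e.g.: sh audit.sh www.example.com [squid.example.net:3128]
fi
```

Run it from a client behind an intercepting Squid as `sh audit.sh www.example.com`, or through an explicit proxy as `sh audit.sh www.example.com squid.example.net:3128`. Because the generated leaf mimics the origin certificate's expiry, any origin certificate valid into 2017 trips the rule as long as the bumping CA signs with SHA-1, which is exactly the Chrome message in the original question. On Squid 3.5 or later the fix is the sslproxy_cert_sign_hash directive rather than a patch; after changing it, it is prudent to clear and recreate the ssl_crtd cache (ssl_crtd -c -s <dir>), since leaves generated before the change may still be served from it.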




From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Diogenes S. Jesus
Sent: Thursday, September 1, 2016 11:37 AM
To: Alex Rousskov <rousskov at measurement-factory.com>
Cc: squid-users at lists.squid-cache.org; erdosain9 <erdosain9 at gmail.com>
Subject: Re: [squid-users] HTTPS chrome - SHA1 this page is insecure

The answer to why you only see it on Chrome is that since Chrome >= 41:

"Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”."
Source: https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

Best regards

On Wed, Aug 31, 2016 at 5:24 PM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
On 08/31/2016 09:15 AM, Amos Jeffries wrote:
> On 1/09/2016 2:26 a.m., erdosain9 wrote:
>> Hi.
>> I'm using ssl-bump.. all is working fine, but I want to know if it is
>> possible for the "https" not to be seen crossed out and in red.
>> This happen just in Chrome
>> This page is insecure (broken HTTPS)
>> SHA-1 Certificate
>> The certificate for this site expires in 2017 or later, and the certificate
>> chain contains a certificate signed using SHA-1.

Sounds like you are running an old Squid version.


> This requires changes to the certificate generator used by SSL-Bump.
> IIRC there were some patches, but I can't find them right now in the
> changesets. If the issue exists in current releases then please ask on
> squid-dev.

See http://www.squid-cache.org/Doc/config/sslproxy_cert_sign_hash/


> Of course, it's possible the site really does have a SHA1 certificate and
> Squid is just passing on the real details. The mimic feature is designed
> to ensure TLS is actually transparent as best we can manage.

I have not checked, but I doubt we mimic the signing algorithm (because
it would make client-Squid communication less secure?). If we do, we
should update the wiki page that lists what is being mimicked.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



--

--------

Diogenes S. de Jesus

