[squid-users] Squid blocking own OCSP/AIA requests

Markus Wernig listener at wernig.net
Wed Mar 22 13:20:21 UTC 2017


Small update:

- The URL http://apps.identrust.com/roots/dstrootcax3.p7c is not the
OCSP responder, but the AIA for the Root CA (DST Root CA X3) embedded in
the issuing CA's certificate's CA Issuers.
- Same for
http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE:
AIA for Root CA.

Since squid is sslbumping the connection, it must be doing the AIA
lookups (presumably for SSL verification). Does anybody have an idea why
it is blocking its own requests?

Best /markus

On 03/21/2017 11:35 AM, Markus Wernig wrote:
> Hi all
> 
> I have configured Squid 4.0.18 (CentOS) with sslbump and clamav as
> ecap_service. This works well.
> 
> One thing I've noticed, though, is constant log entries like this in
> access.log:
> 
> 2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET
> http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/-
> text/html;charset=utf-8 -
> 2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT
> letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -
> 
> It appears that this is the OCSP URI for Letsencrypt certificates.
> 
> And in fact every time this is logged, a CONNECT to an https URI is
> logged that is using a Letsencrypt certificate (like e.g.
> https://letsencrypt.org).
> 
> Given that there is no client IP logged, I assume that squid is blocking
> its own outgoing OCSP request here (the browser is configured to NOT use
> OCSP).
> 
> The same seems to happen when there's no OCSP URI, but a regular AIA URI
> in the certificate:
> 
> 2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET
> http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE
> - HIER_NONE/- text/html;charset=utf-8 -
> 2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT
> swisssign.net:443 - HIER_DIRECT/swisssign.net - -
> 
> I do have "http_access allow localhost" in squid.conf, but since there's
> no IP associated with the request, this does not seem to help.
> 
> Is there a way to allow these outgoing internal requests? I've looked
> through the FAQ and wiki, but couldn't find anything on the topic.
> 
> Thanks & best
> 
> /markus
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 


-- 
Markus Wernig
Unix/Network Security Engineer
PGP: D9203D2A4AD9FC3333DEEF9DF7ACC6208E82E4DC
SIP/XMPP: markus at wernig.net
Furch D25-SR Cut - Ovation CE C2078AX-5
-----------------------------------------
http://xfer.ch - http://markus.wernig.net
-----------------------------------------
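As an added illustration (editor's example, not code from the thread or from the Squid project), the following script applies the pattern Markus describes to access.log lines: a TCP_DENIED entry whose client field is "-" (no client address, so the request was generated by the proxy itself) that is immediately followed by a CONNECT from a real client is reported as a likely blocked proxy-internal fetch, together with the bumped host that probably triggered it. The sample log lines are constructed from the entries quoted above plus one ordinary client denial that must not be flagged; the field positions and the two-second correlation window are assumptions about this particular log format, not Squid documentation.

```python
"""Spot Squid access.log entries that look like the proxy's own AIA/OCSP
fetches being denied by http_access.

Added example code; it is not part of Squid. The heuristic is the one from
the thread: a TCP_DENIED line with no client address ("-"), followed shortly
by a CONNECT from a real client, is probably a proxy-internal certificate
fetch that the bumped connection triggered.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: the two pairs quoted in the thread, each log entry on
# one line, plus an ordinary client request that is denied (has a client IP)
# and therefore must NOT be reported.
SAMPLE_LOG = [
    "2017-03-21 10:35:08.338 +0100 000137 - TCP_DENIED/403 3607 GET "
    "http://apps.identrust.com/roots/dstrootcax3.p7c - HIER_NONE/- text/html;charset=utf-8 -",
    "2017-03-21 10:35:08.345 +0100 000161 10.254.254.2 NONE/200 0 CONNECT "
    "letsencrypt.org:443 - HIER_DIRECT/letsencrypt.org - -",
    "2017-03-21 10:35:10.000 +0100 000010 10.254.254.7 TCP_DENIED/403 3600 GET "
    "http://example.invalid/blocked - HIER_NONE/- text/html;charset=utf-8 -",
    "2017-03-21 10:36:19.773 +0100 000000 - TCP_DENIED/403 3734 GET "
    "http://swisssign.net/cgi-bin/authority/download/5B257B96A465517EB839F3C078665EE83AE7F0EE"
    " - HIER_NONE/- text/html;charset=utf-8 -",
    "2017-03-21 10:36:19.782 +0100 000038 10.254.254.2 NONE/200 0 CONNECT "
    "swisssign.net:443 - HIER_DIRECT/swisssign.net - -",
]


@dataclass
class Entry:
    when: datetime
    client: Optional[str]  # None when Squid logged "-" (no client address)
    status: str            # e.g. "TCP_DENIED/403"
    method: str
    url: str
    hier: str


def parse_line(line: str) -> Entry:
    """Parse one line of the (assumed) field layout seen in the thread:
    date time tz duration client status bytes method url user hier mime ..."""
    f = line.split()
    when = datetime.strptime(f"{f[0]} {f[1]} {f[2]}", "%Y-%m-%d %H:%M:%S.%f %z")
    client = None if f[4] == "-" else f[4]
    return Entry(when, client, f[5], f[7], f[8], f[10])


def find_blocked_internal_fetches(lines: List[str],
                                  window: timedelta = timedelta(seconds=2)):
    """Return denied requests with no client address, each paired with the
    first real-client CONNECT logged within `window` after it (if any)."""
    entries = [parse_line(l) for l in lines if l.strip()]
    findings = []
    for i, e in enumerate(entries):
        if e.client is not None or not e.status.startswith("TCP_DENIED"):
            continue  # normal client traffic or not a denial: not our case
        trigger = None
        for nxt in entries[i + 1:]:
            if nxt.when - e.when > window:
                break
            if nxt.method == "CONNECT" and nxt.client is not None:
                trigger = nxt
                break
        findings.append({
            "url": e.url,
            "status": e.status,
            "bumped_host": trigger.url.split(":")[0] if trigger else None,
            "client": trigger.client if trigger else None,
        })
    return findings


if __name__ == "__main__":
    for hit in find_blocked_internal_fetches(SAMPLE_LOG):
        print(f"{hit['status']} {hit['url']} <- likely triggered by bump of "
              f"{hit['bumped_host']} for client {hit['client']}")
```

Running it over a real access.log (`find_blocked_internal_fetches(open(path).readlines())`) gives a quick list of which fetches the proxy is denying itself and which bumped sites cause them, which is the evidence to compare against the http_access rules before deciding how to permit them.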