[squid-users] Uncomplete Negotiate negotiation with Kerberos

Emmanuel Coirier ecoirier at olfeo.com
Tue Oct 2 11:32:26 UTC 2018 

Hi everybody !

Is it desirable that the Negotiate/Kerberos proxy authentication method be interrupted as soon as Squid knows the identity of the browser's user, without letting the browser authenticates Squid in response ?

When a browser wants to connect to some random HTTP website, it sends a GET request. A proxy wanting to authenticate the browser, via Kerberos, responds with 407, which lets the browser knows that it has to authenticate. Then the browser sends a Kerberos authenticator (in base64 in the Proxy-Authorization header). Then Squid *should* answer back with a Proxy-Authentication-Info letting the browser finish the Kerberos process and validating that it is communicating with the real proxy it wants to use. It is how gss-api is intended to be used.

It was the case with Squid 3.3.8, where Squid answers back, along with the response (200 OK), the Proxy-Authentication-Info header with the final token. But with Squid 4.2, the browser doesn't anymore add this headers, preventing the browser to authenticate back the proxy.

The problem is that it enables some potentially Man in the Middle attack (since any malicious proxy where the traffic is diverted could then answers back without the client knowing it talks to a malicious proxy)

Here is an example of this phenomenon with GET and CONNECT :

GET http://perdu.com/ HTTP/1.1
Host: perdu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

HTTP/1.1 407 Proxy Authentication Required
Server: squid/4.2
Mime-Version: 1.0
Date: Tue, 02 Oct 2018 08:35:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1852
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: fr
Proxy-Authenticate: Negotiate
X-Cache: MISS from ceriseconfite
X-Cache-Lookup: NONE from ceriseconfite:3129
Via: 1.1 ceriseconfite (squid/4.2)
Connection: keep-alive

<some really long webpage for something that shouldn't be displayed>

GET http://perdu.com/ HTTP/1.1
Host: perdu.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Proxy-Authorization: Negotiate YIIChwYGKw[...blablabla some random authenticator...]W6m

HTTP/1.1 200 OK (with Squid 4.2)
Date: Tue, 02 Oct 2018 08:35:27 GMT
Server: Apache
Last-Modified: Thu, 02 Jun 2016 06:01:08 GMT
ETag: "cc-5344555136fe9"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 163
Content-Type: text/html
X-Cache: MISS from ceriseconfite
X-Cache-Lookup: MISS from ceriseconfite:3129
Via: 1.1 ceriseconfite (squid/4.2)
Connection: keep-alive
                     <------------- Missing the Proxy-Authentication-Info


HTTP/1.1 200 OK (with older Squid 3.3.8)
Date: Fri, 28 Sep 2018 08:09:27 GMT
Server: Apache
Last-Modified: Thu, 02 Jun 2016 06:01:08 GMT
ETag: "cc-5344555136fe9"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 163&
Content-Type: text/html
Proxy-Authentication-Info: Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg==  <--- here was the authentication response back to the client
X-Cache: MISS from sucre-SQUID-50118215
X-Cache-Lookup: MISS from sucre-SQUID-50118215:3127
Connection: keep-alive

..........5....0.Dw...H.....L.l..Cc.H%).S..'!....:...L..:B
:3.S.pU.0....4....#.O....\...-*KdmzE...m........."...v...R..0...$\.	j.....ny
2...0.4.B...>....|....-....


And here is the same exchange but with TLS :

CONNECT perdu.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: perdu.com:443

HTTP/1.1 407 Proxy Authentication Required
Server: squid/4.2
Mime-Version: 1.0
Date: Tue, 02 Oct 2018 08:30:51 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1813
X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Proxy-Authenticate: Negotiate
X-Cache: MISS from ceriseconfite
X-Cache-Lookup: NONE from ceriseconfite:3129
Via: 1.1 ceriseconfite (squid/4.2)
Connection: keep-alive

<some really long webpage for something that shouldn't be displayed>

CONNECT perdu.com:443 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: perdu.com:443
Proxy-Authorization: Negotiate YIIChwYGKwYBBQUCo[...blablabla some other random authenticator...]zCqD

HTTP/1.1 200 Connection established (same with Squid 4.2 and Squid 3.3.8)
                  <---- is the Proxy-Authentication-Info missing ?

(TLS tunnel exchange)

It this behavior endorsed, or is it a bug ?

Actually, I know that browsers seem not to care, but they won't be able to care if they don't receive all the needed information.

Thanks for reading and your response :-)

-- 
Emmanuel Coirier

More information about the squid-users mailing list