[squid-users] Squid 4 ssl_bump issue

Davide Belloni davide.belloni at gmail.com
Thu Apr 4 09:11:38 UTC 2019


Hi,
I have a problem on Ubuntu 18.04.2 with Squid 4.6 compiled against OpenSSL 1.1,
about ssl_bump. The same configuration works with Squid 3.5 and OpenSSL 1.0.

Here is the relevant conf:

...
http_port 3128 ssl-bump options=ALL:NO_SSLv3 connection-auth=off generate-host-certificates=off cert=/etc/squid/squidCA.pem

# Do not bypass server certificate validation errors
sslproxy_cert_error deny all
# This one returns errors with Debian on GCP (https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery)
host_verify_strict off

sslproxy_session_cache_size 0

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek step1 all
ssl_bump peek step2 all

# API Google
acl api_google_urls url_regex ^(https?:\/\/)?.*\.googleapis\.com(:443)?($|\/)
acl api_google_urls url_regex ^(https?:\/\/)?.*\.google\.com(:443)?($|\/)
acl api_google_urls url_regex ^(https?:\/\/)?.*\.cloud\.google\.com(:443)?($|\/)
acl api_google_urls url_regex ^(https:\/\/)?([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})
acl api_google_ssl ssl::server_name_regex .*\.googleapis\.com
acl api_google_ssl ssl::server_name_regex .*\.google\.com
acl api_google_ssl ssl::server_name_regex .*\.cloud\.google\.com
acl api_google_ips src 127.0.0.1/32

http_access allow api_google_ips api_google_urls
ssl_bump splice step3 api_google_ips api_google_ssl

http_access deny all
ssl_bump terminate step3 all
...


To compile and install squid I use this script:

# set squid version
export SQUID_VER="4.6"
export SQUID_PKG="${SQUID_VER}-2"
sudo apt-get -y install libssl-dev devscripts build-essential fakeroot dpkg-dev
sudo apt-get -y install libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev \
    libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev \
    libpam0g-dev libgnutls28-dev libssl-dev libdbi-perl libecap3 libecap3-dev \
    ed libltdl-dev cdbs debhelper dh-apparmor
# we will be working in a subfolder, make it
mkdir -p build/squid
# descend into working directory
pushd build/squid
curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_PKG}.dsc
curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_VER}.orig.tar.gz
curl --tlsv1.1 -sSO http://cdn-fastly.deb.debian.org/debian/pool/main/s/squid/squid_${SQUID_PKG}.debian.tar.xz
# unpack the source package
dpkg-source -x squid_${SQUID_PKG}.dsc
echo "DEB_CONFIGURE_EXTRA_FLAGS += --enable-ssl --with-openssl --enable-ssl-crtd" >> squid-${SQUID_VER}/debian/rules
# build the package
cd squid-${SQUID_VER} && dpkg-buildpackage -rfakeroot -b -J2 -uc -us
# dpkg-buildpackage writes the .deb files to the parent directory (build/squid)
sudo apt-get install squid-langpack
sudo dpkg --install ../squid-common_${SQUID_PKG}_all.deb
sudo dpkg --install ../squid_${SQUID_PKG}_amd64.deb
sudo dpkg --install ../squidclient_${SQUID_PKG}_amd64.deb
cd /etc/squid
sudo openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -subj "/CN=nobody" -x509 -extensions v3_ca -keyout squidCA.pem -out squidCA.pem
sudo chown proxy:proxy /var/spool/squid
sudo chown proxy:proxy /var/log/squid
sudo chown -R proxy:proxy /etc/squid
sudo apt-get -y remove --purge libssl-dev
sudo apt-get -y remove --purge devscripts build-essential fakeroot dpkg-dev
sudo apt-get -y remove --purge libcppunit-dev libsasl2-dev libxml2-dev libkrb5-dev \
    libdb-dev libnetfilter-conntrack-dev libexpat1-dev libcap2-dev libldap2-dev \
    libpam0g-dev libgnutls28-dev libssl-dev libecap3-dev \
    ed libltdl-dev cdbs debhelper dh-apparmor
sudo apt-get -y autoremove


I'm upgrading to Squid 4 with OpenSSL 1.1 because with Squid 3 I have some
connections that get stuck (for example
https://packages.cloud.google.com/apt/doc/apt-key.gpg), I think because of
unsupported ciphers.

But with Squid 4 and OpenSSL 1.1 I have these lines in the cache log:

2019/04/04 08:49:15 kid1| ERROR: client https start failed to allocate handle: error:140AB043:SSL routines:SSL_CTX_use_certificate:passed a null parameter

2019/04/04 08:49:15 kid1| ERROR: could not create TLS server context for local=127.0.0.1:3128 remote=127.0.0.1:39203 FD 19 flags=1

and this in the access log:

127.0.0.1 - - [04/Apr/2019:08:49:15 +0000] "CONNECT packages.cloud.google.com:443 HTTP/1.1" 200 0 "-" "curl/7.58.0" NONE_ABORTED:HIER_NONE packages.cloud.google.com


for the following connection:

root at instance-2:/etc/squid $ https_proxy="http://127.0.0.1:3128" curl -vvvv -sSO https://packages.cloud.google.com/apt/doc/apt-key.gpg
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to packages.cloud.google.com:443
> CONNECT packages.cloud.google.com:443 HTTP/1.1
> Host: packages.cloud.google.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [223 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to packages.cloud.google.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to packages.cloud.google.com:443


Thanks

-- 

Davide Belloni
http://about.me/davidebelloni
http://www.linkedin.com/in/davidebelloni
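The two cache.log errors quoted in the post say that Squid built its TLS server context without a certificate (SSL_CTX_use_certificate was handed a NULL), after which every bumped CONNECT is torn down before a ServerHello, which is exactly what curl's SSL_ERROR_SYSCALL right after "CONNECT phase completed!" looks like. The first thing worth checking is therefore the PEM file that http_port cert= points at. The following check is an added example, not code from the post or from the Squid project: it verifies that the file holds both a private key and a certificate and, when openssl is installed, that the two belong together. The path /etc/squid/squidCA.pem is the one from the post; the function names and the idea that this file is where to look are my assumptions, not a confirmed diagnosis.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the PEM file
# named by "http_port ... cert=" before blaming ssl_bump itself.

# pem_blocks FILE -> prints "<private key blocks> <certificate blocks>".
# Counts PEM armour lines only, so it works on any file and without openssl.
pem_blocks() {
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    printf '%s %s\n' "${keys:-0}" "${certs:-0}"
}

# check_squid_ca FILE -> exit status:
#   0 file carries key + certificate (and they match, if openssl is present)
#   1 no private key block        2 no certificate block
#   3 private key does not belong to the certificate
check_squid_ca() {
    f=$1
    set -- $(pem_blocks "$f")
    [ "$1" -ge 1 ] || { echo "$f: no PRIVATE KEY block" >&2; return 1; }
    [ "$2" -ge 1 ] || { echo "$f: no CERTIFICATE block" >&2; return 2; }
    # Without openssl we can only confirm both blocks exist.
    command -v openssl >/dev/null 2>&1 || return 0
    # Compare the public key inside the certificate with the one derived
    # from the private key; PEM readers skip blocks of the other type, so
    # the order of key and certificate inside the file does not matter.
    certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "$f: private key does not match certificate" >&2; return 3; }
    openssl x509 -in "$f" -noout -subject -dates
}

# Usage: sh check_squid_ca.sh /etc/squid/squidCA.pem
if [ $# -gt 0 ]; then
    check_squid_ca "$1"
fi
```

If the check reports a missing block, regenerate the CA into two separate files (-keyout and -out pointing at different paths) and concatenate them, then re-run the check before restarting Squid. To reproduce the failing handshake without curl, `openssl s_client -proxy 127.0.0.1:3128 -connect packages.cloud.google.com:443` (the -proxy option needs OpenSSL 1.1.0 or newer) shows whether any ServerHello comes back from the proxy at all.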

