[squid-users] SSL Bump: I have weekly more sites to whitelist due to HTTP Error 403 on opening site content

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 28 08:49:33 UTC 2020


On 28/08/20 8:12 pm, info at schroeffu.ch wrote:
> 
> Hi Squid Community,
> 
> in the last weeks it has felt like more and more websites are becoming
> "incompatible" with Squid SSL bump.

"feelings" aside, that is exactly the situation. SSL-Bump is literally a
security attack on clients' traffic, exactly the thing TLS is designed to
prevent.

As all our official SSL-Bump documentation says very prominently:
  "when used properly TLS cannot be bumped".

There was a long period where very few websites used TLS properly. The
"HTTPS Everywhere" project has forced a lot of site admins to get
experience with HTTPS and over time more networks are actually starting
to use it properly.

Which version are you using now?


> Some Websites are not displayed at all and a "403 Forbidden" from their
> proxy is displayed, others are displayed very ugly because some CSS is
> missing due to HTTP Error 403 on CSS resources.

"their"? Whose proxy?

If the problem is coming from a proxy that is not yours, contact its
sysadmin.

> 
> Is there any way to tune SSL Bump for less problems with websites?
> 

That depends on what you have configured (see below) and whether the
sites you are interested in are capable of being bumped (see above).


> Here some example websites which are not loading at all with SSL Bump:
> 
> - forcepoint.com (Their Proxy displays: 403 forbidden)
> - itsg.de (Squid: Connect reset by peer)
> - leica-geosystems.com (Bad Request)
> 
> Displayed very ugly because CSS files get HTTP Error 403 with SSL bump:
> 
> - pyur.com
> - help.nextcloud.com
> - it feels like all websites with Discourse Forums are having problems
> with ssl bump - css missing, very ugly
> - many more
> 
> These are only some examples. Who can reproduce these problems with their
> own SSL Bump Squid? Am I doing something wrong with SSL Bump? Is Squid 5
> already better for this?
> 

Which version are you using now?
Exact version, as shown by squid -v, including OpenSSL library version.


> Thanks for any help
> Schroeffu
> 
> My current bump conf is extremely simple, just the default:

FYI; the *default* for SSL-Bump is not to exist. So no, your config is
way beyond default, simple as it is.


> 
> http_port proxy03bs.tld.com:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/subca.crt.pem key=/etc/squid/certs/subca.key.ohnersa.pem
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
> ssl_bump bump !domains_dont_sslbump
> 
> 

This performs the bump action without any actual info from the TLS
server being "bumped". So of course you can expect a lot of problems
with that.

A "reliable" (as much as it can be) configuration looks at the TLS
handshake from each endpoint before deciding which details to pass on
and which to change:


 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump stare all
 ssl_bump bump all


Adding in your whitelist of non-bump domains would look like:

 acl step1 at_step SslBump1
 # step 1: only the CONNECT request is known; peek to obtain the client Hello (SNI)
 ssl_bump peek step1
 # step 2: SNI is now known; whitelisted names become a plain TCP tunnel
 ssl_bump splice domains_dont_sslbump
 # step 2: stare (not peek) so that bumping is still possible at step 3
 ssl_bump stare all
 # step 3: server certificate is known; generate a mimic and bump
 ssl_bump bump all


HTH
Amos
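As an added illustration (not part of the original reply or of the Squid project's own documentation), here is the poster's listener and certificate-generator configuration combined with the peek/splice/stare/bump rules from the reply into one complete fragment. The port name and certificate paths are the ones quoted in the thread; the domain list behind `domains_dont_sslbump` is a constructed placeholder using the hosts named in the thread, and the fragment assumes Squid 4 or 5 (the `at_step` and `ssl::server_name` ACL types).

```conf
# Added example, assembled from this thread; replace the placeholder values.

# Forward-proxy listener that is allowed to bump. Squid mints a leaf
# certificate per origin host, signed by the sub-CA below, which every
# client must already trust.
http_port proxy03bs.tld.com:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/subca.crt.pem key=/etc/squid/certs/subca.key.ohnersa.pem

# Helper that generates and caches the per-host certificates.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

# Names that must never be bumped (constructed list; dstdomain-style
# matching, so a leading dot also covers subdomains). At step 1 the name
# comes from the CONNECT request, at step 2 from the client's SNI.
acl domains_dont_sslbump ssl::server_name .forcepoint.com .itsg.de .leica-geosystems.com

acl step1 at_step SslBump1

# Step 1: only the CONNECT request is known. Do not decide yet; peek so
# the client Hello is forwarded unchanged and Squid learns the SNI.
ssl_bump peek step1

# Step 2: SNI is known. Whitelisted names are spliced: Squid becomes a
# TCP tunnel and never sees or alters the TLS session.
ssl_bump splice domains_dont_sslbump

# Step 2, everything else: stare, i.e. Squid completes the server
# handshake itself so the real server certificate is known at step 3.
# A peek here instead would make bumping at step 3 impossible.
ssl_bump stare all

# Step 3: server certificate is known; generate a mimicking certificate
# and bump.
ssl_bump bump all
```

Two things a practitioner should keep in mind with this shape. The splice decision is taken at step 2, so it rests solely on the client-supplied SNI, which any client can set to a whitelisted name to escape bumping; a forward proxy cannot verify that name until the server has answered. And because step 2 uses stare rather than peek, a site that turns out at step 3 to be unbumpable (client certificates, key pinning, a handshake Squid cannot reproduce) cannot be rescued by splicing at that point; its name has to go into the whitelist instead, which is exactly the weekly maintenance the original poster describes.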

