[squid-users] SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server helllo

Loučanský Lukáš Loucansky.Lukas at kjj.cz
Tue Jun 16 07:43:19 UTC 2020 

Hello,
I was wondering if anyone could take a look at this:
I'm running squid for rather long time, recently I have upgraded my squid box to Debian 10 (from Debian 9) and OpenSSL 1.1.1d 
 
4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux OpenSSL 1.1.1d  10 Sep 2019

squid -v
Squid Cache: Version 4.12
Service Name: squid

This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid4' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid4' '--sysconfdir=/etc/squid4' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-snmp' '--disable-translation' '--with-swapdir=/var/spool/squid4' '--with-logdir=/var/log/squid4' '--with-pidfile=/var/run/squid4.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-openssl' '--enable-ssl-crtd' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-linux-netfilter' 'PKG_CONFIG_PATH=:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'CFLAGS=-g -O2 -m64 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -m64 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 'build_alias=x86_64-linux-gnu'

Before upgrade I was running stock kernel, stock openssl and compiled squid version 4.10 with ssl support to splice (local and excepted webs), peek and terminate ssl connections based on the SNI acl. 
 
Now I run into this problem - my configuration does not work anymore. So I decided to try to bump every connection. The security file certgen is making new certificates based on my CA as usual.
But the client on the intercepted connection (via changed routing table under mikrotik and then prerouted to correct squid ports for http and ssl traffic) running Chrome 83 http://download.kjj.cz/pub/ssl/idnes.cz_chrome.83.0.4103.97.pcapng sends ClientHello - and no ServerHello is received. I've tcpdumped outgoing interface on the squid box - and there was no actual connection to the desired server. 
In the access.log there is something like 1592212170.495      2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
 
But - same client, same network, same network running Firefox 77 http://download.kjj.cz/pub/ssl/idnes.cz_firefox.77.0.1.pcapng  gets ServerHello after it's ClientHello - they exchange information, exchange ciphers etc. and the web page is loaded. I've checked https certificate details - it's been issued by my CA.


access.log:
 
1592212156.764      8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
1592212156.774      2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.825     38 10.0.0.40 TCP_MISS/302 777 GET https://idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
1592212156.840      7 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.893     28 10.0.0.40 TCP_CLIENT_REFRESH_MISS/200 40086 GET https://www.idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html


So in Firefox - it seems to be working. I have modified opensll.cnf default configuration to avoid MinProtocol TLS1.2, but no change. I have 2048b SSL DH params specified for prime256v1 curve in the https-port definition like this https_port 3129 intercept ssl-bump  generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid4/ssl/CAcert.pem tls-dh=prime256v1:/etc/squid4/ssl/dhparams_2048.pem cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

and

tls_outgoing_options options=NO_SSLv3
tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

At first I thought I have to change my configuration or that I missed something during the compiling so I switched back to 4.10 - no change.I see 2020/06/15 11:21:45 kid2| Error negotiating SSL connection on FD 59: error:00000001:lib(0):func(0):reason(1) (1/-1) in the cache.log here and there - but it was the same before. I've actually turned debug on (by debug_options ALL,9), just to get bunch of information, tracked down connect request to the desired servers and seeing nothing...

Is it something about the patch for older TLS traffic, or is it some misconfiguration - maybe in the ciphers or TLS versions?

Thanks LL

More information about the squid-users mailing list