[squid-users] SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server hello

Loučanský Lukáš Loucansky.Lukas at kjj.cz
Wed Jun 17 11:35:51 UTC 2020


This is the most naïve and dirtiest effort but I don't know where else it's called - not going to check it and fix calling it with nonsense numbers - so I went like this:

/// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
static AnyP::ProtocolVersion
ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
{
    Parser::BinaryTokenizerContext context(tk, contextLabel);
    uint8_t vMajor = tk.uint8(".major");
    uint8_t vMinor = tk.uint8(".minor");

    // workaround from this post: report any major > 3 (e.g. 122 = 0x7A) as TLS/1.0
    if (vMajor > 3)
        return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, 0);

    if (vMajor == 0 && vMinor == 2)
        return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);

    Must(vMajor == 3);
    if (vMinor == 0)
        return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);

    return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
}


So - if someone tries to fool us with random numbers - rule it out as TLS 1.0. I know it deserves more - this code does what it is not meant to be doing etc. etc. (for every version >3 returns something) But:

2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(65) got: Extension.type=43 occupying 2 bytes @164 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(65) got: Extension.data.length=11 occupying 2 bytes @166 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15611 created from id SBuf15576
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(74) got: Extension.data.octets= 0a7a7a0304030303020301 occupying 11 bytes @168 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15611 destructed
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(57) got: Extension occupying 15 bytes @164 in 0x7ffcd4777170.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15612 created from id SBuf15610
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(65) got: SupportedVersions.length=10 occupying 1 bytes @0 in 0x7ffcd4776fd0.
2020/06/17 13:02:12.978 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15613 created from id SBuf15612
2020/06/17 13:02:12.978 kid2| 24,7| BinaryTokenizer.cc(74) got: SupportedVersions.octets= 7a7a0304030303020301 occupying 10 bytes @1 in 0x7ffcd4776fd0.
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(38) SBuf: SBuf15614 created from id SBuf15613
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15613 destructed
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=122 occupying 1 bytes @0 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=122 occupying 1 bytes @1 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @2 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=4 occupying 1 bytes @3 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @4 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=3 occupying 1 bytes @5 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @6 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=2 occupying 1 bytes @7 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.major=3 occupying 1 bytes @8 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,7| BinaryTokenizer.cc(65) got: supported_version.minor=1 occupying 1 bytes @9 in 0x7ffcd4777010.
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15614 destructed
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15612 destructed
2020/06/17 13:02:12.979 kid2| 83,7| Handshake.cc(594) parseSupportedVersionsExtension: found TLS/1.3
2020/06/17 13:02:12.979 kid2| 24,8| SBuf.cc(70) ~SBuf: SBuf15610 destructed

Note 7a7a0304030303020301, 0x7A = 122

I think fixing it everywhere would involve BinaryTokenizing the extension string (like tkVersions) and checking every value sent to ParseProtocolVersion. In the Handshake.cc file on about six occasions. It seems very likely that *some* vendors will send nonsense values to the other parts as well. So it would be nice to have them all sanitized. For me it looks like a Google initiative - but I could be wrong. Anyway - what seemed to be a problem with TLS on my box now seems to be a problem with additive, random numbers in the supported versions string - waiting for someone to investigate it further...

LL
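
Added example (not part of the original post, and not Squid's code): the leading 0x7a7a in the logged octets fits the RFC 8701 GREASE pattern (0x0A0A through 0xFAFA), placeholder values that clients send on purpose and that RFC 8446 tells servers to ignore along with any other unknown version. The sketch parses the logged supported_versions body and skips such values instead of mapping them to a version; the struct, function and constant names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

struct SupportedVersions {
    bool wellFormed = false;        // length framing was consistent
    uint16_t highest = 0;           // highest recognized version, 0 if none
    std::size_t greaseSkipped = 0;  // RFC 8701 placeholders ignored
    std::size_t unknownSkipped = 0; // other unrecognized values ignored
};

// RFC 8701 GREASE code points are 0x0A0A, 0x1A1A, ... 0xFAFA.
static bool IsGrease(uint16_t v)
{
    return (v & 0x0F0F) == 0x0A0A && (v >> 8) == (v & 0xFF);
}

// Hypothetical helper (not Squid's API): parse the body of a ClientHello
// supported_versions extension: a 1-byte length, then 2-byte versions.
static SupportedVersions
ParseSupportedVersions(const std::vector<uint8_t> &body)
{
    SupportedVersions r;
    if (body.empty())
        return r;
    const std::size_t len = body[0];
    // the list must be a non-empty run of pairs that fills the body exactly
    if (len < 2 || len % 2 != 0 || len != body.size() - 1)
        return r;
    for (std::size_t i = 1; i + 1 < body.size(); i += 2) {
        const uint16_t v = static_cast<uint16_t>((body[i] << 8) | body[i + 1]);
        if (IsGrease(v))
            ++r.greaseSkipped;
        else if (v < 0x0300 || v > 0x0304)
            ++r.unknownSkipped; // unknown versions are ignored, not fatal
        else if (v > r.highest)
            r.highest = v;      // 0x0300 = SSL 3.0 ... 0x0304 = TLS 1.3
    }
    r.wellFormed = true;
    return r;
}

// Constructed from the Extension.data.octets value in the log above.
static const std::vector<uint8_t> kLoggedBody = {
    0x0a, 0x7a, 0x7a, 0x03, 0x04, 0x03, 0x03, 0x03, 0x02, 0x03, 0x01};
```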


