[squid-users] Microsoft store issues with ssl-bump

Eliezer Croitoru ngtech1ltd at gmail.com
Tue Jan 12 09:15:36 UTC 2021


This works in another proxy which looks at the SNI only without any bump
involved.
Remember that Squid should splice the connection based on regex and
server-name dst.

On the other proxy this is what I have:
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64632 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64633 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64634 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64630 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:46 ndpi-fw proxy[497]: 2021/01/12 11:12:46 conn 192.168.189.X:64631 - 104.79.221.20:443 released [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 SNI:https://storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 use parent : false, storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 ip 192.168.189.X rate, current: 1/s, max: 20/s
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 conn 192.168.189.X:64667 - 104.79.221.20:443 connected [storeedgefd.dsx.mp.microsoft.com:443]
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 SNI:https://storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 use parent : false, storeedgefd.dsx.mp.microsoft.com:443
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 ip 192.168.189.X rate, current: 2/s, max: 20/s
Jan 12 11:12:54 ndpi-fw proxy[497]: 2021/01/12 11:12:54 conn 192.168.189.X:64669 - 104.79.221.20:443 connected [storeedgefd.dsx.mp.microsoft.com:443]

So the regex:
storeedgefd\.dsx\.mp\.microsoft\.com

should work.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
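As an added illustration (not configuration posted in this thread), this is how the splice-by-SNI rule described above looks in squid.conf: peek at step 1 so the SNI is learned without terminating TLS, splice anything matching the Store regex, and bump the rest. It assumes a Squid 4.x/5.x build with SSL-Bump support; the certificate, key, helper and database paths are placeholders.

```squid
# Added example squid.conf fragment (not from the thread). Placeholder
# paths: adjust the CA cert/key, helper binary and cert DB to your build.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/ssl/bump-ca.pem \
    tls-key=/etc/squid/ssl/bump-ca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 16MB

# SslBump1: only the CONNECT host (or the intercepted dst IP) is known.
# SslBump2: the ClientHello has been peeked, so the TLS SNI is available.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# ssl::server_name matches the peeked SNI, falling back to the CONNECT
# host / dst name. The pattern is the one from the thread, anchored at the
# end so it cannot match a longer, unrelated name.
acl ms_store_splice ssl::server_name_regex -i storeedgefd\.dsx\.mp\.microsoft\.com$

# First matching ssl_bump rule wins: peek at step 1 to read the SNI,
# splice (pass through untouched) matching connections at step 2, and
# bump everything else. Spliced traffic is never decrypted by Squid.
ssl_bump peek step1
ssl_bump splice ms_store_splice
ssl_bump bump all
```

Spliced connections still show up in access.log with the TCP_TUNNEL action and the SNI as the URL, which is the quickest way to confirm the regex is matching the Store hosts seen in the log above.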


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
Lorenzo Marcantonio
Sent: Tuesday, January 12, 2021 10:58 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Microsoft store issues with ssl-bump

On Tue, Jan 12, 2021 at 10:33:00AM +0200, Eliezer Croitoru wrote:
>
> Any hints might help to find and resolve this issue

From my experience MS Update and probably the store too use custom root
certificates; check if that's the case. It's also possible that that
connection is so hardwired that it doesn't accept a redirect. So it sees
that and becomes suspicious (Windows Update is extremely suspicious :D)

For some antivirus (avast maybe? I don't remember) the updater actually
checks the server certificate fingerprint so you can't bump it and you
need a special NAT rule for all the fscking IPs it uses (if you set a
proxy it does a connect BY IP and not by name, and the IPs are hardcoded
and not resolved by DNS).

So it is possible you can't bump a store connection (remember that
technically a bump is a MITM intrusion that TLS is explicitly designed to
detect!)

-- 
Lorenzo Marcantonio


