[squid-users] acl aclname server_cert_fingerprint

Eliezer Croitoru ngtech1ltd at gmail.com
Tue Jan 26 07:09:46 UTC 2021


I will try to test it when users are not on the proxy later.

I have another issue with the "server_cert_fingerprint" directive.
I have a working setup which I am unable to make work with "server_cert_fingerprint".
I'm not sure how and in what step or place in the config it should be used.

My squid conf attached and one server cert fingerprint is:
1C:8C:EC:C8:C4:7F:DF:36:62:69:B1:6A:92:5A:AE:4A:F2:06:E6:B2

Which is in the file:
no-ssl-bump-server-fingerprint.list

I'm trying to understand what I'm doing wrong in the config that still lets edition.cnn.com be decrypted instead of spliced?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon


-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com> 
Sent: Tuesday, January 26, 2021 6:22 AM
To: Eliezer Croitoru <ngtech1ltd at gmail.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] acl aclname server_cert_fingerprint

On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
> I'm trying to use:
> acl aclname server_cert_fingerprint [-sha1] fingerprint
> 
> 
> I have created the next file:
> /etc/squid/no-ssl-bump-server-fingerprint.list
> 
> And trying to use the next line:
> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
> "/etc/squid/no-ssl-bump-server-fingerprint.list"
> 
> To be explicit, even though only sha1 is a valid checksum.
> Squid doesn't accept the above line


Does not accept how? What is the error message?


> but this one yes:
> acl NoBump_certificate_fingerprint server_cert_fingerprint
> "/etc/squid/no-ssl-bump-server-fingerprint.list"

> Is there a reason for that?


The use of ACL options and ACL parameter options is poorly documented.

Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
says that server_cert_fingerprint is still broken. Not sure whether that
was true, whether some other commit has fixed that ACL, and whether the
problem mentioned in the commit message is related to your troubles.
https://bugs.squid-cache.org/show_bug.cgi?id=4847
https://github.com/squid-cache/squid/pull/191

Also, according to my 2015 notes, server_cert_fingerprint happens to be
case sensitive. I consider that a bug. I am not sure, but I think Squid
expects uppercase hex letters (if any). I do not know whether that has
been fixed.


Finally, it is dangerous to list ACL parameter options like -sha1 in
front of parameter filename when that parameter file may contain its own
parameter options. A reader may think that -sha1 in squid.conf
overwrites, say, -sha256 in the parameter file, but that is not what
probably will happen when Squid starts supporting both options.

That consideration may actually be the reason why Squid rejects your
first configuration sample (or perhaps it should be the reason even if
it does not).

I am sure there are use cases where the admin wants to apply one
parameter option to the whole file, but the ambiguity is too dangerous
to allow IMO. We should make the choice explicit.


HTH,

Alex.
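An added example, not part of the thread and not code from the Squid project, that addresses the two open points above: in which SslBump step a server_cert_fingerprint ACL can actually match, and what form the entries in the parameter file should take given Alex's note that the match is case sensitive and probably expects uppercase hex. It assumes that server_cert_fingerprint matches the SHA-1 of the DER-encoded server certificate written as colon-separated uppercase hex (the form `openssl x509 -fingerprint -sha1` prints and the form of the fingerprint quoted in the thread), and Squid's documented SslBump1/2/3 step model with peek/splice/bump. The ACL name and file name are the ones used in the thread; the ssl_bump rule order in `ssl_bump_rules` is my suggestion, not something the thread confirms.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from Squid.
# Assumptions: server_cert_fingerprint matches the SHA-1 of the DER-encoded
# server certificate as uppercase, colon-separated hex (the form
# `openssl x509 -fingerprint -sha1` prints, and the form of the fingerprint
# quoted in the thread), and Squid's documented SslBump step model
# (SslBump1/2/3 with peek/splice/bump). The ACL and file names are the
# thread's; the rule order in ssl_bump_rules is an assumption.

# normalize_fp FP: print FP as 40 uppercase hex digits with a colon after
# every byte, the form a case-sensitive matcher expecting uppercase accepts.
# Takes either case, with or without colons, with stray whitespace.
# Prints nothing and returns 1 if FP is not a 20-byte (SHA-1) digest.
normalize_fp() {
    hex=$(printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F')
    case "$hex" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#hex}" -eq 40 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# fp_of_der: SHA-1 fingerprint, in the same form, of a DER certificate read
# from stdin. This is the value `openssl x509 -noout -fingerprint -sha1`
# prints after the "SHA1 Fingerprint=" prefix.
fp_of_der() {
    if command -v sha1sum >/dev/null 2>&1; then
        raw=$(sha1sum | cut -d' ' -f1)
    else
        raw=$(shasum -a 1 | cut -d' ' -f1)   # macOS/BSD fallback
    fi
    normalize_fp "$raw"
}

# fp_of_pem FILE: fingerprint of a PEM certificate via openssl, ready to
# append to the ACL parameter file. (Needs a real certificate; not self-tested.)
fp_of_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# normalize_list: read an ACL parameter file on stdin and print it in the
# canonical form, dropping blank lines and lines starting with '#'.
# Returns 1 if any entry is not a SHA-1 fingerprint, so a stray character or
# a SHA-256 value pasted by mistake cannot silently disable the rule.
normalize_list() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        normalize_fp "$line" || { printf 'not a SHA-1 fingerprint: %s\n' "$line" >&2; status=1; }
    done
    return "$status"
}

# ssl_bump_rules: the squid.conf section that makes the list effective.
# server_cert_fingerprint needs the server certificate, which Squid only has
# after peeking (or staring) at the server at step 2. A splice rule reached
# at step 1 cannot match it, and a later "bump all" then wins, so the
# fingerprint decision is made at step 3, after peek at steps 1 and 2.
ssl_bump_rules() {
    cat <<'EOF'
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl NoBump_certificate_fingerprint server_cert_fingerprint "/etc/squid/no-ssl-bump-server-fingerprint.list"

ssl_bump peek step1
ssl_bump peek step2
# step 3: the server certificate is now known, so the ACL can match
ssl_bump splice NoBump_certificate_fingerprint
ssl_bump bump all
EOF
}

# Usage: sh fp.sh server.pem >> /etc/squid/no-ssl-bump-server-fingerprint.list
#        normalize_list < no-ssl-bump-server-fingerprint.list > canonical.list
if [ "$#" -gt 0 ]; then
    fp_of_pem "$1"
fi
```

Two caveats when applying this. Squid's ssl_bump documentation warns that peeking at the server certificate at step 2 usually precludes bumping that connection at step 3 (and that staring usually precludes splicing), so the `bump all` fallback above must be tested against the sites that are meant to be decrypted. And after rewriting the list file, run `squid -k parse` before reloading so a rejected entry shows up in the parser output rather than as a silently non-matching ACL.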



-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid.conf
Type: application/octet-stream
Size: 7195 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210126/6e4f94c4/attachment-0001.obj>

