[squid-users] HTTPS is not working while doing authentication bypass

Renato C. Pacheco renato.camarao at gmail.com
Tue Apr 26 20:58:47 UTC 2022


Hello!

I'm facing an issue with bypassing authentication for some domains. I
followed the official wiki here
<https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass> and it
worked, but every HTTPS request (CONNECT method) to a domain covered by the
exception I made receives an SSL error
(ssl_error_rx_record_too_long). Below are the squid.conf content, the squid
version and the contents of the telemetry exceptions file.

# squid -v
Squid Cache: Version 4.6
Service Name: squid
Debian linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info
' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--di
sable-silent-rules' 'BUILDCXXFLAGS=-g -O2
-fdebug-prefix-map=/build/squid-4.6=. -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTI
FY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
'BUILDCXX=x86_64-linux-gnu-g++' '--with-build-environment=default'
'--enable-build-info=Debian l
inux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline'
'--disable-arch-native'
'--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-i
cap-client' '--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-auth-digest=file,LDAP' '
--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM'
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,S
QL_session,time_quota,unix_group,wbinfo_group'
'--enable-security-cert-validators=fake'
'--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=
fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos'
'--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid'
'--with-logdi
r=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-filedescriptors=65536' '--with-large-files'
'--with-default-user=proxy' '--with-gnutls' '--enabl
e-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CC=x86_64-linux-gnu-gcc'
'CFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=.
-fstack-protector-strong -Wfo
rmat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now
-Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
'CXX=x86_64-linux-gn
u-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/squid-4.6=.
-fstack-protector-strong -Wformat -Werror=format-security'

# cat /etc/squid/squid.conf

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN
auth_param ntlm children 500
auth_param ntlm keep_alive on

auth_param basic program /usr/lib/squid/basic_ldap_auth -b
ou=users,dc=mydomain,dc=com,dc=br -h 10.100.0.1 -p 389 -s sub -v 3 -f
"uid=%s"
auth_param basic children 1000
auth_param basic realm Proxy Server ldap
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off


acl CONNECT method CONNECT
acl password proxy_auth REQUIRED


acl telemetry dstdomain "/etc/squid/exceptions/telemetry"
acl http proto http
acl port_443 port 443
acl port_80 port 80
http_access allow CONNECT port_443 telemetry
http_access allow http port_80 telemetry

http_access allow http port_80 password
http_access allow CONNECT port_443 password
http_access deny all

http_port 3128

acl hasRequest has request
access_log syslog:local4.warning squid hasRequest

visible_hostname proxy.mydomain.com.br

error_directory /usr/share/squid/errors/pt-br

cache_peer 127.0.0.1 parent 8080 0 login=*:password no-digest
no-netdb-exchange
always_direct deny all
never_direct allow all
max_filedesc 65535

# cat /etc/squid/exceptions/telemetry
.data.microsoft.com
.telemetry.microsoft.com

Below is a test accessing https://watson.telemetry.microsoft.com through the proxy with curl:

$ curl --proxy http://myserver:3128 -vk
https://watson.telemetry.microsoft.com/
*   Trying 10.100.1.13:3128...
* TCP_NODELAY set
* Connected to myserver (10.100.1.13) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to watson.telemetry.microsoft.com:443
> CONNECT watson.telemetry.microsoft.com:443 HTTP/1.1
> Host: watson.telemetry.microsoft.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
 CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

With a browser (Chrome):

[image: image.png]


Thanks,
--
Renato Carneiro Pacheco
Security Analyst

http://br.linkedin.com/in/renatocarneirop
http://www.facebook.com/renatocarneirop

*"Não acredite no que eu digo, pois é a minha experiência e não a sua.
Experimente, indague e busque." - *Osho Rajneesh