[squid-users] 4.17 and 5.3 SSL BUMP issue: SSL_ERROR_RX_RECORD_TOO_LONG

Eliezer Croitoru ngtech1ltd at gmail.com
Mon Jan 24 07:42:29 UTC 2022


Hey,

I have been testing both Squid 4.17 and 5.3 (yet to test 6.x)

The issue I have seen is pretty annoying operationally.
Other products on the market resolve this issue with a couple of techniques and I
assume it shouldn't be a problem to configure it.
It's a special case that was raised due to the nature of remote working.
I am connecting to a couple of places with a VPN connection which must force the
remote DNS for a couple of services.
However, not all the traffic is passed via the VPN connection tunnel.
What happens is that the local proxy with ssl bump is using the local
Recursive DNS server while the PC uses the VPN DNS server.
So, I am trying to access http://www.google.com and boom:
I get SSL errors.
I have tried to understand the issue and took a packet capture:
https://cloud1.ngtech.co.il/squid/1.pcapng

I have also seen the cache and access logs, which show the following:
# cache.log
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51831 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51832 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51833 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51834 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51835 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51836 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51837 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51838 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51839 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on
local=142.250.179.228:443 remote=10.200.191.171:51840 FD 16 flags=33 (local
IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:22 kid1| Error negotiating SSL connection on FD 16:
error:00000001:lib(0):func(0):reason(1) (1/-1)
2022/01/24 09:11:26 kid1| SECURITY ALERT: Host header forgery detected on
local=140.82.112.25:443 remote=10.200.191.171:51842 FD 16 flags=33 (local IP
does not match any domain IP)
2022/01/24 09:11:26 kid1| SECURITY ALERT: on URL: alive.github.com:443
## END

# access.log
1643008592.196      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.196      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.196      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.217      5 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.217      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.217      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.232      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.233      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.233      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.247      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.248      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.248      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.265      5 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.266      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.266      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.276      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.276      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.276      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.291      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.291      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.291      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.306      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.306      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.306      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.320      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.320      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.320      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.336      5 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443
- HIER_NONE/- - www.google.com splice
1643008592.336      0 10.200.191.171 NONE/409 4077 CONNECT
www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.336      0 10.200.191.171 NONE/000 0 NONE
error:transaction-end-before-headers - HIER_NONE/- - - -
1643008594.154    145 10.200.191.171 NONE/200 0 CONNECT 104.21.81.98:443 -
ORIGINAL_DST/104.21.81.98 - www.ruby-forum.com bump
## END

Squid returns the response:
HTTP/1.1 409 Conflict
Server: squid/4.17
Mime-Version: 1.0
Date: Mon, 24 Jan 2022 07:13:00 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3680
X-Squid-Error: ERR_CONFLICT_HOST 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from px2-043.ngtech.home
X-Cache-Lookup: NONE from px2-043.ngtech.home:3128
Via: 1.1 px2-043.ngtech.home (squid/4.17)
Connection: close
...

And squid is right indeed.
The local DNS has the following resolution for www.google.com
> www.google.com
Server:  [10.200.191.3]
Address:  10.200.191.3

Non-authoritative answer:
Name:    www.google.com
Addresses:  2a00:1450:4009:80a::2004
          216.58.212.196

While the remote resolution is:
> www.google.com
Server:  DC..XX
Address:  192.168.X.X

Non-authoritative answer:
Name:    www.google.com
Addresses:  2a00:1450:4009:81d::2004
          142.250.179.228

So yes, it's a different IP than expected; however, Squid should have the
option (to my understanding) to handle such cases.
Maybe disable caching or anything else.

The whole server config, i.e. /etc/squid, is at:
http://cloud1.ngtech.co.il/squid/support-save-2022-01-24_09:31:10.tar.gz

I have created a setup which uses mysql to store and dump specific acls
files.
It has a nice Makefile with support-save option which dumps many details on
the machine including the HW and OS most relevant details.
I have tried to patch Squid to "fix" the issue but didn't have enough time to
resolve it.
I hope it will help to add the ability to handle this situation (in the past I
hadn't seen the real need for a solution, and I was wrong).

If any details are missing let me know.
I am pretty sure that there is an open bug for this issue and I am more than
welcome to get a redirection towards it with a link.

Thanks,

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
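As an added diagnostic (not part of the post above, nor Squid's own code): a Python script that pairs each two-line "Host header forgery detected" alert from the cache.log format shown above with the "on URL" line Squid logs right after it, then compares the destination the client actually connected to against the answers the proxy's own resolver gave. The sample log lines are re-joined copies of the entries above, and PROXY_DNS_ANSWERS is a constructed stand-in for the local nslookup output; both are assumptions, not data the page supplies in this form.

```python
import re
from collections import defaultdict

# Constructed sample: cache.log entries from the post, re-joined to one line each (mail wrapping removed).
SAMPLE_CACHE_LOG = """\
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51831 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51832 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:26 kid1| SECURITY ALERT: Host header forgery detected on local=140.82.112.25:443 remote=10.200.191.171:51842 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:26 kid1| SECURITY ALERT: on URL: alive.github.com:443
"""
# Constructed stand-in for what the proxy's own resolver returned (the post's "local DNS" answer).
PROXY_DNS_ANSWERS = {"www.google.com": {"216.58.212.196", "2a00:1450:4009:80a::2004"}}
ALERT_RE = re.compile(r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
                      r"local=(?P<dst>\S+?):\d+ remote=(?P<client>\S+?):(?P<port>\d+)")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+)(?::\d+)?$")


def parse_forgery_alerts(text):
    """Pair each 'Host header forgery' line with the 'on URL' line Squid logs right after it."""
    events, pending = [], None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            pending = {"ts": m["ts"], "dst": m["dst"], "client": m["client"], "port": int(m["port"])}
            continue
        u = URL_RE.search(line)
        if u and pending is not None:
            events.append({**pending, "host": u["host"]})
            pending = None
    return events


def diagnose(events, proxy_dns):
    """Per host: destinations the client used, the proxy's own answers, distinct client sockets
    that tripped the check (a burst within one second is the client retrying), and a verdict."""
    sockets = defaultdict(set)                      # host -> {(dst_ip, client_port)}
    for e in events:
        sockets[e["host"]].add((e["dst"], e["port"]))
    report = {}
    for host, seen in sockets.items():
        dsts, answers = {d for d, _ in seen}, proxy_dns.get(host)
        if answers is None:
            verdict = "no proxy-side answer recorded: resolve the name on the proxy and compare"
        elif dsts & answers:
            verdict = "destination matches the proxy's current answer: answer set changed (TTL/CDN rotation)"
        else:
            verdict = "split DNS: client and proxy resolve this name to different addresses"
        report[host] = {"dsts": sorted(dsts), "proxy_answers": sorted(answers or ()),
                        "attempts": len(seen), "verdict": verdict}
    return report
```

Run it against a real cache.log by replacing SAMPLE_CACHE_LOG with the file contents and filling PROXY_DNS_ANSWERS from a resolver query made on the proxy host itself; a "split DNS" verdict confirms the client/proxy resolver mismatch rather than a genuine Host-header forgery.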
