[squid-users] SSLBUMP for specific domains

andre.bolinhas at articatech.com
Thu Jan 12 21:47:47 UTC 2023


So is it a bug for the 500 or a bad configuration?
I have also tried this setup and it seems to "fix" the tcp_tunnel/500

# Squid 5.x branch
# SSL used for port ID 1, :3128 on
# Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
# SSL Proxy options  Proxy version:5.7 [146]
sslcrtd_program /lib/squid3/security_file_certgen -s /media/squidtmpfs/ssl/ssl_db -M 64MB
sslcrtd_children 32 startup=5 idle=1 queue-size=64
acl AnnotateSSLGBW2 annotate_transaction whitelistssl=yes
#The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
#it means the application knows what certificate to expect when accessing AppStore.
#When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a ‘mimicked’ one;
#the application detects that and refuses to function.
#
acl FakeCert ssl::server_name .apple.com
acl FakeCert ssl::server_name .icloud.com
acl FakeCert ssl::server_name .mzstatic.com
acl FakeCert ssl::server_name .dropbox.com
acl FakeCert ssl::server_name .bnpparisbas
acl SSLInternalNets dst 10.0.0.0/8
acl SSLInternalNets dst 172.16.0.0/12
acl SSLInternalNets dst 192.168.0.0/16
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
acl ssl_step3 at_step SslBump3
include /etc/squid3/ssl_whitelist.conf
acl NotPeek any-of Group26
ssl_bump peek !NotPeek
acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
ssl_bump splice GlobalWhitelistDSTNet AnnotateSSLGBW2
ssl_bump splice ByPassRBL AnnotateSSLGBW2
ssl_bump splice SSLInternalNets AnnotateSSLGBW2
ssl_bump splice FakeCert AnnotateSSLGBW2

# Rules (spliced) added by admins....
# 5 rules...
# -------------- Personal rules -----------------

# id:5
# decrypt_cnn order:0
acl AnnotateSSLW5 annotate_transaction bumprule=5
ssl_bump bump Group26 AnnotateSSLW5
ssl_bump splice all

tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
sslproxy_cert_error allow all
on_unsupported_protocol tunnel all


Basically the change that I made is on the peek step, changing from
ssl_bump peek ssl_step1
to
acl NotPeek any-of Group26
ssl_bump peek !NotPeek

Is this a good idea?


-----Original message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On behalf of Amos Jeffries
Sent: 12 January 2023 21:22
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] SSLBUMP for specific domains

On 13/01/2023 10:04 am, andre.bolinhas wrote:
> Forgot to attach the config file
>
> root at proxy01:~# cat /etc/squid3/ssl.conf
> # Squid 5.x branch
> # SSL used for port ID 1, :3128 on
> # Patch 2020 - 08 - 03 SquidMikrotikEnabled = 0
> # SSL Proxy options  Proxy version:5.7 [146]
> sslcrtd_program /lib/squid3/security_file_certgen -s /media/squidtmpfs/ssl/ssl_db -M 64MB
> sslcrtd_children 32 startup=5 idle=1 queue-size=64
> acl AnnotateSSLGBW2 annotate_transaction whitelistssl=yes
> #The AppStore application in IOS (iPhone, iPad, MacOS) uses SSL Certificate Pinning,
> #it means the application knows what certificate to expect when accessing AppStore.
> #When you enable SSL Bump of HTTPS connections Squid replaces the default certificate with a ‘mimicked’ one;
> #the application detects that and refuses to function.
> #
> acl FakeCert ssl::server_name .apple.com
> acl FakeCert ssl::server_name .icloud.com
> acl FakeCert ssl::server_name .mzstatic.com
> acl FakeCert ssl::server_name .dropbox.com
> acl FakeCert ssl::server_name .bnpparisbas
> acl SSLInternalNets dst 10.0.0.0/8
> acl SSLInternalNets dst 172.16.0.0/12
> acl SSLInternalNets dst 192.168.0.0/16
> acl ssl_step1 at_step SslBump1
> acl ssl_step2 at_step SslBump2
> acl ssl_step3 at_step SslBump3
> include /etc/squid3/ssl_whitelist.conf
> ssl_bump peek ssl_step1
> acl GlobalWhitelistDSTNet dst "/etc/squid3/acls_whitelist.dst.conf"
> ssl_bump splice GlobalWhitelistDSTNet AnnotateSSLGBW2
> ssl_bump splice ByPassRBL AnnotateSSLGBW2
> ssl_bump splice SSLInternalNets AnnotateSSLGBW2
> ssl_bump splice FakeCert AnnotateSSLGBW2
> # IMPRIM_RULE:5
> ssl_bump splice ByPassRBL AnnotateSSLGBW2
> ssl_bump splice GlobalWhitelistDSTNet AnnotateSSLGBW2

FYI, those two lines are duplicates of the first ssl_bump rules. They do nothing here except waste CPU cycles.


> # Rules (spliced) added by admins....
> # 5 rules...
> # -------------- Personal rules -----------------
>
> # id:5
> # decrypt_cnn order:0
> acl AnnotateSSLW5 annotate_transaction bumprule=5
> ssl_bump bump Group26 AnnotateSSLW5
> ssl_bump splice all
>
> tls_outgoing_options options=NO_SSLv3,NO_TICKET cipher=ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL flags=DONT_VERIFY_PEER
> sslproxy_cert_error allow all
> on_unsupported_protocol tunnel all
>
> -----Original message-----
> From: squid-users On behalf of andre.bolinhas
> Sent: 12 January 2023 21:03
> Subject: Re: [squid-users] SSLBUMP for specific domains
>
> Hi Amos
> Thanks for your quick reply. I have done it as in the example, but now, even though internet surfing is OK for all websites, I get too many TCP_TUNNEL/500 in access.log for all the websites that we are not decrypting
>
> 1673531433.924  31315 192.168.60.30 TCP_TUNNEL/500 4096 CONNECT sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0Acategory:%203%0D%0Acategory-name:%20Society%0D%0Aclog:%20cinfo:3-Society;%0D%0A exterr="-|- splice"
> 1673531433.933  31324 192.168.60.30 TCP_TUNNEL/500 4695 CONNECT sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0Acategory:%203%0D%0Acategory-name:%20Society%0D%0Aclog:%20cinfo:3-Society;%0D%0A exterr="-|- splice"
> 1673531437.798  35024 192.168.60.30 TCP_TUNNEL/500 76572 CONNECT www.sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" accessrule:%20ntlm_white_dstdomain%0D%0Awebfilter:%20pass%0D%0Acategory:%203%0D%0Acategory-name:%20Society%0D%0Aclog:%20cinfo:3-Society;%0D%0A exterr="-|- splice"

By the differences on size and the existence of a remote server IP 
address in the log entry, I guess this is 
<https://bugs.squid-cache.org/show_bug.cgi?id=5252>.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
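An added example, not from the thread or the Squid project: a small triage script that applies the heuristic Amos describes (a TCP_TUNNEL/500 entry that still shows a remote server address and a non-zero byte count carried traffic, so the 500 is unlikely to be a genuine tunnel failure) to Squid native-format access.log lines with the extra key=value annotations seen above. The sample lines are constructed to mirror the quoted entries and are not real traffic.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample, not real traffic: the first two lines mirror the shape of the
# TCP_TUNNEL/500 entries quoted in the thread (annotation fields trimmed to mac/exterr);
# the third is a tunnel that never reached any server, the fourth a normal splice.
SAMPLE_LOG = """\
1673531433.924  31315 192.168.60.30 TCP_TUNNEL/500 4096 CONNECT sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" exterr="-|- splice"
1673531437.798  35024 192.168.60.30 TCP_TUNNEL/500 76572 CONNECT www.sapo.pt:443 - HIER_DIRECT/213.13.146.142:443 - mac="d6:8b:66:2a:9b:92" exterr="-|- splice"
1673531440.101    120 192.168.60.31 TCP_TUNNEL/500 0 CONNECT example.invalid:443 - HIER_NONE/- - exterr="-|- splice"
1673531441.512   2034 192.168.60.31 TCP_TUNNEL/200 15321 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34:443 - exterr="-|- splice"
"""

@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    code: str        # Squid result code, e.g. TCP_TUNNEL
    status: int      # HTTP status logged with it
    size: int        # bytes delivered to the client
    method: str
    url: str
    hier: str        # hierarchy code, e.g. HIER_DIRECT
    peer: str        # upstream host:port, "-" when no server was contacted
    extra: dict = field(default_factory=dict)  # key=value annotations

def parse_line(line: str) -> Entry:
    # shlex.split keeps quoted annotation values such as exterr="-|- splice" together.
    f = shlex.split(line)
    code, status = f[3].split("/")
    hier, peer = f[8].split("/", 1)
    extra = dict(kv.split("=", 1) for kv in f[10:] if "=" in kv)
    return Entry(float(f[0]), int(f[1]), f[2], code, int(status), int(f[4]),
                 f[5], f[6], hier, peer, extra)

def looks_like_spurious_500(e: Entry) -> bool:
    """A TCP_TUNNEL/500 that nevertheless records an upstream peer and a non-zero
    byte count carried traffic, so the 500 is unlikely to be a real failure."""
    return e.code == "TCP_TUNNEL" and e.status == 500 and e.size > 0 and e.peer != "-"

def triage(log_text: str):
    """Split TCP_TUNNEL/500 entries into (spurious, genuine) lists."""
    spurious, genuine = [], []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e.code == "TCP_TUNNEL" and e.status == 500:
            (spurious if looks_like_spurious_500(e) else genuine).append(e)
    return spurious, genuine
```

Run `triage()` over a real access.log and compare the two lists: a large spurious list concentrated on spliced hosts points at the logging issue Amos refers to, while genuine entries (no peer, zero bytes) still deserve investigation.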
