[squid-users] Transparent proxy with Peek and Splice feature.

Vadim Rogoziansky vrogoziansky.squid at gmail.com
Thu Nov 27 13:48:37 UTC 2014


Hello Amos.

Thank you for the answer.

An investigation was made into squid's peek and splice 
issues in transparent mode.
The one-line explanation is as follows: in intercept mode squid can't get a 
server host name from the request header and uses the client IP address 
instead, both for fake cert generation and as the SNI record in the server bump 
SSL handshake. This is the root of the problem. However, this can be 
fixed if squid uses the SNI field taken from the client TLS Hello message for 
those purposes. Can you hack squid in this way? What do you think?

Many thanks.


11/26/2014 11:33 AM, Amos Jeffries wrote:
> On 26/11/2014 7:22 a.m., Vadim Rogoziansky wrote:
>> Hello All.
>>
>> My goal is to do ssl bumping in transparent proxy mode with domain
>> exclude possibility. Let me tell you about squid's strange
>> behaviour when I'm trying to do it.
>>
>> In browsers it says something like this: "This server could not
>> prove that it is www.ukr.net; its security certificate is
>> from 212.42.76.253. This may be caused by a misconfiguration or an
>> attacker intercepting your connection.
>> NET::ERR_CERT_COMMON_NAME_INVALID  Subject: 212.42.76.253"
>> Looks like squid takes the CN for the certificate as the IP address of
>> the destination domain.
> Squid takes the IP address from the TCP packet. Which is all that is
> available in NAT intercepted traffic at bumping step #1.
>
> The ACLs you have therefore determine that "bump" action is to happen.
> Correct?
>
> The cert details are therefore mimicked from what gets delivered by
> the server.
>
> It may be that the server is depending on SNI to generate its own
> cert, but since Squid does not have that domain name already an
> IP-based cert comes back.
>
> It may also be that some ISP upstream of you is bumping the encryption
> with client-first method.
>
>
>
>> But everything works smoothly when I use the proxy in non-transparent
>> mode and put it in the browser directly.
> In which case the browser sends domain name to the proxy in its
> CONNECT message starting the HTTPS. The possible results are very
> different.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


