[squid-users] can't get bump to work anymore on 3.5.7?

Jason Haar Jason_Haar at trimble.com
Thu Aug 20 00:42:17 UTC 2015 

On 20/08/15 03:36, Alex Rousskov wrote:
> SNI is obtained during step #1. Peeking during step #1 does _not_
> preclude future bumping.

thanks for persisting with me Alex - I got there in the end! :-)

That looks a lot better, my config is now

root# egrep -i 'crtd|bump|ssl:|checkIfHTTPS' squid.conf
ssl-bump.inc|grep -v '#'
squid.conf:http_port 3128 ssl-bump cert=/etc/squid/squidCA.cert 
generate-host-certificates=on dynamic_cert_mem_cache_size=256MB options=ALL
squid.conf:https_port 3129 intercept ssl-bump
cert=/etc/squid/squidCA.cert  generate-host-certificates=on
dynamic_cert_mem_cache_size=256MB options=ALL
squid.conf:include /etc/squid/ssl-bump.inc
squid.conf:logformat logdetails %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm
%ru %[un %Sh/%<a %mt %ssl::>sni %ssl::>cert_subject
ssl-bump.inc:sslcrtd_program /usr/lib64/squid/ssl_crtd -s
/var/lib/squid/ssl_db -M 256MB
ssl-bump.inc:sslcrtd_children 32 startup=15 idle=5
ssl-bump.inc:acl DiscoverSNIHost at_step SslBump1
ssl-bump.inc:ssl_bump peek DiscoverSNIHost
ssl-bump.inc:acl NoSNIpresent ssl::server_name_regex ".*"
ssl-bump.inc:acl NoSSLIntercept ssl::server_name_regex -i
"/etc/squid/acl-NoSSLIntercept.txt"
ssl-bump.inc:external_acl_type checkIfHTTPS children-max=20
concurrency=20 negative_ttl=3600 ttl=3600 grace=90  %SRC %DST %PORT
%ssl::>sni /usr/local/bin/confirm_https.pl
ssl-bump.inc:acl is_ssl external checkIfHTTPS
####ssl-bump.inc:ssl_bump splice !NoSNIpresent
ssl-bump.inc:ssl_bump splice NoSSLIntercept
ssl-bump.inc:ssl_bump bump is_ssl

So now I can:

1.  ###dynamically whitelist/splice non-SNI traffic via it's existence
(commented because it didn't work - ended up splicing everything)
2.  statically whitelist/splice cert pinning apps via acl "NoSSLIntercept"
3.  dynamically whitelist/splice some classes of websites (eg banks) by
external process checkIfHTTPS
4.  bump the rest

Can't get that "###" one to work. How do I create an acl that will match
when there's any SNI - so that I can splice anything that hasn't got it?

The only remaining question I have is about SSL session resumption. If a
*bumped* session uses resumption - that's purely a squid issue  - so I
suspect that would always work? (including intercept mode?). And if it's
a spliced session, then all squid can do is allow it anyway (because in
my config, I want to splice anything that hasn't got SNI) - so that
would also work?


> Please note that doing so will give you no knowledge about the SSL
> server point of view. All your decisions will be based on what the
> client has told you. This is often not a problem because, in most cases,
> if the client lied, the [bumped or spliced] connection to the SSL server
> will not work anyway. However, if the client supplied no SNI
> information, then your "bank" ACL (or equivalent) may not have enough
> information to go on, especially for intercepted connections.

My only desire for doing TLS intercept is to introduce content filtering
(ie AV). So I  am quite happy throw away (ie splice) old SSL plus
non-HTTPS sessions - as the primary target I'm after is people in web
browsers downloading viruses from https://dropbox.com, etc (which aren't
old SSL: a hacker who deliberately brings up a SSLv2 system in order to
subvert my assumption is welcome to - try finding a web browser that
will talk to it :-). People who bash their way through multiple layers
of browser warning popups/etc in order to get infected are out of scope ;-)


Thanks again for your help Alex. Hopefully this conversation will be
useful for others. TLS intercept is a bit of a step up in complexity
over standard TCP ;-)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the squid-users mailing list