[squid-users] Deny Access based on SSL-Blacklists (SHA1-Fingerprint) with ssl_bump

Tom Tom tomtux007 at gmail.com
Fri Dec 11 05:33:11 UTC 2015


Bug created: http://bugs.squid-cache.org/show_bug.cgi?id=4394

On Thu, Dec 10, 2015 at 9:10 PM, Tom Tom <tomtux007 at gmail.com> wrote:
> Hi Alex
>
> I've tested again. Squid (3.5.11) only terminates the connection
> (based on SHA1-Fingerprint) *if* the fingerprint is delimited with
> colons. If not, squid GETs the https-request as usual. I'll report a
> bug.
>
> With SHA1-FP (delimited):
> 41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32 in the
> config-file, Squid terminates the connection as expected:
> $ curl -x proxy:3128 -I -k -L https://www.yahoo.com
> HTTP/1.1 200 Connection established
> curl: (35) Unknown SSL protocol error in connection to www.yahoo.com:443
>
>
> With SHA1-FP (not delimited): 413072F803CE961210E9A45D10DA14B0D2D48532
> in the config-file, squid GETs the site:
> $ curl -x proxy:3128 -I -k -L https://www.yahoo.com
> HTTP/1.1 200 Connection established
>
> HTTP/1.1 200 OK
> Date: Thu, 10 Dec 2015 20:06:11 GMT
> P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR
> CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi
> UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE
> LOC GOV"
> X-Frame-Options: DENY
> Strict-Transport-Security: max-age=2592000
> ...
> ....
>
> Kind regards,
> Tom
>
> On Mon, Dec 7, 2015 at 10:30 PM, Alex Rousskov
> <rousskov at measurement-factory.com> wrote:
>> On 12/07/2015 02:05 PM, Tom Tom wrote:
>>> The configuration provided by Alex works for me (squid 3.5.11)
>>
>> Thank you for testing and helping expose problems.
>>
>>
>>> if:
>>> * the http_port-directive is configured with ssl-bump and a
>>> certificate (ex. http_port 3128 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB cert=/usr/local/certs/myCA.pem)
>>
>> ssl-bump is required to access SSL/TLS peeking code. No way around that
>> today, although future Squid versions may provide something like an
>> ssl-peek port option that tells Squid that no bumping, for any reason
>> (including error serving), is permitted on that port.
>>
>> Specifying root CA is required to serve certificate validation (and
>> other) errors, but we probably should be more flexible and allow no-CA
>> splice-or-terminate configurations as well.
>>
>> Related enhancement requests in bugzilla are welcome, especially if
>> they are followed by quality patches.
>>
>>
>>> * the SHA1-fingerprint in the file SSL_BLACKLISTS is delimited after
>>> two characters with a colon
>>> (9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50 for
>>> ar***krebs.de)
>>
>> If Squid silently misinterprets colon-less fingerprints, it is a bug
>> that should be reported and fixed. Squid should either interpret them
>> correctly or exit with a configuration error.
>>
>>
>> Thank you,
>>
>> Alex.
>>
>>
>>
>>> On Mon, Dec 7, 2015 at 4:02 PM, Alex Rousskov
>>> <rousskov at measurement-factory.com> wrote:
>>>> On 12/07/2015 04:37 AM, Ralf Hildebrandt wrote:
>>>>> * Alex Rousskov <rousskov at measurement-factory.com>:
>>>>>> Please note that if you do not want to bump anything, then the following
>>>>>> should also work (bugs notwithstanding):
>>>>>>
>>>>>>     ssl_bump splice whitelist
>>>>>>     ssl_bump peek all
>>>>>>     ssl_bump terminate blacklist
>>>>>>     ssl_bump splice all
>>>>>
>>>>> That doesn't seem to work for me (squid 3.5.2)
>>>>
>>>>> Yet I still can connect. What am I doing wrong?
>>>>
>>>> If you are indeed using v3.5.2, then that is a big red flag.
>>>>
>>>> If you are using the latest v3.5 release, then you should open a bug
>>>> report, preferably with an ALL,9 log depicting a single failing
>>>> transaction. AFAICT, the above is meant to work. If it does not, there
>>>> is either a Squid bug or misconfiguration [that I cannot detect by
>>>> reading email].
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Alex.
>>>>
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
>>>
>>


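The thread turns on a single detail: a fingerprint listed without colons is silently ignored by the `ssl_bump terminate blacklist` rule, while the `XX:XX:...` form is matched. Until a Squid with the fix is in place, the practical check is to normalize the fingerprint file before Squid reads it and to reject anything that is not a 40-hex-digit SHA1 value. The script below is an added example written for this page, not code from the thread or from the Squid project. It assumes the blacklist file holds one fingerprint per line with `#` comment lines (the layout used with a file-backed `acl blacklist server_cert_fingerprint "/path/SSL_BLACKLISTS"` line), and the sample file contents are constructed, reusing the two fingerprints quoted in the thread.

```python
#!/usr/bin/env python3
"""Normalize a Squid server_cert_fingerprint blacklist to the XX:XX:... form.

Added example for the squid-users thread above; not Squid project code.
Assumption: one SHA1 fingerprint per line, '#' lines are comments.
"""
import hashlib
import re
import sys

# Constructed sample SSL_BLACKLISTS file. Lines 2 and 4 reuse the two
# fingerprints quoted in the thread; line 3 is the colon-less (lowercase)
# spelling that Squid 3.5.11 silently fails to match; lines 5 and 6 are
# deliberately malformed.
SAMPLE_BLACKLIST = """\
# SHA1 fingerprints of server certificates to terminate
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85:32
413072f803ce961210e9a45d10da14b0d2d48532
9E:C8:15:3F:27:C9:B5:BA:B9:17:49:C8:0A:D7:DF:21:D3:8C:80:50
41:30:72:F8:03:CE:96:12:10:E9:A4:5D:10:DA:14:B0:D2:D4:85
not-a-fingerprint
"""

# A SHA1 fingerprint is exactly 20 bytes, i.e. 40 hex digits once colons are gone.
HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(entry):
    """Return the canonical uppercase XX:XX:...:XX form of one entry.

    Accepts colon-delimited or bare hex in either case. Returns None for
    anything that is not a 20-byte SHA1 value, so it can never be silently
    turned into a rule that matches nothing.
    """
    hexonly = entry.strip().replace(":", "").upper()
    if not HEX40.match(hexonly):
        return None
    return ":".join(hexonly[i:i + 2] for i in range(0, 40, 2))


def normalize_blacklist(text):
    """Split file text into (good, bad).

    good: list of canonical fingerprints, in file order, duplicates dropped.
    bad:  list of (line_number, original_line) for entries that fail validation.
    """
    good, bad, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fp = normalize_fingerprint(stripped)
        if fp is None:
            bad.append((lineno, stripped))
        elif fp not in seen:
            seen.add(fp)
            good.append(fp)
    return good, bad


def sha1_fingerprint(der_bytes):
    """SHA1 fingerprint of a DER-encoded certificate in the same colon form.

    This is the digest Squid compares against (SHA1 over the whole DER
    certificate), so output of this helper can be appended to the file.
    """
    return normalize_fingerprint(hashlib.sha1(der_bytes).hexdigest())


def render_blacklist(good):
    """Produce file contents Squid can load: one canonical fingerprint per line."""
    return "# normalized SHA1 server certificate fingerprints\n" + "".join(
        fp + "\n" for fp in good)


def main(argv):
    # Usage: normalize_blacklist.py SSL_BLACKLISTS > SSL_BLACKLISTS.new
    # With no argument the constructed sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_BLACKLIST
    good, bad = normalize_blacklist(text)
    for lineno, line in bad:
        print("line %d: rejected %r (not a 40-hex-digit SHA1)" % (lineno, line),
              file=sys.stderr)
    sys.stdout.write(render_blacklist(good))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over the real file and only deploy the rewritten output; a non-zero exit means at least one line would have been silently ignored by the proxy. Reloading Squid with `squid -k reconfigure` after replacing the file is still required for the ACL to pick up the changes.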