[squid-users] CVE-2009-0801

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 21 22:20:00 UTC 2015


On 22/12/2015 2:34 a.m., dc wrote:
> 
> Am 19.12.2015 um 00:52 schrieb Amos Jeffries:
>> Why not?
>> * NAT/TPROXY is mandatory to happen on the Squid machine directly since
>> kernel and Squid are performing integrated operations.
>> * PROXY protocol passes the ORIGINAL_DST explicitly over the wire.
>> * SSL-Bump all happens "inside Squid".
>>
>> Those are the only forms of interception Squid supports.
>>
> Thanks for making that clear! I fixed my setup accordingly. Squid now
> gathers original IP addresses from NAT.
> I also enabled host_verify_strict, which should make sure requests are
> always sent to correct IP addresses. Is there an equivalent setting for
> peek-and-spliced HTTPS connections? Or does host_verify_strict cover
> that case as well? This would be important, since otherwise a malicious
> application could bypass the whitelist ACLs I have installed.

The SSL-Bump code is still undergoing polishing and still very much
experimental / volatile, so YMMV on vulnerability but it won't be
CVE-2009-0801.

That is just because the situation is rather different with TLS/SSL.
Server certificates are involved to authenticate the connection level
details. The TLS connections with server-first style of bumping are also
set up and pinned at the TCP layer before HTTP messages get involved. So
the outbound connection has nothing to do with the HTTP message Host
header on the intercepted/decrypted messages.

Amos
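As an added illustration, not taken from this thread or from the Squid project's own documentation, here is a squid.conf fragment for the kind of setup dc describes: NAT interception on the Squid host itself, host_verify_strict for plain HTTP, and peek-and-splice for TLS with a destination whitelist. The port numbers, client network, certificate path and whitelist file are assumptions; the point it shows is that a spliced connection carries no decrypted Host header, so the whitelist has to be applied to the peeked SNI (ssl::server_name) while the server side of the splice is pinned to the NAT ORIGINAL_DST.

```conf
# Interception ports. NAT/TPROXY must run on this same machine, because
# Squid asks the kernel for ORIGINAL_DST of each intercepted connection.
# Port numbers are assumptions; match them to the REDIRECT/TPROXY rules.
http_port  3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/etc/squid/ssl/bump.pem

# Plain HTTP: refuse requests whose Host header does not agree with the
# ORIGINAL_DST the kernel reported (the CVE-2009-0801 class of problem).
host_verify_strict on

# Assumed client network and whitelist file (one domain per line,
# leading dot for subdomains, e.g. ".example.com").
acl localnet src 192.168.1.0/24
acl whitelist dstdomain "/etc/squid/whitelist.txt"

# TLS: the same whitelist, but matched against the SNI that Squid peeks at
# during SslBump step 1. A spliced server connection goes to ORIGINAL_DST
# and is pinned at the TCP layer before any HTTP message exists, so a
# client cannot steer it with a Host header.
acl step1 at_step SslBump1
acl tls_whitelist ssl::server_name "/etc/squid/whitelist.txt"

http_access deny !localnet
http_access allow whitelist
http_access allow tls_whitelist
http_access deny all

ssl_bump peek step1
ssl_bump splice tls_whitelist
ssl_bump terminate all
```

Squid also evaluates http_access on the fake CONNECT it builds for an intercepted TLS connection, first with the ORIGINAL_DST ip:port and again once the SNI is known, so check access.log for unexpected denials at step 1 before trusting the whitelist behaviour.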