[squid-users] Squid 3 SSL bump: Google drive application could not connect

Eliezer Croitoru eliezer at ngtech.co.il
Mon Jan 5 09:59:16 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Yuri,

Indeed there are other *NIX systems and for each and every one of them
there is a solution in need.

SSL Pinned destinations cannot be identified automatically since the
are pinned inside a software and the certificate will not show
anything about that.
The basic tests we can do are:
- - The host is using ssl or tls or not at all(based on the selective
answer of the service)
- -
- - If the connection is using tls\ssl then inspect the components of
the certificate(such as rootCA validation against the local machine
certificates DB)

Depend on the goal of the certificate validation the decision will be
made to either allow the connection "uninspected" or to "bump" it as
is without any smart identification.

If indeed there is a database
sqlite3\mysql\postgres\redis\memcached\others it can be used in the
iptables level.
Also a point in this DB and this cache is that it will be persistent
so what so ever the *NIX system is there is an option once the IP +
port was tagged as non-bump-able it is better be in the FIREWALL level
override better then squid external_acl.
Reason: If the kernel does what it needs to do then squid should not
touch the packets.
It's not always right but it's a point in the issue.
I still do not know how to work with NFQUEUE and I am sure that there
is an option to make a fast decision and if not then let the
connection be BUMPED.

I have written a small golang script that can check couple things
about the ssl session at:
http://www1.ngtech.co.il/squid/ssl_helpers/ssl_validator.go

Besides this helper there is another script which do couple things in
another level.

##########
If any thing will be decided for squid internals it will be after a
proof of concept that we can implement together.
Can we take this thread to storm and put on the table a proof of
concept logic for ssl inspection\bumping and bypassing?

Eliezer

On 01/05/2015 10:40 AM, Yuri Voinov wrote:
> Sounds good,
> 
> but server world is not end on Linux. ;)
> 
> Now exists another *NIX systems. And will exists further.
> 
> Also. I have an idea, gents.
> 
> Do we can easy and quickly detect SSL Pinned destinations? And
> remember it, for example, in database?
> 
> In another words - both problems is similar. Either non-HTTPS
> traffic over 443 port, or pinned certs.
> 
> Can we detect both of them automatically and add to exclude list?
> 
> WBR, Yuri

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJUqmB0AAoJENxnfXtQ8ZQUPKkH/RQmpV8bVcQ1HKMWYLgzDIY1
qcW5AtSsiuuSQsDjew336/jE6WajfT3e5jKvvEKnLc993klJJcxlpETMRfqA+ekK
nMnycoMGSX66bgnKb/TX2PBdUNqYj3WsC5ujDyQ/37VBYY7NNIc95VR5W460jj+F
X9/sErTOsgy2/cYJ3Mz1+sHzH/IleehnosAtWaPBqXPCvi8Q4ud+SUFa8O3xgTPG
7BMM26prgMT0C8mpC/GRnMydEn4Pir3E5FEgkNZmMB7ZeQuHp0ZVKwUzvHqW/WP3
7pUydl3JKn1KP4bo1gXNO5m1Bf+X3xa9OiUTbzZ7VFrVPxXa7gOVKgZdCWpktcg=
=K9bZ
-----END PGP SIGNATURE-----


More information about the squid-users mailing list