[squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?

Daniel Greenwald dig at digcorp.net
Mon Jan 26 16:14:37 UTC 2015


call it what you want, it works :)

-----------
Daniel I Greenwald



On Mon, Jan 26, 2015 at 10:51 AM, Yuri Voinov <yvoinov at gmail.com> wrote:

>
> Daniel,
>
> well,
>
> but AFAIK the server-first directive is deprecated in 3.5.x.
>
> Hmmmmmm?
>
> On 26.01.2015 19:37, Daniel Greenwald wrote:
> > See below. Nothing else too interesting. Those four lines were the key.
> >
> > http_port 3128
> > http_port 3180 intercept
> > https_port 3443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
> > sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
> > sslcrtd_children 10
> > logformat dig %{%Y-%m-%d %H:%M:%S}tl  %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A "%{User-Agent}>h"
> > logfile_rotate 10
> > access_log /var/log/squid/access.log dig
> > pinger_enable off
> >
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > ssl_bump peek step1 all
> > ssl_bump server-first step2 all
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80 443
> > acl CONNECT method CONNECT
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> >
> > http_access allow localhost manager
> > http_access deny manager
> > http_access deny to_localhost
> >
> > http_access allow all
> > http_access deny all
> >
> > # Uncomment and adjust the following to add a disk cache directory.
> > #cache_dir ufs /var/spool/squid 100 16 256
> >
> > # Leave coredumps in the first cache dir
> > coredump_dir /var/spool/squid
> >
> > #
> > # Add any of your own refresh_pattern entries above these.
> > #
> > refresh_pattern ^ftp:        1440    20%    10080
> > refresh_pattern ^gopher:    1440    0%    1440
> > refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> > refresh_pattern .        0    20%    4320
> >
> >
> >
> >
> >
> > -----------
> > Daniel I Greenwald
> >
> >
> >
> > On Mon, Jan 26, 2015 at 3:28 AM, Rafael Akchurin <rafael.akchurin at diladele.com> wrote:
> >
> >     Hello Daniel, Yuri
> >
> >
> >     May be you could dump your whole squid.conf here (please remove any
> sensitive details).
> >
> >     I still cannot understand once Squid has the target server hostname
> from SNI - where is the acl/rule in squid.conf that can be used with this
> info present?
> >
> >
> >     Best regards,
> >
> >     Rafael
> >
> >
> >     -------------------------
> >     *From:* squid-users <squid-users-bounces at lists.squid-cache.org> on behalf of Daniel Greenwald <dig at digcorp.net>
> >     *Sent:* Monday, January 26, 2015 5:39 AM
> >     *To:* Yuri Voinov
> >     *Cc:* squid-users at lists.squid-cache.org
> >     *Subject:* Re: [squid-users] Why 3.5.0.4 generates mimicked certs with server IP only when bumping?
> >
> >     Thank you Amos,
> >     Based on your explanation I was able to make bumping work for
> > transparent with no browser errors in 3.5.1 by using the following. If I
> > understand correctly, this is actually what's required to mimic the behavior
> > of pre-3.5 (ssl_bump server-first all):
> >
> >     acl step1 at_step SslBump1
> >     acl step2 at_step SslBump2
> >     ssl_bump peek step1 all
> >     ssl_bump server-first step2 all
> >
> >     Hope that helps Yuri or any one else with this issue.
> >
> >     PS So far this is working great for e.g. gmail.com, which in the
> > previous version would throw browser errors!
> >
> >     -----------
> >     Daniel I Greenwald
> >
> >
> >
> >     On Fri, Jan 9, 2015 at 2:51 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> >
> >
> > How can that be?
> >
> > All HSTS sites cry with the 3.5 bump option - they don't like the host IP as CN;
> > other sites' behaviour depends on their (and the browsers') settings.
> >
> > Is it possible to keep server-first behaviour in 3.5.x ?
> >
> > WBR, Yuri
> >
> > On 09.01.2015 16:57, Amos Jeffries wrote:
> > > On 9/01/2015 11:45 p.m., Yuri Voinov wrote:
> >
> > > > I have working production 3.4.10 with working ssl bumping.
> >
> > > > Config was the same as working 3.4.10. I've just want to take a
> > > > look on new release.
> >
> > > > In squid.documented it is said that backward compatibility for the
> > > > server-first and none options of ssl_bump is kept.
> >
> > > > But:
> >
> > > > Neither works with old syntax, nor new.
> >
> > > > Looks like the target https hosts are not resolved and bump got only the IP.
> >
> > > The config values are still accepted, but there is an extra bumping
> > > stage now before the SNI is available.
> >
> > > You are wanting to peek at stage 1 (to get the client SNI details) and
> > > server-first/splice at stage 2 (using the domain). Otherwise all Squid
> > > works with when intercepting is the TCP IPs.
> >
> > > Amos
> >
> >
> >
> >
>
>
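An added configuration example (not from the thread, not Squid's own documentation) that puts the 3.4 one-liner, the 3.5 two-step form Daniel posted, and an equivalent using the non-deprecated 3.5 actions side by side. Paths, the CA file and the helper settings are taken over from Daniel's config; the `.example.com` splice entry is a placeholder for hosts you do not want to bump.

```conf
# Added example for Squid 3.5 transparent (intercept) SSL bumping.
# Paths and CA file follow Daniel's config above; host names are placeholders.

# One-time setup (shell, not squid.conf):
#   openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
#       -keyout /usr/local/squid/ssl_cert/myCA.pem -out /usr/local/squid/ssl_cert/myCA.pem
#   /usr/lib64/squid/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db -M 16MB
#   (ssl_db must be writable by the Squid effective user)

https_port 3443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 16MB
sslcrtd_children 10

# (a) The 3.4 form. In 3.5 this decides at step 1, before the TLS client
#     hello has been read, so in intercept mode the only name Squid has is
#     the TCP destination IP and the mimicked cert gets that IP as its CN.
#ssl_bump server-first all

# (b) What Daniel posted: peek at step 1 so the SNI is read, then
#     server-first at step 2 with the host name available. Works, but
#     server-first is a deprecated action in 3.5.
#acl step1 at_step SslBump1
#acl step2 at_step SslBump2
#ssl_bump peek step1 all
#ssl_bump server-first step2 all

# (c) Same effect with the 3.5 actions: peek at step 1; at step 2 splice
#     (pass through untouched) hosts matched by their SNI name, bump the rest.
acl step1 at_step SslBump1
acl no_bump ssl::server_name .example.com
ssl_bump peek step1
ssl_bump splice no_bump
ssl_bump bump all
```

`ssl::server_name` matches the SNI that the peek at step 1 exposed, so a client that sends no SNI still only yields an IP at step 2; the `http_access` part of Daniel's config is unchanged by any of the three variants.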
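An added check script (shell, not part of the thread) for the symptom in the subject line: fetch the certificate a client actually receives and test whether its CN/SAN covers the host name or only carries an IP. HOST and PROXY arguments are placeholders, the `bumpcheck.sh` file name is assumed, and it needs OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the certificate a client
# receives names the host (CN or SAN) or only carries the server IP.
# Assumes OpenSSL >= 1.1.1 on PATH; HOST and PROXY arguments are placeholders.

# Fetch the leaf certificate presented for HOST ($1) as PEM. With a second
# argument, go through an explicit proxy (HTTP CONNECT); without it, connect
# directly, which is what an intercepted client does.
fetch_server_cert() {
    if [ -n "${2-}" ]; then
        openssl s_client -connect "$1:443" -servername "$1" -proxy "$2" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509 -outform PEM
}

# Show the subject and subjectAltName of a PEM certificate file.
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Return 0 if the certificate in file $1 is valid for host name $2
# (SAN dNSName, or CN when no dNSName SAN is present), else 1.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match certificate'
}

# Stand-alone usage: sh bumpcheck.sh HOST [PROXY_HOST:PORT]
if [ $# -ge 1 ]; then
    tmp=$(mktemp)
    fetch_server_cert "$1" "${2-}" >"$tmp"
    cert_names "$tmp"
    if cert_covers_host "$tmp" "$1"; then
        echo "OK: certificate covers $1"
    else
        echo "MISMATCH: certificate does not cover $1 (IP-only mimicked cert?)"
    fi
    rm -f "$tmp"
fi
```

Run it from a client behind the intercepting proxy against a site that failed before the config change; an IP-only mimicked certificate shows up as `subject=CN = <ip>` with no SAN and a MISMATCH line.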