[squid-users] peek/splice working with lynx but not with firefox or chrome

Roel van Meer roel at 1afa.com
Tue Mar 10 14:28:23 UTC 2015


Amos Jeffries writes:

> > The relevant portions of squid.conf:
> >
> >  https_port 192.168.13.1:3130 intercept ssl-bump options=ALL cert=/etc/ssl/certs/server.pem
>
> With "options=ALL" you have enabled all features in the OpenSSL library
> including features which can cause the popular modern browsers to view
> Squid as a dangerously insecure server.

I also tried it without options=ALL. The reason I enabled it was that the  
documentation says:

  Enable various bug workarounds suggested as "harmless" by OpenSSL
  Be warned that this reduces SSL/TLS strength to some attacks.

This seemed useful to me.

> >  acl step1 at_step SslBump1
> >  acl step2 at_step SslBump2
> >  acl step3 at_step SslBump3
> >
> >  ssl_bump peek step1
> >  ssl_bump peek step2
> >  ssl_bump splice all
> >
>
> There's nothing in the above which uses SNI. All that does is cause Squid
> to explicitly look at the TLS handshake that is going on. Then to
> splice the two connections together as if it weren't there.

Yes, I know. I would use something like this for that:

  external_acl_type sg1t %URI %SRC %METHOD %ssl::>sni /tmp/test.sh
  acl sg1 external sg1t
  ssl_bump terminate step3 sg1

which does work. In the test script, I can either allow or reject a  
connection based on the SNI that is passed in (if one is).
I have no trouble there, only with the peek/splice stuff.

I'm trying to get peek/splice to work on all intercepted https connections.  
As soon as that works, I can do fancy stuff with SNI. But when I enable  
peek/splice as in the config above, I can no longer connect to https sites  
from Chrome and Firefox, so that is what I need to solve first. Sorry if I  
was unclear.

> >  sslproxy_cert_error allow all
> >  sslproxy_flags DONT_VERIFY_PEER
>
> Then you are explicitly disabling the checks to ensure the connections
> Squid uses to send the clients' private data to servers are secure.

Yes, I am, but since I'm only splicing the connection, the browser itself  
should be able to get the original certificate sent by the server, and  
handle it appropriately. Or am I mistaken there?

> > I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1.
> > Traffic is redirected from port 443 to 3130 with iptables.
>
> ... and with an older version of OpenSSL missing many of the last few
> years' worth of TLS crypto features. IIRC the library releases are now up
> to 1.1.* or something. It's best to keep that kind of thing operating on the
> latest versions.

I know it is missing the latest features, but security patches are backported.
And I know it is old, but it's what I have to work with now.
Do you think it might be the cause of the problem I'm having with  
peek/splice, or was it a general recommendation?

> It may sound silly but, do all those browsers even support SNI on your
> OS with the crypto libraries they use?

Ah, I should have said, Chrome and FF are on Windows 7.

Thanks,

Roel
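As an added illustration of the "allow or reject a connection based on the SNI" helper mentioned above (example code, not the script from the thread): a small external_acl_type helper that answers OK (so the `ssl_bump terminate` rule fires) when the SNI is on a constructed blocklist, and ERR otherwise. Assumed, not stated in the thread: Squid hands the four format fields over space separated with "-" for a missing SNI, and the script is started as `/tmp/test.sh serve` so the stdin loop only runs under Squid.

```shell
#!/bin/sh
# Squid external_acl_type helper, an added example for a line such as
#   external_acl_type sg1t %URI %SRC %METHOD %ssl::>sni /tmp/test.sh serve
# Reads one request per line on stdin ("URI SRC METHOD SNI") and answers
# "OK" when the connection should be terminated, "ERR" otherwise.
# Assumptions (not from the thread): fields are space separated and a
# missing SNI is sent as "-".

# Constructed blocklist; subdomains of these names are blocked too.
BLOCKED_DOMAINS="bad.example.test tracker.example.test"

# normalize_sni HOST: lower-case and strip a trailing dot; prints "" for "-".
normalize_sni() {
    case "$1" in
        -|"") printf '\n'; return ;;
    esac
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# sni_is_blocked HOST: succeeds if HOST equals or lies under a blocked domain.
sni_is_blocked() {
    host=$(normalize_sni "$1")
    [ -n "$host" ] || return 1
    for d in $BLOCKED_DOMAINS; do
        [ "$host" = "$d" ] && return 0
        case "$host" in *".$d") return 0 ;; esac
    done
    return 1
}

# decide URI SRC METHOD SNI: prints the reply Squid expects for one line.
decide() {
    if sni_is_blocked "$4"; then printf 'OK\n'; else printf 'ERR\n'; fi
}

# run_helper: the stdin/stdout loop Squid drives, one reply per input line.
run_helper() {
    while read -r uri src method sni _rest; do
        decide "$uri" "$src" "$method" "$sni"
    done
}

# Only enter the blocking loop when started as "/tmp/test.sh serve".
if [ "${1:-}" = "serve" ]; then
    run_helper
fi
```

A connection with no SNI gets ERR here, so it is spliced rather than terminated; flip that branch in `decide` if the policy is to refuse SNI-less clients.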
