[squid-users] Squid ignores crlfile options
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 1 13:51:56 UTC 2015
On 1/10/2015 11:54 p.m., Sebastian Kirschner wrote:
> Hi
>
> I'm using squid (3.5.9) as a transparent https proxy with build options (see below) and config (see below, I removed some uninteresting things from the config like caching).
>
> To get the system more secure I would like to add crl checking (at the moment static, later maybe dynamic if it's possible with my skills :-) ) and ocsp (later).
> I´m using the site https://revoked.grc.com/ to test my config.
> To do it I downloaded the certificate from the site, checked if a CRL URI is available and downloaded the crl.
> Converted the format of the crl from DER to pem and inserted it in my squid.conf: "crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL".
>
> I tested the "crl.pem" with openssl and the site https://revoked.grc.com/ is revoked in the crl.
>
> But why does squid seem to ignore the crlfile option / file?
Because it is only relevant on http(s)_port when there is TLS client
certificate authentication being verified. You do not have that configured.
> Also I tested using the crl in DER format but it still wouldn't work, and I didn't even see an error in the log when the file isn't available.
It is not even loaded unless the clientca= is configured. Which turns on
client cert authentication.
If you mean it to be used to verify the *server* certificates then you
need to configure sslproxy_crlfile instead.
> #config
> http_port local.ip.adress:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/ crlfile=/tmp/crl/glob.pem sslflags=VERIFY_CRL
>
> icp_port 0
This is a default, remove the icp_port line.
> dns_v4_first on
> pid_filename /var/run/squid/squid.pid
This is a default, remove the pid_filename line.
> cache_effective_user proxy
> cache_effective_group proxy
Check your build options (squid -v): your proxy is built to use the
account 'squid'. It is usually a good idea to stick with the
> error_default_language de-de
> icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
> visible_hostname pfsense
visible_hostname needs to be an FQDN and publicly resolvable. It is the DNS
hostname people use to access your proxy for these icons you configured
(amongst other things).
> cache_mgr admin at pfsense-onesty.loc
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> cache_store_log none
This is a default, remove the cache_store_log line.
> netdb_filename /var/squid/logs/netdb.state
> pinger_enable on
> pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
This is probably a default too, if so remove the pinger lines. It will
run unless disabled.
> sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
> sslcrtd_children 5
>
> logfile_rotate 7
> debug_options rotate=7
> shutdown_lifetime 3 seconds
> acl localnet src local.network.range
> forwarded_for on
This is a default, remove the forwarded_for line.
> uri_whitespace strip
>
> acl dynamic urlpath_regex cgi-bin ?
> cache deny dynamic
Remove the above if you want to actually cache much content. Squid has
been okay with caching this stuff since 2.7.
>
> acl allsrc src all
Don't. Really. "all" is a built-in ACL, just use it.
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
> acl sslports port 443 563
>
> acl purge method PURGE
> acl connect method CONNECT
>
> acl HTTP proto HTTP
> acl HTTPS proto HTTPS
> acl allowed_subnets src local.network.range
You defined localnet to that already. Meaning you can replace all uses
of "allowed_subnets" with "localnet".
> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
> http_access allow manager localhost
>
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
Best practice is now to move all the above http_access lines with their
slow and DoS-vulnerable ACL processing down below the CONNECT line
following...
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> request_body_max_size 0 KB
Seriously? POST and PUT are forbidden to send data anywhere?
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow allsrc
Hmm. A delay pool that does not do anything, and every byte of traffic
is processed through it.
Completely useless waste of CPU cycles and memory. Remove all of the
above lines.
>
> always_direct allow whitelist
You don't use cache_peer. The above line is useless. Remove it.
> ssl_bump none whitelist
Do not mix deprecated bumping modes with non-deprecated.
Use "splice" instead of "none" in the above rule...
Then notice that the dstdom_regex ACL will not work in ssl_bump. So you may
as well remove the line entirely.
Your peek/splice rules below with the "bypass" ACL seem to be doing what you
intended this to do.
> # Package Integration
> url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
> url_rewrite_bypass off
> url_rewrite_children 16 startup=8 idle=4 concurrency=0
>
> # Custom options before auth
> #debug_options all,1 20,0 36,0 41,0 47,0 79,0 90,0 92,0
> debug_options 83,6
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
Note that step2 and step3 are not being used. You can remove those lines.
>
> acl bypass ssl::server_name .google.de .sparkasse.de .postbank.de
> acl wupdate ssl::server_name .windowsupdate.com .microsoft.com
>
> ssl_bump peek step1
> ssl_bump peek bypass wupdate
> ssl_bump splice bypass wupdate
> ssl_bump bump all
>
> sslproxy_cert_error allow wupdate
Note that ssl::server_name probably won't work in these sslproxy_* rules.
> sslproxy_cert_error deny all
>
> # Always allow access to whitelist domains
> http_access allow whitelist
> # Setup allowed acls
> # Allow local network(s) on interface(s)
> http_access allow allowed_subnets
> http_access allow localnet
Note that localnet == allowed_subnets, so the allowed_subnets line can
be removed.
> # Default block all to be sure
> http_access deny allsrc
Really s/allsrc/all/
<snip>
>
>
> #build options
> configure options: '--with-default-user=squid'
> '--bindir=/usr/pbi/squid-amd64/local/sbin'
> '--sbindir=/usr/pbi/squid-amd64/local/sbin'
> '--datadir=/usr/pbi/squid-amd64/local/etc/squid'
> '--libexecdir=/usr/pbi/squid-amd64/local/libexec/squid'
> '--localstatedir=/var'
> '--sysconfdir=/usr/pbi/squid-amd64/local/etc/squid'
> '--with-logdir=/var/squid/logs'
> '--with-pidfile=/var/run/squid/squid.pid'
> '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth'
> '--enable-build-info'
<snip>
build-info requires a string. Whoever provided this package needs to fix
that.
Amos
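The CRL test Sebastian describes (fetch the CRL, convert DER to PEM, check a revoked cert with openssl) and the server-side directive Amos points to, worked through as an added example that is not part of the thread and is not Squid's or OpenSSL's own code. It builds a throwaway CA and a revoked leaf certificate (every name, path and the CA config are made up for this example), shows that the revoked cert verifies cleanly when no CRL is loaded and is rejected once the CRL is wired in, and writes the squid.conf fragment that puts the CRL on the server-verification side. `sslproxy_crlfile` is the directive Amos names; `sslproxy_capath` and `sslproxy_flags VERIFY_CRL` are the Squid 3.5 directive names as I know them and are an assumption to confirm with `squid -k parse`.

```shell
#!/bin/sh
# Added example, not code from the thread, Squid or OpenSSL. It rebuilds the
# CRL test described in the thread against a throwaway CA (all names, paths
# and the CA config here are made up), then writes the server-side squid.conf
# fragment that Amos' reply points to.
set -e

# Build a throwaway CA, issue a leaf cert, revoke it and publish a DER CRL
# (CRL distribution points normally serve DER; squid.conf expects PEM, see
# crl_der_to_pem below).
make_revoked_chain() {
    dir=$1
    mkdir -p "$dir"
    # Minimal openssl.cnf for req(1) plus the ca(1) database used by -revoke/-gencrl.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 7
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=revoked.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/leaf.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -cert "$dir/ca.pem" -keyfile "$dir/ca.key" \
        -revoke "$dir/leaf.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -cert "$dir/ca.pem" -keyfile "$dir/ca.key" \
        -gencrl -out "$dir/issued.crl" 2>/dev/null
    openssl crl -in "$dir/issued.crl" -outform DER -out "$dir/crl.der"
}

# squid.conf wants PEM; CRL distribution points usually hand out DER.
crl_der_to_pem() {
    openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# Without a CRL the revoked cert chains fine: this is what a proxy that never
# loads the CRL sees. Exit 0 when openssl accepts the cert.
cert_verifies_without_crl() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# With -crl_check the same cert must be rejected for revocation specifically.
# Exit 0 only when openssl's reason is "certificate revoked" (error 23).
cert_is_revoked() {
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1 || true)
    case $out in
        *"certificate revoked"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Server-side verification lives in sslproxy_* directives (Squid 3.5 names as
# I know them; confirm with "squid -k parse"), not in http_port crlfile=,
# which is only loaded when clientca= turns on client-certificate auth.
write_squid_tls_fragment() {
    cat > "$1" <<'EOF'
# CRLs for verifying *server* certificates on bumped connections (Squid 3.5)
sslproxy_capath /usr/local/share/certs/
sslproxy_crlfile /etc/squid/crl/glob.pem
sslproxy_flags VERIFY_CRL
sslproxy_cert_error deny all
EOF
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_revoked_chain "$work"
    crl_der_to_pem "$work/crl.der" "$work/glob.pem"
    cert_verifies_without_crl "$work/ca.pem" "$work/leaf.pem" && echo "no CRL loaded: revoked cert accepted"
    cert_is_revoked "$work/ca.pem" "$work/glob.pem" "$work/leaf.pem" && echo "CRL loaded: certificate revoked"
    write_squid_tls_fragment "$work/squid-tls.conf"
    cat "$work/squid-tls.conf"
fi
```

Run it as `sh crl-check.sh demo`. The two openssl verify calls are the point: the same certificate passes until the CRL is actually consulted, which is exactly the silent failure mode of a CRL that is configured on the wrong side of the proxy. After dropping the fragment into squid.conf, `squid -k parse` reports any directive the build does not know, and a bumped connection to the revoked test site should then be refused under `sslproxy_cert_error deny all`.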