[squid-users] Ssl-Bump and revoked server certificates

Walter H. Walter.H at mathemainzel.info
Wed Oct 7 14:17:42 UTC 2015


On 07.10.2015 11:05, Amos Jeffries wrote:
> On 7/10/2015 4:27 a.m., Alex Rousskov wrote:
>> On 10/06/2015 01:27 AM, Jason Haar wrote:
>>> Good catch - I don't think squid does CRL/OCSP checks
>>> But this is a bug in squid - this means untrustworthy certs become
>>> trusted again - not a good look
>>
>> IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
>> difficult to configure to do CRL checks. If my recollection is correct,
>> then this is not exactly a Squid bug but more like a missing convenience
>> feature.
> Exactly. All that's missing is the squid.conf directive in Squid-3.x.
> That has been added in Squid-4.
>
>> Squid does not know about OCSP. Another missing feature.
>>
>> One may perform all those checks using a custom certificate validator
>> helper, of course.
>>
> Amos
>
Hi Amos,

what about these two directives in squid.conf?

sslcrtvalidator_program and sslcrtvalidator_children

or

sslcrtvalidator_program cache=8192 ttl=240 /usr/lib64/squid/cert_valid.pl
sslcrtvalidator_children 12 startup=5 idle=1 concurrency=1

can I have a working sample of cert_valid.pl that results
in an "access denied" or any other error page of squid?
(it may bring this on any page that is ssl_bumped,
so I know the interface, because this here:
http://wiki.squid-cache.org/Features/SslServerCertValidator
is wrong;

instead of
/usr/lib64/squid/cert_valid.pl
I used a bash-script with this content

#!/bin/bash
# copy the validator request into /tmp/pre.log, then hand it on to the real helper
myprog 2>>/tmp/pre.log | /usr/lib64/squid/cert_valid.pl

and the C source of myprog:


#include <stdio.h>
#include <unistd.h>   /* read() and write() are declared here, not in fcntl.h */

/* Copy everything arriving on stdin to both stdout and stderr, so the
 * validator request can be logged while still being passed on. */
int main( int argc, char* argv[ ] )
{
         static char szBuf[ 260 ];
         ssize_t nLen;
         while( ( nLen = read( 0, szBuf, 256 ) ) > 0 )
         {
                 write( 1, szBuf, nLen );   /* forward to cert_valid.pl */
                 write( 2, szBuf, nLen );   /* copy to the log via 2>> */
         }
         return 0;
}

so I got the identical content as stdout and stderr and there I caught e.g. this:

<CATCH CONTENT>
0 cert_validate 3373 host=revoked.grc.com
</CATCH CONTENT>

with this I could programme a correct certificate validator using OpenSSL,
but I MUST have a little bit more precise knowledge about the correct interface;

can someone please explain how the 3373 of the CATCH CONTENT above is calculated?

and how the following could deal in connection with this certificate validator

acl certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl certNotValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID
acl certRevoked ssl_error X509_V_ERR_CERT_REVOKED

sslproxy_cert_error deny certRevoked
sslproxy_cert_error deny certHasExpired
sslproxy_cert_error deny certNotValid
sslproxy_cert_error allow all

the generic fake sample /usr/lib64/squid/cert_valid.pl

always returns "0 OK 0 \1"
what does \1 mean here?

Thanks,
Walter
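As an added example (not Squid's code and not the helper from the post above), the request/response framing of the cert validator interface discussed in this thread, written in Python. It assumes that the third field is the byte length of the body that follows the next space, that `\1` is the 0x01 message-terminator byte, and that error replies use the `error_name_N`, `error_reason_N` and `error_cert_N` body fields named on the wiki page linked above; the certificates in it are constructed placeholders.

```python
# Squid cert_validate helper framing. Added example, not Squid's own code.
# Assumptions (see lead-in): "<id> cert_validate <body_len> <body>\1" where
# body_len counts the bytes of <body>, and replies use error_name_N /
# error_reason_N / error_cert_N.
EOM = b"\x01"  # the "\1" terminator byte seen in cert_valid.pl's "0 OK 0 \1"

def build_request(req_id: str, host: str, pems: list) -> bytes:
    """Frame a request the way Squid would; shows how a 3373-style length arises."""
    body = "host=%s\n" % host
    body += "".join("cert_%d=%s\n" % (i, pem) for i, pem in enumerate(pems))
    raw = body.encode("ascii")
    return ("%s cert_validate %d " % (req_id, len(raw))).encode("ascii") + raw + EOM

def parse_request(msg: bytes) -> dict:
    """Split a request into id, host and certs; reject a wrong body length."""
    req_id, code, length, rest = msg.split(b" ", 3)
    if code != b"cert_validate":
        raise ValueError("unexpected request code %r" % code)
    body = rest[:-1] if rest.endswith(EOM) else rest
    if int(length) != len(body):
        raise ValueError("declared body length %s != actual %d" % (length.decode(), len(body)))
    fields, key = {}, None
    for line in body.decode("ascii").splitlines():
        if key is None:
            key, _, value = line.partition("=")
            fields[key] = value
            if not value.startswith("-----BEGIN"):
                key = None  # single-line value such as host=
        else:
            fields[key] += "\n" + line  # continuation line of a PEM block
            if line.startswith("-----END"):
                key = None
    return {"id": req_id.decode("ascii"), "host": fields.get("host"),
            "certs": {k: v for k, v in fields.items() if k.startswith("cert_")}}

def compose_response(req_id: str, errors: list) -> bytes:
    """errors = [(error_name, reason, cert_key), ...]; [] yields '<id> OK 0 \\1'."""
    body = "".join("error_name_%d=%s\nerror_reason_%d=%s\nerror_cert_%d=%s\n"
                   % (i, n, i, r, i, c) for i, (n, r, c) in enumerate(errors))
    status = "ERR" if errors else "OK"
    return ("%s %s %d %s" % (req_id, status, len(body), body)).encode("ascii") + EOM

# Constructed placeholder PEM blocks, not real certificates.
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nMIIBleafAAAA\n-----END CERTIFICATE-----"
FAKE_CA = "-----BEGIN CERTIFICATE-----\nMIIBcaAAAA\n-----END CERTIFICATE-----"
SAMPLE_REQUEST = build_request("0", "revoked.grc.com", [FAKE_LEAF, FAKE_CA])
```

With `sslproxy_cert_error deny certRevoked` in place, a reply carrying `error_name_0=X509_V_ERR_CERT_REVOKED` is what makes the `ssl_error` ACL match.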



