[squid-users] SSL Bump in intercept mode
Alex Rousskov
rousskov at measurement-factory.com
Mon Sep 28 14:49:25 UTC 2015
On 09/28/2015 12:57 AM, Степаненко Сергей wrote:
> I use a config with
> ssl_bump stare all
> ssl_bump bump all
> When I use ssl bump, squid does not send the certificate chain.
> Info from s_client
>
> with ssl_bump
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
> i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
> With server-first
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
> i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
> 1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
> i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
> 2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
> i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
> 3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
> i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
Thank you for sending relevant details!
This sounds like a Squid bug to me, although I am surprised you are the
only one seeing it (perhaps I just do not recall relevant bug reports).
I recommend filing a bug report with information similar to what you have
posted here. If you can, also post (to the bug report) cache.log with
debug_options set to ALL,9 and reproducing the problem with a single
s_client transaction.
> In man ssl_crtd
> The version 1.0 of this helper will not add chained intermediate CA certificates.
> But I have a question: how does this work with server-first?
Good question. I suspect the manual page is outdated, but I am not 100%
sure. We can come back to this once the bug is resolved.
Thank you,
Alex.
> -----Original Message-----
> From: Alex Rousskov [mailto:rousskov at measurement-factory.com]
> Sent: Wednesday, September 23, 2015 6:05 PM
> To: squid-users at lists.squid-cache.org
> Cc: Степаненко Сергей
> Subject: Re: [squid-users] SSL Bump in intercept mode
>
> On 09/23/2015 12:16 AM, Степаненко Сергей wrote:
>
>> My proxy certificate is released by a SubCA, i.e. CA - SubCA - Proxy.
>
>> OS - Centos6.7, squid - 3.5.7 from www1.ngtech.co.il repo
>
>
>> ssl_bump stare all
>> ssl_bump bump all
>> ssl_bump splice all step3
>
> Please note that the last "splice" rule will never match [in the latest Squids]. Other than being misleading about your true intent, this should not cause problems.
>
> Apart from the pointless splice rule, this is the configuration variant you should focus on if you want to bump everything.
>
>
>> in this configuration the browser writes "Not check certificate chain"
>
> Perhaps the browser lacks the SubCA certificate? Does Squid send that intermediate certificate to the browser? You should be able to tell by examining the browser-Squid SSL handshake in wireshark.
>
>
>> ssl_bump bump all
>> ssl_bump stare all
>> ssl_bump splice all step3
>
> Please note that the second and third rules will never match [in the latest Squids].
>
> Also, the above config variation is subject to Bug 4327 [in the latest Squids]. It is not yet clear what the correct Squid behaviour should be in this case. Avoid this configuration for now.
>
> http://bugs.squid-cache.org/show_bug.cgi?id=4327
>
>
>> I get the error "The security certificate presented by this website was
>> issued for a different website's address", but the certificate chain is
>> trusted, i.e. I see the chain CA - SubCA - Proxy - site ipaddr.
>
> Possibly because of the problems discussed in comments 0-3 of the Bug
> 4327 report mentioned above. I do not know whether your Squid version is affected because quite a few things have changed since it was released.
>
>
>> ssl_bump server-first all
>
>> All works. But not for all sites.
>
> I cannot fully explain this observation. In theory, this last config should have similar effects to your first config, but should handle fewer cases because the last config lacks SNI support.
>
> I recommend that you try to reproduce the problems [with the first config] using the latest v3.5 daily snapshot (or trunk):
>
> ssl_bump stare all
> ssl_bump bump all
>
>
> Good luck,
>
> Alex.
>
>
>
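One way to turn the s_client comparison above into a repeatable check, as an added example that is not part of the thread or of Squid: parse the `Certificate chain` section of `openssl s_client` output and list every issuer that the server did not present itself. The sample input is constructed from the two chains quoted in the thread; a non-empty result means the client must already hold that intermediate, which is exactly the difference between the stare/bump and server-first runs.

```python
import re

# Constructed sample input, copied from the two s_client "Certificate chain"
# sections quoted in the thread (ssl_bump stare/bump vs. server-first).
BUMP_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
---
"""

SERVER_FIRST_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
 1 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=proxy02.home.lan
   i:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
 2 s:/C=RU/ST=VLG/O=HOME Ltd/OU=IT/CN=SIGN-CA1
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
 3 s:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
   i:/C=RU/ST=VLG/L=VOLGOGRAD/O=HOME Ltd/OU=IT/CN=MAIN_CA
---
"""


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:                      # "N s:<subject>" opens a new entry
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:  # "i:<issuer>" closes it
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def missing_intermediates(text):
    """Issuers the client must chain to but the server did not present.

    A self-signed root is not reported: clients hold roots in their own
    trust store, so sending it is optional. Any other missing issuer
    forces the browser to fetch or guess the intermediate, or fail.
    """
    chain = parse_chain(text)
    presented = {subj for subj, _ in chain}
    return [iss for subj, iss in chain if iss != subj and iss not in presented]
```

Feed it the real output of `openssl s_client -connect <proxy-or-site>:443 -showcerts` to check a live Squid instead of the constructed samples.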