[squid-users] sslproxyflags DONT_VERIFY_PEER

Stanford Prescott stan.prescott at gmail.com
Wed Aug 3 14:45:03 UTC 2016


I have had my squid implementation for sslbump set up and working for some
time now. I have had several people point out that my use of "sslproxyflags
DONT_VERIFY_PEER" is dangerous from a security standpoint. When I was first
trying to get sslbump working it would not work until I saw a suggestion
somewhere that that sslproxyflag could be used. When I tried it, sslbump
started working.

After several configurations adding the new peek+splice and peek+bump
features, I still am not able to remove "sslproxyflags DONT_VERIFY_PEER".
Whenever I try removing it, I get the error message that my browser is
trying to connect to an unsecured site or "Untrusted connection" whenever
it tries to connect to an https site.

Here is my squid.conf:

visible_hostname smoothwall

# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.40.40.1
acl localnetgreen src 10.40.40.0/24
acl SWE_subnets src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"

acl SSL_ports port 445 443 441 563
acl Safe_ports port 80     # http
acl Safe_ports port 81     # smoothwall http
acl Safe_ports port 21     # ftp
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70     # gopher
acl Safe_ports port 210       # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http

acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------

http_access allow SWE_subnets

http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnetgreen
http_access allow CONNECT localnetgreen

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127

http_port 10.40.40.1:800 intercept
https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem

http_port 127.0.0.1:800 intercept

sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all

sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
#----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid

cache_swap_high 92
cache_swap_low 90

cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB

cache_dir aufs /var/spool/squid/cache 1024 16 256

maximum_object_size 33 MB

minimum_object_size 0 KB

request_body_max_size 0 KB

# OTHER OPTIONS
#----------------------------------------------------------------------------
#via off
forwarded_for off

pid_filename /var/run/squid.pid

shutdown_lifetime 10 seconds
#icp_port 3130

half_closed_clients off
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

umask 022

logfile_rotate 0

strip_query_terms off

url_rewrite_program /var/smoothwall/mods/ufdbguard/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 64 startup=16 idle=4 concurrency=0
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni='%ssl::>sni' referer='%{Referer}>h'"


Does anyone have any suggestions how I can remove that proxy flag and still
keep sslbump working?
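Editor's note on the question above. With `DONT_VERIFY_PEER` set, Squid never checks the certificate the origin server presents: whatever the server sends (expired, self-signed, issued for a different name, or forged by an attacker between Squid and the site) is accepted, re-signed with squidCA, and shown to the browser as trusted, which is why the flag is called out as dangerous. The common reason removing the flag breaks every https site is that Squid then has to verify origin certificates but has no trust anchors to verify them against, so every verification fails and `sslproxy_cert_error deny all` turns each failure into the "Untrusted connection" page. The fragment below is an added example, not part of the original post or of Smoothwall's shipped configuration; it uses the Squid 3.5 directive names the posted config already uses, and the CA bundle path and the hostname in the optional exception are assumptions (use the bundle your distribution ships).

```conf
# --- Weak setting, as in the posted squid.conf: Squid accepts any origin
# --- certificate, so an invalid or forged server cert is re-signed by
# --- squidCA and presented to the client as trusted.
#sslproxy_flags DONT_VERIFY_PEER

# --- Replacement: give Squid a trust store so verification can succeed.
# --- The path is an assumption; point it at your OS CA bundle.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# A hashed directory of CA certs can be used instead of, or alongside, the bundle:
#sslproxy_capath /etc/ssl/certs

# Keep a failed verification fatal: an origin cert that does not chain to
# the bundle is refused instead of being re-signed for the client.
sslproxy_cert_error deny all

# Optional, narrowly scoped exception instead of a global bypass. This tolerates
# exactly one error (a self-signed leaf) for one hypothetical internal host,
# while every other server and every other error is still verified and denied.
#acl selfsigned_err ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
#acl internal_host dstdomain intranet.example.test
#sslproxy_cert_error allow selfsigned_err internal_host
#sslproxy_cert_error deny all
```

Before restarting, `squid -k parse` reports directive and path errors, and `openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.wellsfargo.com:443 </dev/null` run on the proxy host shows whether that bundle verifies a real site chain (look for `Verify return code: 0 (ok)`); if that command fails, Squid will fail the same way regardless of its flags. On Squid 4 and later the same settings are expressed through `tls_outgoing_options` (`cafile=`, `capath=`, and the `flags=DONT_VERIFY_PEER` that should likewise be left out).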