[squid-users] Squid not coming up with dynamic host certificate on ssl bum

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 30 13:04:52 UTC 2019


On 30/01/19 8:11 pm, bandeep2000 wrote:
> Have Squid in transparent mode, want to ssl bump all the connections which
> are not whitelisted, but when given *generate-host-certificates=on*,
> Squid keeps crashing when trying to bring it up after a service restart.
> 
> 
> 
> */var/log/messages*
> 
> Jan 30 07:05:52 ban-squid-proxy22 squid[23323]: Squid Parent: (squid-1)
> process 23441 started
> 
> Jan 30 07:05:52 ban-squid-proxy22 (squid-1): The ssl_crtd helpers are
> crashing too rapidly, need help!
> 

There is the error. cache.log should contain more details and possibly
instructions about the error.

Probably you did not initialize the certificate database or it needs to
be purged and reinitialized.




> 
> *squid.conf details:*
> 
> 
> visible_hostname squid
> 


This name will clash with any other proxy calling itself "squid" and the
traffic may/will be rejected as a forwarding loop.

Using the full hostname or FQDN is best to ensure the URLs of objects
provided direct from Squid to clients can be fetched by those clients.


> 
> cache deny all
> 
> #Handling HTTP requests
> 
> http_port 3128 intercept
> 
> acl allowed_http_sites dstdomain ...
> acl blacklist url_regex -i /.(.*?)

The above is equivalent to:

  acl blacklist url_regex /.

Meaning "blacklist" matches any URI containing a '/' character followed
by one other character...

> 
> 
> http_access allow allowed_http_sites
> 
> http_access deny blacklist
> 


... all URLs start with "scheme://" therefore the first '/' always
exists and is always followed by the second '/'.

... So any traffic with a URL is blacklisted.

The only traffic allowed is that on the whitelist or with URI or URN -
the latter two do not require the '//' scheme delimiters. So they
usually will not match, but may do so.


> 
> #Handling HTTPS requests
> 
> #https_port 3130 cert=/etc/pki/tls/certs/squidCA.pem ssl-bump intercept
> 
> #/root/openssl/squid.crt  squid.csr  /root/openssl/squid.key
> 
> *https_port 3130 cert=/root/openssl/squid.crt
> key=/root/openssl/squid.key ssl-bump intercept
> generate-host-certificates=on version=1
> options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE*
> 

Please put the traffic mode ("intercept" for these) as the first option
after the port number. The Squid "-k parse" checks can only verify
correct operation and help instructions if the mode is known when the
other options are interpreted.



> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
> 
> 
> acl SSL_port port 443
> 
> http_access allow SSL_port
> 

So any attempt to open opaque tunnels (uses a URI, not a URL) to port 443
on any domain is allowed by any client who can get TCP connections to
reach your proxy port 3128.
Also to any server in the allowed_https_sites whitelist, regardless of
whether the client is on your LAN or an external attacker.

(NP: there are good reasons we recommend the default !Safe_ports and
"CONNECT !SSL_ports" ACL checks to be used first and your rules
second. Mostly it is about protecting your network from abusers.)


> acl allowed_https_sites ssl::server_name ...
> 
> 
> acl step1 at_step SslBump1
> 
> acl step2 at_step SslBump2
> 
> acl step3 at_step SslBump3
> 
> 
> ssl_bump peek step1 all
> 
> #ssl_bump peek all
> 
> ssl_bump splice step2 allowed_https_sites
> 
> ssl_bump splice step3 allowed_https_sites
> 

No traffic should ever reach step3, since step2 always finishes with
the above splice or the below bump action. There are no other
possibilities at step2 which would ever lead to step3 (server
credentials) being checked.


> ssl_bump bump step2 all
> 

Note: the "all" ACL is always pointless on ssl_bump lines and seems to
often confuse people into thinking that a line matches all traffic (it
does nothing). I recommend removing those and re-checking the rules
against your understanding of what your policy needs to make happen.


Amos
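The fix Amos points at (initialise, or purge and reinitialise, the ssl_crtd certificate database, then re-parse the config) as an added shell example. This is not code from the post or from the Squid project. The helper and database paths are taken from the poster's sslcrtd_program line; that Squid's cache_effective_user is "squid" is an assumption, as is the layout check (ssl_crtd -c creates an index.txt file and a certs/ directory in the store). Adjust both to match your squid.conf and installed version.

```shell
#!/bin/sh
# Added example (not from the squid-users post or the Squid project).
# Checks whether an ssl_crtd certificate store looks initialised and, if
# not, reinitialises it the way the Squid docs describe: ssl_crtd -c -s DIR.
# Paths come from the poster's sslcrtd_program line; the "squid" user is an
# assumption, set it to your cache_effective_user.
SSL_CRTD="${SSL_CRTD:-/usr/lib/squid/ssl_crtd}"
SSL_DB="${SSL_DB:-/var/lib/squid/ssl_db}"
SQUID_USER="${SQUID_USER:-squid}"

# Returns 0 when DIR contains what "ssl_crtd -c" creates: an index.txt
# file and a certs/ subdirectory (assumed layout). Anything else makes the
# helper exit at startup, which Squid reports as
# "The ssl_crtd helpers are crashing too rapidly".
ssl_db_initialized() {
    dir="$1"
    [ -d "$dir" ] && [ -f "$dir/index.txt" ] && [ -d "$dir/certs" ]
}

# Purge-and-reinitialise: move an unusable store aside (keeps evidence for
# cache.log comparison), create a fresh one, and hand it to the helper's
# user. ssl_crtd -c creates DIR itself, so DIR must not already exist.
init_ssl_db() {
    dir="$1"
    if [ -e "$dir" ]; then
        mv "$dir" "$dir.broken.$(date +%s)" || return 1
    fi
    "$SSL_CRTD" -c -s "$dir" || return 1
    chown -R "$SQUID_USER" "$dir" || return 1
    ssl_db_initialized "$dir"
}

# Run the real check only on a host that actually has the helper installed.
if [ -x "$SSL_CRTD" ]; then
    if ssl_db_initialized "$SSL_DB"; then
        echo "ssl_db at $SSL_DB looks initialised"
    else
        echo "ssl_db at $SSL_DB is missing or incomplete; reinitialising"
        init_ssl_db "$SSL_DB" || exit 1
    fi
    # Re-check the config before restarting the service; -k parse reports
    # helper and port-option problems without starting the daemon.
    squid -k parse || exit 1
fi
```

On Squid 4 and later the helper is named security_file_certgen and takes the same -c and -s options, so only SSL_CRTD needs to change. After reinitialising, restart Squid and watch cache.log rather than /var/log/messages; the helper writes the reason it exited there.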

