[squid-users] Squid Explicit Proxying

Amos Jeffries squid3 at treenet.co.nz
Wed Aug 26 05:36:44 UTC 2020


On 25/08/20 10:35 pm, Eric F. wrote:
> Hi,
> 
> I use OpenBSD 6.7 with Squid 4.12.
> I want to filter http and https websites, so I'm trying to use SSL bumping.
> But unfortunately, my configuration doesn't work. I'll explain what I did:
> 
> The host is named: proxy.lab.local
> 
> I generated the certificate like that:
> 
> cd /etc/squid
> openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem

This creates keys. The public cert still needs to be signed. Though curl
below indicates a self-signed cert is present in the chain it gets from
Squid. That is a bit odd.


> openssl x509 -in /etc/squid/squid.pem -outform DER -out /etc/squid/browser.der

This should be done after signing. Whether you do self-signed or not,
export the DER from the same file you put in the --CA parameter for the
signing process.


> chown _squid:_squid *.pem
> 
> run squid with squid -z && rcctl start squid
> 
> no errors.
> 
> I installed browser.der on my Windows 10 laptop (added the proxy),
> therefore I can't access any webpage.

Er. You should still be able to access web pages. The traffic should
just be going via Squid if you "added the proxy" right.


> 
> I tried on the squid server the following tests (curl)
> 
> proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
> curl: (60) SSL certificate problem: self signed certificate in
> certificate chain
> More details here: https://curl.haxx.se/docs/sslcerts.html


curl on the proxy machine does not know about browser.der on the Windows
machines. This is the expected result.


> 
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> 
> proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem -l https://www.google.com
> curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure
> 

The -l indicates an email or FTP server being connected to. Otherwise
this command looks correct.

I start by looking up the OpenSSL error message. Unfortunately that one
produces no search results for me. You might have better luck. In the
absence of any useful info about what the error means, the next thing is to
get the verbose output from curl to see what is going on.
And check the Squid cache.log with "debug_options ALL,5" to see what
Squid is doing at its end.

If that does not provide more useful clues, then a TCP-level packet trace
in Wireshark as a last resort.



> Can you help me troubleshoot this issue?
> 
> Thank you very much.
> 
> Below is my configuration:
> 
> 
> proxy# squid -v
> Squid Cache: Version 4.12
> Service Name: squid
> 
> This binary uses LibreSSL 3.1.1. For legal restrictions on distribution
> see https://www.openssl.org/source/license.html
> 

FYI, LibreSSL is not formally supported due to the number of behavioural
differences it now has with OpenSSL. SSL-Bump is a mix of custom Squid
code and relatively low-level calls into OpenSSL. While LibreSSL usually
builds, we cannot guarantee those low-level calls do what SSL-Bump expects.


...
> 
> acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
> acl bad_domains dstdomain "/etc/squid/bad_domains"
> 
> http_access deny bad_urls
> http_access deny bad_domains
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 

Nit: that line means all the bad_* checks should be down here.


> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
> # And finally deny all other access to this proxy
> http_access deny all
> 
> # Squid normally listens to port 3128
> http_port 3128 ssl-bump \
>   cert=/etc/squid/squid.pem \

Nit: the option is now named tls-cert=


>   generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
> 
> sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 8MB
> 
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all


This makes SSL-Bump generate the certificates without any details from
the actual server. You can expect a lot of issues with TLS features that
need end-to-end negotiation (eg TLS/1.3 connections).

To work around that:

  acl step1 at_step SslBump1
  ssl_bump peek step1

  acl step2 at_step SslBump2
  ssl_bump stare step2

  ssl_bump bump all


> sslcrtd_children 5
> sslproxy_cert_sign signTrusted
> 


HTH
Amos
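The difference between the original `peek step1` / `bump all` pair and the suggested `peek` / `stare` / `bump` sequence comes down to how Squid evaluates ssl_bump rules: at each SslBump step it takes the first rule whose ACLs match, and an `at_step` ACL matches only its named step. The following script is an added illustration (not Squid's code and not part of the thread) that models just that first-match rule selection for the two configurations discussed above; the `ORIGINAL_CONF` and `FIXED_CONF` fragments are constructed from the message, and `review()` encodes the point that a certificate can only mimic the real server if Squid stared at step 2 before bumping.

```python
"""Simulate which ssl_bump action Squid selects at each SslBump step.

Hypothetical illustration written for this note, not Squid's own code. It
models only first-matching-rule selection for ssl_bump lines combined with
at_step ACLs and the literal ACL 'all'; negated ACLs and other ACL types
are not handled.
"""

STEPS = ("SslBump1", "SslBump2", "SslBump3")
FINAL_ACTIONS = {"splice", "bump", "terminate"}   # these end rule evaluation


def parse_config(text):
    """Extract at_step ACL definitions and ssl_bump rules from a squid.conf fragment."""
    step_acls = {}   # acl name -> SslBump step it matches
    rules = []       # (action, [acl names]) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) == 4 and words[2] == "at_step":
            step_acls[words[1]] = words[3]
        elif words[0] == "ssl_bump" and len(words) >= 2:
            rules.append((words[1], words[2:]))
    return step_acls, rules


def acl_matches(step_acls, acl, step):
    """'all' always matches; an at_step ACL matches only its named step."""
    if acl == "all":
        return True
    return step_acls.get(acl) == step


def action_at_step(config, step):
    """First matching ssl_bump rule wins; with no match Squid just tunnels (splice)."""
    step_acls, rules = config
    for action, acls in rules:
        if all(acl_matches(step_acls, a, step) for a in acls):
            return action
    return "splice"


def trace_actions(config):
    """Walk the steps in order, stopping once a final action has been chosen."""
    chosen = []
    for step in STEPS:
        action = action_at_step(config, step)
        chosen.append((step, action))
        if action in FINAL_ACTIONS:
            break
    return chosen


def review(config):
    """Return findings about whether a bump can use details from the real server."""
    chosen = dict(trace_actions(config))
    findings = []
    if "bump" in chosen.values():
        if chosen.get("SslBump2") == "stare":
            findings.append("server certificate was stared at step 2; bump can mimic it")
        elif chosen.get("SslBump2") == "peek":
            findings.append("peek at step 2 usually precludes bumping at step 3")
        else:
            findings.append("bump before stare: generated certificate uses no server details")
    return findings


# Constructed from the configuration quoted in the thread.
ORIGINAL_CONF = """
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

# Constructed from the work-around suggested in the reply.
FIXED_CONF = """
acl step1 at_step SslBump1
ssl_bump peek step1

acl step2 at_step SslBump2
ssl_bump stare step2

ssl_bump bump all
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        cfg = parse_config(conf)
        print(name, trace_actions(cfg), review(cfg))
```

Run as-is, the original fragment bumps at SslBump2 because `bump all` is the first rule that matches once `step1` no longer does, so the generated certificate is built before Squid has seen anything from the origin server; the fixed fragment stares at step 2 and only bumps at step 3.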

