[squid-users] SQUID 4.12 (Debian 10, OpenSSL 1.1.1d) - SSL bump no server helllo
Loučanský Lukáš
Loucansky.Lukas at kjj.cz
Tue Jun 16 07:43:19 UTC 2020
Hello,
I was wondering if anyone could take a look at this:
I'm running squid for rather long time, recently I have upgraded my squid box to Debian 10 (from Debian 9) and OpenSSL 1.1.1d
4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux OpenSSL 1.1.1d 10 Sep 2019
squid -v
Squid Cache: Version 4.12
Service Name: squid
This binary uses OpenSSL 1.1.1d 10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid4' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid4' '--sysconfdir=/etc/squid4' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-snmp' '--disable-translation' '--with-swapdir=/var/spool/squid4' '--with-logdir=/var/log/squid4' '--with-pidfile=/var/run/squid4.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-openssl' '--enable-ssl-crtd' '--enable-security-cert-generators' '--enable-security-cert-validators' '--enable-linux-netfilter' 'PKG_CONFIG_PATH=:/usr/local/lib/pkgconfig:/usr/lib64/pkgconfig:/usr/share/pkgconfig' 'CFLAGS=-g -O2 -m64 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -m64 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 'build_alias=x86_64-linux-gnu'
Before upgrade I was running stock kernel, stock openssl and compiled squid version 4.10 with ssl support to splice (local and excepted webs), peek and terminate ssl connections based on the SNI acl.
Now I run into this problem - my configuration does not work anymore. So I decided to try to bump every connection. The security file certgen is making new certificates based on my CA as usual.
But the client on the intercepted connection (via changed routing table under mikrotik and then prerouted to correct squid ports for http and ssl traffic) running Chrome 83 http://download.kjj.cz/pub/ssl/idnes.cz_chrome.83.0.4103.97.pcapng sends ClientHello - and no ServerHello is received. I've tcpdumped outgoing interface on the squid box - and there was no actual connection to the desired server.
In the access.log there is something like 1592212170.495 2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
But - same client, same network, running Firefox 77 http://download.kjj.cz/pub/ssl/idnes.cz_firefox.77.0.1.pcapng gets ServerHello after its ClientHello - they exchange information, exchange ciphers etc. and the web page is loaded. I've checked https certificate details - it's been issued by my CA.
access.log:
1592212156.764 8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
1592212156.774 2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.825 38 10.0.0.40 TCP_MISS/302 777 GET https://idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
1592212156.840 7 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.893 28 10.0.0.40 TCP_CLIENT_REFRESH_MISS/200 40086 GET https://www.idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
So in Firefox - it seems to be working. I have modified the openssl.cnf default configuration to avoid MinProtocol TLS1.2, but no change. I have 2048b SSL DH params specified for the prime256v1 curve in the https_port definition like this:
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid4/ssl/CAcert.pem tls-dh=prime256v1:/etc/squid4/ssl/dhparams_2048.pem cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
and
tls_outgoing_options options=NO_SSLv3
tls_outgoing_options cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
At first I thought I had to change my configuration or that I missed something during the compiling, so I switched back to 4.10 - no change. I see
2020/06/15 11:21:45 kid2| Error negotiating SSL connection on FD 59: error:00000001:lib(0):func(0):reason(1) (1/-1)
in the cache.log here and there - but it was the same before. I've actually turned debug on (by debug_options ALL,9), just to get a bunch of information, tracked down the connect request to the desired servers and seeing nothing...
Is it something about the patch for older TLS traffic, or is it some misconfiguration - maybe in the ciphers or TLS versions?
Thanks LL
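A small diagnostic that is not part of the post above: it parses the Squid native access.log lines quoted in the message (embedded here as a constructed sample, with the Chrome NONE_ABORTED entry appended) and checks, for each synthetic CONNECT that SSL bump records for an intercepted TLS session, whether Squid subsequently forwarded an https request to the same origin. A CONNECT that is never followed by an ORIGINAL_DST request within a short window is exactly the "no ServerHello, no upstream connection" symptom described in the post, so the script separates the Firefox case (bumped, then forwarded) from the Chrome case (aborted before any origin contact). The field layout and the 5-second window are assumptions of this example.

```python
from collections import Counter

# Constructed sample: the access.log lines quoted in the post, plus the
# NONE_ABORTED line the author saw for the Chrome session.
SAMPLE_LOG = """\
1592212156.764 8 10.0.0.40 TCP_MISS/301 196 GET http://idnes.cz/ - ORIGINAL_DST/185.17.117.32 -
1592212156.774 2 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.825 38 10.0.0.40 TCP_MISS/302 777 GET https://idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
1592212156.840 7 10.0.0.40 NONE/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
1592212156.893 28 10.0.0.40 TCP_CLIENT_REFRESH_MISS/200 40086 GET https://www.idnes.cz/ - ORIGINAL_DST/185.17.117.32 text/html
1592212170.495 2 10.0.0.40 NONE_ABORTED/200 0 CONNECT 185.17.117.32:443 - HIER_NONE/- -
"""

# Squid "native" log format (assumed here): ten whitespace-separated fields.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "ident", "hierarchy", "mime")


def parse_line(line):
    """Split one native-format access.log line into a dict, or None if malformed."""
    parts = line.split(None, 9)
    if len(parts) != 10:
        return None
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = float(rec["timestamp"])
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    code, _, status = rec["result"].partition("/")       # e.g. NONE_ABORTED/200
    rec["result_code"] = code
    rec["status"] = int(status) if status.isdigit() else None
    hier, _, peer = rec["hierarchy"].partition("/")      # e.g. ORIGINAL_DST/185.17.117.32
    rec["hier_code"] = hier
    rec["peer"] = peer
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify_connects(text):
    """Count CONNECT entries by result code and return the aborted ones."""
    counts = Counter()
    aborted = []
    for rec in parse_log(text):
        if rec["method"] != "CONNECT":
            continue
        counts[rec["result_code"]] += 1
        if rec["result_code"].endswith("_ABORTED"):
            aborted.append(rec)
    return counts, aborted


def connect_followups(text, window=5.0):
    """For every CONNECT, report whether an https request to the same origin IP
    was forwarded (hierarchy peer == CONNECT destination) within `window` seconds.
    False means the bumped session never reached the origin server."""
    recs = parse_log(text)
    report = []
    for i, c in enumerate(recs):
        if c["method"] != "CONNECT":
            continue
        dest_ip = c["url"].rsplit(":", 1)[0]           # strip ":443"
        followed = any(
            r["url"].startswith("https://") and r["peer"] == dest_ip
            and c["timestamp"] <= r["timestamp"] <= c["timestamp"] + window
            for r in recs[i + 1:]
        )
        report.append((c["timestamp"], c["result_code"], dest_ip, followed))
    return report


if __name__ == "__main__":
    counts, aborted = classify_connects(SAMPLE_LOG)
    print("CONNECT results:", dict(counts))
    for ts, code, ip, ok in connect_followups(SAMPLE_LOG):
        print(f"{ts:.3f} {code:<13} {ip:<16} forwarded_to_origin={ok}")
```

Run against a real access.log (replace SAMPLE_LOG with the file contents) the third column is the one to watch while reproducing the problem: a stream of CONNECT entries with `forwarded_to_origin=False` from one client and `True` from another on the same destination points at the handshake failing inside Squid for that client's ClientHello rather than at the upstream server or the routing.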