[squid-users] Squid 4.x acl server_cert_fingerprint for bump no matches

Alex Rousskov rousskov at measurement-factory.com
Tue May 19 14:25:57 UTC 2020


On 5/15/20 3:28 AM, David Touzeau wrote:

> acl TestFinger server_cert_fingerprint 77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9
> ssl_bump peek ssl_step2
> ssl_bump splice ssl_step3 TestFinger
> ssl_bump stare ssl_step2 all
> ssl_bump bump all

> But no luck, website still decrypted.

That should be expected: During step1, the only ssl_bump rule that
matches now is ... "bump all".

Also, you have two ssl_step2 rules but only the first one can match.
Perhaps the first one has a typo, and you meant to put ssl_step1 there?


Amos is correct that Squid uses SHA1. So does my openssl x509 (by
default). However, FWIW, I get a different SHA1 fingerprint when I run
your command:

> openssl s_client -host www.clubic.com -port 443 2> /dev/null | openssl x509 -fingerprint -noout
> SHA1 Fingerprint=2A:F4:A6:8E:31:15:AD:A5:52:A9:5F:03:80:42:BE:CA:01:12:2C:E7

Perhaps www.clubic.com uses different certificates for different clients.


HTH,

Alex.


> On 13/05/2020 at 21:33, Alex Rousskov wrote:
>> On 5/12/20 7:42 AM, David Touzeau wrote:
>>> ssl_bump peek ssl_step1
>>> ssl_bump splice TestFinger
>>> ssl_bump stare ssl_step2 all
>>> ssl_bump bump all
>>> Seems the TestFinger ACL did not match in any case
>> You are trying to use step3 information (i.e., the server certificate)
>> during SslBump step2: The "splice TestFinger" line is tested during
>> step2 and mismatches because the server certificate is still unknown
>> during that step. That mismatch results in Squid staring during step2.
>> The "splice TestFinger" line is not tested during step3 because splicing
>> is not possible after staring. Thus, Squid reaches "bump all" and bumps.
>>
>> For a detailed description of what happens (and what information is
>> available) during each SslBump step, please see
>> https://wiki.squid-cache.org/Features/SslPeekAndSplice
>>
>> Also, if you are running v4.9 or earlier, please upgrade. We fixed one
>> server_cert_fingerprint bug, and that fix became a part of the v4.10
>> release (commit e0eca4c).
>>
>>
>> HTH,
>>
>> Alex.
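Added example, not code from the thread or from Squid: a small model of how Squid walks the ssl_bump rules one step at a time, encoding only what Alex states above (first matching rule per step, ssl_stepN ACLs match only at step N, a server_cert_fingerprint ACL can only match at step 3 once the server certificate is known, and splice rules are not tested after staring). It reproduces both of David's configurations and a variant that peeks instead of stares at step 2; the ACL name and fingerprint value are the thread's, the FIXED configuration is an assumption, and Squid's behaviour when no rule matches is left unmodelled.

```python
FINAL = {"splice", "bump", "terminate"}

def parse(config):
    """Collect server_cert_fingerprint ACLs and ssl_bump rules from squid.conf text."""
    fp_acls, rules = {}, []
    for line in config.splitlines():
        p = line.split()
        if len(p) == 4 and p[0] == "acl" and p[2] == "server_cert_fingerprint":
            fp_acls[p[1]] = p[3].upper()
        elif len(p) >= 2 and p[0] == "ssl_bump":
            rules.append((p[1], p[2:]))      # a rule with no ACLs matches in this model
    return fp_acls, rules

def acl_matches(acl, step, fp_acls, server_fp):
    """ssl_stepN matches only at step N; a fingerprint ACL needs the step-3 server cert."""
    if acl == "all":
        return True
    if acl.startswith("ssl_step"):
        return acl == f"ssl_step{step}"
    if acl in fp_acls:
        return step == 3 and server_fp is not None and server_fp.upper() == fp_acls[acl]
    raise ValueError(f"unknown acl {acl}")

def evaluate(config, server_fp):
    """Return the action chosen at each step, stopping at a final action (splice/bump/terminate)."""
    fp_acls, rules = parse(config)
    trace = []
    for step in (1, 2, 3):
        chosen = "no-match"                  # Squid's default for a matchless step is not modelled
        for action, acls in rules:
            if action == "splice" and "stare" in trace:
                continue                     # "splicing is not possible after staring"
            if all(acl_matches(a, step, fp_acls, server_fp) for a in acls):
                chosen = action
                break
        trace.append(chosen)
        if chosen in FINAL or chosen == "no-match":
            break
    return trace

FP = "77:F6:8D:C1:0A:DF:94:8B:43:1F:8E:0E:91:5E:0C:32:42:8B:99:C9"  # ACL value from the thread
ACL = f"acl TestFinger server_cert_fingerprint {FP}\n"
# David's first configuration: splice is tested at step 2, before the cert is known.
FIRST = ACL + "ssl_bump peek ssl_step1\nssl_bump splice TestFinger\nssl_bump stare ssl_step2 all\nssl_bump bump all"
# David's second configuration: at step 1 only "bump all" can match.
SECOND = ACL + "ssl_bump peek ssl_step2\nssl_bump splice ssl_step3 TestFinger\nssl_bump stare ssl_step2 all\nssl_bump bump all"
# Assumed variant: peeking (not staring) at step 2 keeps splicing possible at step 3. The model does
# not encode that in real Squid peeking usually precludes bumping, so "bump all" is no safe fallback.
FIXED = ACL + "ssl_bump peek ssl_step1\nssl_bump peek ssl_step2\nssl_bump splice TestFinger\nssl_bump bump all"

if __name__ == "__main__":
    for name, cfg in (("FIRST", FIRST), ("SECOND", SECOND), ("FIXED", FIXED)):
        print(name, "matching cert:", evaluate(cfg, FP), "other cert:", evaluate(cfg, "AA:BB"))
```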
