[squid-users] acl aclname server_cert_fingerprint

Eliezer Croitoru ngtech1ltd at gmail.com
Wed Jan 27 16:45:20 UTC 2021


Hey Alex,

I'm not sure I understood what these error code and error detail are.
I assume that there is a relevant debug_options for parsing the fingerprint.
The next thing I was thinking about was the fingerprint validation related debug.
To verify what might make Squid compare the SHA1 signature wrongly.

I have attached the full squid.conf
The more relevant parts are:
## START
acl NoBump_server_regex ssl::server_name_regex -i "/etc/squid/no-ssl-bump-regex.list"
acl NoBump_server_regex_by_urls_domain ssl::server_name_regex -i "/etc/squid/no-ssl-bump-urls-domains-regex.list"
acl NoBump_server_name ssl::server_name "/etc/squid/no-ssl-bump-server-name.list"
acl NoBump_dst dst "/etc/squid/no-ssl-bump-server-dst-addresses.list"
acl NoBump_certificate_fingerprint server_cert_fingerprint "/etc/squid/no-ssl-bump-server-fingerprint.list"
acl NoBump_src src "/etc/squid/no-ssl-bump-client-src.list"

acl tls_to_splice any-of NoBump_src NoBump_server_name NoBump_server_regex_by_urls_domain NoBump_server_regex NoBump_dst NoBump_certificate_fingerprint bypass_src_helper


acl Bump_server_regex ssl::server_name_regex -i "/etc/squid/ssl-bump-regex.list"
acl Bump_server_regex_by_urls_domain ssl::server_name_regex -i "/etc/squid/ssl-bump-urls-domains-regex.list"
acl Bump_server_name ssl::server_name "/etc/squid/ssl-bump-server-name.list"
acl Bump_dst dst "/etc/squid/ssl-bump-server-dst-addresses.list"

acl tls_to_bump any-of Bump_server_name Bump_server_regex_by_urls_domain Bump_server_regex Bump_dst sni_matcher_helper yandex_bl_checker_helper


# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

ssl_bump peek tls_s1_connect
ssl_bump splice tls_to_splice
ssl_bump stare tls_s2_client_hello
ssl_bump bump tls_to_bump
## END

The fingerprint contains only 3 signatures and one of them is (Quoted as is):
1C:8C:EC:C8:C4:7F:DF:36:62:69:B1:6A:92:5A:AE:4A:F2:06:E6:B2

My setup is working fine except this fingerprint part which is not always the best way to splice.
However it seems like it should be pretty straight forward.

I can dump the whole config into a tar file to try and understand better the setup if required.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon


-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com> 
Sent: Wednesday, January 27, 2021 5:12 PM
To: Eliezer Croitoru <ngtech1ltd at gmail.com>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] acl aclname server_cert_fingerprint

On 1/26/21 2:09 AM, Eliezer Croitoru wrote:

> I'm trying to understand what I'm doing wrong in the config that still
> lets edition.cnn.com be decrypted instead of spliced?

If you still need help, please share the relevant parts of your
configuration and logs. I would start with ssl_bump rules and access log
records containing additional %error_code/%err_detail fields.

Alex.



> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com> 
> Sent: Tuesday, January 26, 2021 6:22 AM
> To: Eliezer Croitoru <ngtech1ltd at gmail.com>; squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] acl aclname server_cert_fingerprint
> 
> On 1/25/21 6:03 AM, Eliezer Croitoru wrote:
>> I'm trying to use:
>> acl aclname server_cert_fingerprint [-sha1] fingerprint
>>
>>
>> I have created the next file:
>> /etc/squid/no-ssl-bump-server-fingerprint.list
>>
>> And trying to use the next line:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint -sha1
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
>>
>> To be explicit despite that only sha1 is a valid checksum.
>> Squid doesn't accept the above line 
> 
> 
> Does not accept how? What is the error message?
> 
> 
>> but this one yes:
>> acl NoBump_certificate_fingerprint server_cert_fingerprint
>> "/etc/squid/no-ssl-bump-server-fingerprint.list"
> 
>> Is there a reason for that?
> 
> 
> The use of ACL options and ACL parameter options is poorly documented.
> 
> Squid Bug 4847 is marked as fixed, but the corresponding commit d4c6aca
> says that server_cert_fingerprint is still broken. Not sure whether that
> was true, whether some other commit has fixed that ACL, and whether the
> problem mentioned in the commit message is related to your troubles.
> https://bugs.squid-cache.org/show_bug.cgi?id=4847
> https://github.com/squid-cache/squid/pull/191
> 
> Also, according to my 2015 notes, server_cert_fingerprint happens to be
> case sensitive. I consider that a bug. I am not sure, but I think Squid
> expects uppercase hex letters (if any). I do not know whether that has
> been fixed.
> 
> 
> Finally, it is dangerous to list ACL parameter options like -sha1 in
> front of parameter filename when that parameter file may contain its own
> parameter options. A reader may think that -sha1 in squid.conf
> overwrites, say, -sha256 in the parameter file, but that is not what
> probably will happen when Squid starts supporting both options.
> 
> That consideration may actually be the reason why Squid rejects your
> first configuration sample (or perhaps it should be the reason even if
> it does not).
> 
> I am sure there are use cases where the admin wants to apply one
> parameter option to the whole file, but the ambiguity is too dangerous
> to allow IMO. We should make the choice explicit.
> 
> 
> HTH,
> 
> Alex.
> 
> 
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: squid.conf
Type: application/octet-stream
Size: 7195 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210127/63b93806/attachment.obj>
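The thread turns on two things Alex raises: the server_cert_fingerprint ACL compares the SHA1 digest of the DER-encoded certificate in colon-separated hex form, and Squid appears to compare it case-sensitively, expecting uppercase hex. The following Python is an added example written for this archive page; it is not Squid code and not the poster's attached squid.conf. It computes a fingerprint in the form that `openssl x509 -noout -fingerprint -sha1` prints, and lints a fingerprint list file for the problems discussed above (lowercase hex, malformed entries, parameter options such as -sha1 placed inside the file). The DER bytes and the list contents are constructed placeholders, not a real certificate or the poster's real file.

```python
import hashlib
import re

# 20 bytes of hex, pairs separated by colons: 59 characters in total.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2}$")


def sha1_fingerprint(der: bytes) -> str:
    """Return the SHA1 fingerprint of a DER-encoded certificate as
    uppercase colon-separated hex, the form `openssl x509 -fingerprint`
    prints and the form the Squid documentation shows for this ACL."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_fingerprint_list(text: str) -> dict:
    """Lint the contents of a fingerprint list file.

    Returns {"ok": [normalized uppercase entries], "problems": [(line, reason, text)]}.
    Lines whose first non-blank character is '#' are treated as comments
    (assumption: the file follows Squid's usual list-file conventions)."""
    ok, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            # e.g. "-sha1": an ACL parameter option inside the parameter file,
            # which Alex warns is ambiguous when combined with an option in squid.conf.
            problems.append((lineno, "parameter option inside the list file", line))
            continue
        if not FINGERPRINT_RE.match(line):
            problems.append((lineno, "not a 20-byte colon-separated hex fingerprint", line))
            continue
        if line != line.upper():
            # Still usable once normalized, but flagged because Squid may
            # compare case-sensitively and never match the lowercase form.
            problems.append((lineno, "lowercase hex; Squid may compare case-sensitively", line))
        ok.append(line.upper())
    return {"ok": ok, "problems": problems}


def certificate_is_listed(der: bytes, entries) -> bool:
    """Case-insensitive membership test: normalize both sides before comparing,
    which is the comparison Alex argues Squid itself ought to perform."""
    wanted = {e.strip().upper() for e in entries}
    return sha1_fingerprint(der) in wanted


# Constructed sample list (not the poster's real file). Line 2 is the
# fingerprint quoted in the thread, line 3 is a lowercase entry, line 4 lacks colons.
SAMPLE_LIST = """# constructed sample no-ssl-bump-server-fingerprint.list
1C:8C:EC:C8:C4:7F:DF:36:62:69:B1:6A:92:5A:AE:4A:F2:06:E6:B2
da:39:a3:ee:5e:6b:4b:0d:32:55:bf:ef:95:60:18:90:af:d8:07:09
1C8CECC8C47FDF366269B16A925AAE4AF206E6B2
"""

# Constructed placeholder bytes standing in for a DER certificate; a real
# check would read the DER produced by `openssl x509 -outform DER`.
SAMPLE_DER = b""


if __name__ == "__main__":
    report = check_fingerprint_list(SAMPLE_LIST)
    for entry in report["ok"]:
        print("ok     ", entry)
    for lineno, reason, text in report["problems"]:
        print(f"line {lineno}: {reason}: {text}")
    print("listed:", certificate_is_listed(SAMPLE_DER, report["ok"]))
```

To obtain the value to compare against, `openssl x509 -in cert.pem -noout -fingerprint -sha1` prints `SHA1 Fingerprint=` followed by the same uppercase colon-separated form; the linter's normalization step is what keeps a hand-edited list in that form regardless of how the fingerprint was pasted.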
