[squid-users] SSL_Bump not working correctly for IP destiantions like https:/1.1.1.1/

Dieter Bloms squid.org at bloms.de
Thu May 20 15:23:49 UTC 2021


Hello Alex,

thank yout for the fast response.

On Thu, May 20, Alex Rousskov wrote:

> On 5/20/21 8:12 AM, Dieter Bloms wrote:
> 
> > I've a working setup with squid 4.14 and enabled sslbump under debian buster.
> > But when I try destinations like https://1.1.1.1/ I get an error ERR_CERT_COMMON_NAME_INVALID
> > 
> > The alternate DNS Names in the certificate of the original webserver is:
> > 
> > X509v3 Subject Alternative Name: 
> >     DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
> > 
> > for the client using the proxy with sslbump it looks like:
> > 
> > X509v3 Subject Alternative Name: 
> >     DNS:1.1.1.1
> > 
> > so the SAN is a DNS and not an IP Address one.
> > I think is has to be something like this:
> > 
> > X509v3 Subject Alternative Name: 
> >     IP Address:1.1.1.1
> > 
> > Can someone confirm this, or may I have a mistake in my squid configuration.
> 
> If this happens on an otherwise successful HTTP response (not an error
> page), then I would suspect a Squid bug (or insufficient support for
> X509v3 extensions).

The chrome browser shows me this error page, but you are right it is an
error page of squid with SQUID_X509_V_ERR_DOMAIN_MISMATCH.
So it looks like insufficient support for X509v3 extensions
I filled a bug report https://bugs.squid-cache.org/show_bug.cgi?id=5130

> > Here some sslbum related details of my config:
> > 
> > http_port MYIP:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > http_port MYIP:8880 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=32MB cert=/etc/squid/cert.pem key=/etc/squid/key.pem tls-dh=/etc/squid/dhparams.pem
> > sslcrtd_program /usr/sbin/security_file_certgen -s /var/cache/squid/sslcert_db -M 32MB
> > sslcrtd_children 32 startup=10 idle=3
> > tls_outgoing_options capath=/etc/ssl/certs min-version=1.2
> > ssl_bump peek step1
> > ssl_bump stare all
> > ssl_bump bump all
> > 
> > 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


More information about the squid-users mailing list