[squid-users] Squid 5: server_cert_fingerprint not working fine...

ngtech1ltd at gmail.com ngtech1ltd at gmail.com
Sat Nov 19 17:17:15 UTC 2022


Hey Fred,

Just a tiny question: can you share this PHP script so we can make sense of what this script is doing compared to what Squid is doing?

Thanks,
Eliezer

----
Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Web: https://ngtech.co.il/
My-Tube: https://tube.ngtech.co.il/

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of UnveilTech - Support
Sent: Saturday, 19 November 2022 15:44
To: Amos Jeffries <squid3 at treenet.co.nz>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 5: server_cert_fingerprint not working fine...

Hi Amos,

Quick update...
A 10-line PHP helper is able to catch the SHA1 key with a basic "openssl_x509_fingerprint" function when Squid, a 1-million-line product, is not able to?

Samples from the helper:
apple.com tls1.3, SHA1: "7B:B1:94:4F:56:5D:7D:64:A1:45:5C:91:E5:BA:0C:EA:D9:FB:91:50"
xforce-cracks.com tls1.3, SHA1: "31:3E:E1:3D:FD:B1:0A:C0:CA:AF:30:47:0A:BA:A1:49:D4:08:42:2A"

I'm sure the Squid team can do better than a PHP function 😊

Bye Fred

-----Original Message-----
From: UnveilTech - Support
Sent: Friday, 18 November 2022 14:56
To: 'Amos Jeffries' <squid3 at treenet.co.nz>; squid-users at lists.squid-cache.org
Subject: RE: [squid-users] Squid 5: server_cert_fingerprint not working fine...

Hi Amos,

We have tested with "ssl_bump bump" ("ssl_bump all" and "ssl_bump bump sslstep1"); it does not solve the problem.
According to Alex, we can also confirm it's a bug with Squid 5.x and TLS 1.3.
It seems Squid is only compatible with TLS 1.2; that's not good for the future...

Bye Fred

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Friday, 18 November 2022 06:34
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 5: server_cert_fingerprint not working fine...

On 18/11/2022 5:02 am, UnveilTech - Support wrote:
>
> Hello Squid Team,
>
> Can you have a look to this bugzilla case :
>
> https://bugs.squid-cache.org/show_bug.cgi?id=5245
>
> It's about a bug with Squid 5.7 and TLS 1.3.
>
> Critical case created on 2022-10-27 09:59 UTC; it would be nice to
> have a fix/patch…
>
>   occur)
>

As one can see in the bug report, Alex has looked at it in some detail.
The solution may be a complex or large change, and thus unlikely to occur in Squid-5 if so.

There are three things that come to mind immediately as related problems we cannot do anything about:
  1) Squid cannot know in advance what server cert will be provided (after step2) when it decides to splice (or not) at step2.
  2) SHA1 is not the only type of cert fingerprint. The non-working certs may be providing newer SHA2/3 etc. fingerprints.
  3) In TLS/1.3 a lot of data can be hidden inside the encryption. Squid may simply not be given access to the [real] fingerprint unless bump (decrypt) happens.

HTH
Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
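Added example for this thread, written in Python with the standard library only; it is neither Fred's PHP helper nor Squid's own code. It does what the helper is described as doing: complete a TLS handshake as a client, take the leaf certificate in DER form (the bytes PHP's openssl_x509_fingerprint hashes), and print SHA-1 and SHA-256 fingerprints in the upper-case colon-separated form that Squid's server_cert_fingerprint ACL expects (that ACL only supports SHA-1). acl_matches() mirrors the comparison the ACL makes, after normalizing fingerprints copied from tools that print lower-case or drop the colons. Hostnames passed on the command line are the only live input; with no arguments it runs an offline self-check on a constructed byte string standing in for DER. Amos's point (3) is visible in fetch_server_cert(): this script sees the certificate because it finishes the handshake, whereas under TLS 1.3 the Certificate message travels encrypted, so a proxy that has only looked at the ClientHello/ServerHello at step2 has not seen it.

```python
"""Fetch a TLS server's leaf certificate and fingerprint it the way Squid's
server_cert_fingerprint ACL compares it: SHA-1 over the DER bytes,
upper-case, colon-separated.  Example code added to the thread, not Squid's
or the PHP helper's code."""
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate.
    Squid's ACL only supports SHA-1; `algo` lets you print others as well."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Bring a fingerprint copied from another tool (lower-case, no colons,
    spaces) into Squid's form so that comparisons are byte-for-byte."""
    hexchars = "".join(c for c in fp if c.isalnum()).upper()
    return ":".join(hexchars[i:i + 2] for i in range(0, len(hexchars), 2))


def acl_matches(der: bytes, acl_fingerprints) -> bool:
    """What `acl name server_cert_fingerprint <fp> ...` decides for this cert."""
    fp = fingerprint(der, "sha1")
    return any(normalize(candidate) == fp for candidate in acl_fingerprints)


def fetch_server_cert(host: str, port: int = 443, sni: str = None):
    """Complete a real TLS handshake and return (negotiated version, DER cert).

    Under TLS 1.3 the server's Certificate message is encrypted, so these
    bytes are only available to a peer that completes the handshake, not
    to a proxy that has merely observed the Hello messages (Squid step2)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # we want the cert even if untrusted
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.version(), tls.getpeercert(binary_form=True)


def offline_selfcheck() -> bool:
    """Constructed stand-in for DER bytes (not a real certificate) to show the
    matching logic without network access."""
    fake_der = b"abc"
    acl = ["a9993e364706816aba3e25717850c26c9cd0d89d",   # lower-case, no colons
           "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"]
    return acl_matches(fake_der, acl) and not acl_matches(b"abd", acl)


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        print("offline self-check:", "ok" if offline_selfcheck() else "FAILED")
    for host in hosts:
        version, der = fetch_server_cert(host)
        print(f"{host} {version}, SHA1: {fingerprint(der)}")
        print(f"{host} {version}, SHA256: {fingerprint(der, 'sha256')}")
```

Run it as `python3 fp.py apple.com xforce-cracks.com` to reproduce the kind of output Fred quotes; the printed version string tells you whether the server negotiated TLSv1.3, in which case the certificate you just hashed was delivered encrypted.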
