Re: [squid-users] stopping sslbump to domains with invalid or unsigned certs

From: Sean Boran <>
Date: Wed, 21 Dec 2011 08:36:01 +0100

According to the doc, sslproxy_flags only has only one other value
That doesn't seem of much use... it does recognise and refuse the
expired cert though:

2011/12/21 07:30:01.269| Self signed certificate:
2011/12/21 07:30:01.269| confirming SSL error 18
2011/12/21 07:30:01.269| fwdNegotiateSSL: Error negotiating SSL
connection on FD 29: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

But also refuses a well know bank:
Self signed certificate in certificate chain:
8/O=Credit Suisse Group AG/
2011/12/21 07:32:47.859| confirming SSL error 19

And amazon:
Unable to get local issuer certificate:
/C=US/ST=Washington/L=Seattle/ Inc./

I had expected DONT_VERIFY_PEER to mean "dont verify peer if it is the
except acl".
Digging in the sources, in ssl/, there are more that two
constants defined (I had just looked at the docs so far..). There is
no actual VERIFY_PEER though.

Looking at the sources it seems necessary that
SSL_FLAG_DONT_VERIFY_PEER not be set if this is to be called:
SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER ...);

So, compiled the lastest HEAD and tried both VERIFY_CRL,
VERIFY_CRL_ALL which would presumably have done some additional CRL
checking, but the example sites above fail on that too:

Unable to get certificate CRL:
/C=US/ST=Washington/L=Seattle/ Inc./

Which would look like its requires the existence of a CRL for each destination?
Tried setting capath to an empty directory, but it probably requires
some standard CRLs.

Squid pull its standard CA list from openssl (/etc/ssl/certs ?), but
should just accept empty crl lists if there are none? Setting
capath=/etc/ssl/certs and crlfile=/emptyfile does not help.

I muust still be missing something..

As regards The Measurement Factory, their website looks interesting,
but I dont see any relevant references. Is there a discussion or
ticket on what they are planning and how to contact them ? Should I
ask on squid-dev?



On 21 December 2011 01:02, Amos Jeffries <> wrote:
> On 21/12/2011 3:34 a.m., Sean Boran wrote:
>> Hi,
>> sslbump allows me to interrupts ssl connections and run an AV check on
>> them.
>> It generates a certs for the target domain (via sslcrtd), so that the
>> users browser sees a server cert signed by the proxy.
>> If the target domain has a certificate that is expired, or it not
>> signed by a recognised CA, its important that the lack of trust is
>> communicated to the end user.
>> Example, on connecting direct (not via a proxy) to
>> the certificated presented is expired 2
>> years ago and not signed by known CA  .
>> Noext on connecting via a sslbump proxy (v3.2.0.14), the proxy creates
>> a valid cert for and in the user's browsers it
>> looks like has a valid cert signed by the proxy.
>> So my question is:
>> What ssl_bump settings would allow the proxy to handle such
>> destinations with expired or non trusted sites by, for example:
>> a) Not bumping the connection but piping it through to the user
>> unchanged, so the user browser notices the invalid certs?
>> b) Refuses the connection with a message to the user, if the
>> destination is not on an allowed ACL of exceptions.
> Pretty much. The Measurement Factory has a project underway to fix this
> limitation.
> Please contact Alex about sponsoring their work to make it happen faster, or
> get access to the experimental code.
>> Looking at squid.conf, there is sslproxy_flags, sslproxy_cert_error
>> #  TAG: sslproxy_flags
>> #           DONT_VERIFY_PEER    Accept certificates that fail
>> verification.
>> #           NO_DEFAULT_CA       Don't use the default CA list built in
>>  to OpenSSL.
>> #  TAG: sslproxy_cert_error
>> #       Use this ACL to bypass server certificate validation errors.
>> So, the following config would then implement scenario b) above?
>> # Verify destinations: yes, but allow exceptions
>> sslproxy_flags DONT_VERIFY_PEER
>> #sslproxy_flags none
>> # ignore Certs with certain cites
>> acl TrustedName url_regex ^
>> sslproxy_cert_error allow TrustedName
>> sslproxy_cert_error deny all
>> ==>  But then, why does it not throw an error when connecting to
>> ?
> You configured not to verify, therefore the error is not noticed and cannot
> trigger any action.
> Why no output is displayed you will have to ask the OpenSSL people. There
> are a few places in their API like this where errors are silently dropped
> and seemingly no way is provided to check for them externally (ie from
> Squid).
> Amos
Received on Wed Dec 21 2011 - 07:36:07 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 21 2011 - 12:00:03 MST