Re: [squid-users] stopping sslbump to domains with invalid or unsigned certs

From: Sean Boran <sean_at_boran.com>
Date: Wed, 21 Dec 2011 14:33:40 +0100

On 21 December 2011 12:49, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 21/12/2011 10:16 p.m., Sean Boran wrote:
>>
>> So, as a test I set SSL_FLAG_DONT_VERIFY_PEER, then modified
>> ssl/support.cc sslCreateClientContext() to ignore
>> SSL_FLAG_DONT_VERIFY_PEER to that it would always verify.
>>
>> Then my three test cases woks just fine. The unsigned cert is refused
>> (although with a not very precise error message to the user), and the
>> two valid ones work.
>
>
> So you hard-code Squid to behave as if the flag was not set. How is that
> different to not setting it in the first place?

Well there does not seem to be a flag that says "do verify peer".

> sslproxy_* directives configure what Squid does on SSL connections to
> servers.
>
>
>>
>> Another quick hack:
>> ssl_verify_cb(): disabled domain checking (so that amazon.com worked
>> with its insufficient www.amazon.com cert.   (Setting
>> sslflags=DONT_VERIFY_DOMAIN on the http_port config line did not
>> work..)
>
>
> Makes sense, I dont believe client certificates contain a domain name.
> Although they may include the TCP level details of the client as
> equivalents.
>
> http_port sslflags= are configuring what to verify on received client
> certificates.

Ah I see.

> SSL has no functionality for the server to tell the remote client what not
> to verify. That would defeat the entire purpose of certificates.

Yes, but we need squid options to tell sslbump how strict it should be
about checking (policy), and what action it should take when policy is
breached (refuse connection, inform, continue etc..)

>> Obviously the above hacking is not the proper solution though, should
>> I move this conversation to the squid-dev list? What would you suggest
>> as the next step Amos?
>
>
> Yes please move this to squid-dev. Christos and Alex who authored the bump
> feature do not often read this mailing list regularly.

OK.
Where can I find information on the work planned by The Measurement
Factory? Maybe I can dig up some sponsorship for them if its aligned
with my site-specific needs..

Sean
Received on Wed Dec 21 2011 - 13:33:48 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 21 2011 - 12:00:03 MST