Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 13 Jun 2014 09:11:39 +1200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 13/06/2014 7:46 a.m., Guy Helmer wrote:
> On Jun 12, 2014, at 2:25 PM, Mike <mcsnv96_at_afo.net> wrote:
>
>> On 6/12/2014 2:06 PM, Guy Helmer wrote:
>>> On Jun 12, 2014, at 1:01 PM, Mike <mcsnv96_at_afo.net> wrote:
>>>
>>>> I have been racking my brain trying to get this working and
>>>> each time,it refuses to connect to secure sites. In the end we
>>>> need a working squid proxy for SSL connections within the
>>>> company network which will serve over 1000 users (thus the
>>>> larger 8MB cert cache size). We already have theinsecure HTTP
>>>> proxy working fine (thus the use of port 3129 below). Since it
>>>> will be SSL based, I know it needs https_port (not http_port),
>>>> ssl-bump, and intercept (required by ssl-bump). The https_port
>>>> and ssl-bump documentation also mentioned the preference for
>>>> sslflags (which may or may not be working in 3.HEAD) and
>>>> cipher.
>>>>
>>>> OS is Scientific Linux 6.5 (based on CentOS) fully up to date
>>>> with yum. Server is quad core 3.4GHz, 8GB DDR3 with no other
>>>> uses (like web server, etc). SELinux has been set to permissive
>>>> mode so it only reports, doesn't block the needed connections
>>>> (although I also tested with it disabled and made no
>>>> difference). [root_at_localhost ~]# sestatus SELinux status:
>>>> enabled SELinuxfs mount: /selinux Current mode: permissive Mode
>>>> from config file: permissive Policy version: 24 Policy from
>>>> config file: targeted
>>>>
>>>> Essential squid.conf lines (I have tested it with and without
>>>> the "sslflags", does not impact it working or not working):
>>>>
>>>> https_port 3129 intercept ssl-bump connection-auth=off
>>>> generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
>>>> cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key
>>>> sslflags=DELAYED_AUTH
>>>> cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>>>>
>>>>
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
>>>> sslcrtd_children 50 startup=5 idle=1 ssl_bump server-first all
>>>> ssl_bump none localhost
>>>>
>>>> Local certs have been created and self signed, and the .der
>>>> cert has been imported into the test browser (Firefox 30.0).
>>>>
>>>> Squid info (includes the needed '--enable-ssl'
>>>> '--enable-ssl-crtd' '--with-openssl'):
>>>>
>>>> [root_at_localhost ~]# squid -v Squid Cache: Version
>>>> 3.HEAD-20140127-r13248 Service Name: squid configure options:
>>>> '--build=x86_64-redhat-linux-gnu'
>>>> '--host=x86_64-redhat-linux-gnu'
>>>> '--target=x86_64-redhat-linux-gnu' '--program-prefix='
>>>> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
>>>> '--sbindir=/usr/sbin' '--sysconfdir=/etc'
>>>> '--datadir=/usr/share' '--includedir=/usr/include'
>>>> '--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
>>>> '--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
>>>> '--infodir=/usr/share/info' '--exec_prefix=/usr'
>>>> '--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
>>>> '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
>>>> '--with-logdir=$(localstatedir)/log/squid'
>>>> '--with-pidfile=$(localstatedir)/run/squid.pid'
>>>> '--disable-dependency-tracking' '--enable-eui'
>>>> '--enable-follow-x-forwarded-for' '--enable-auth'
>>>> '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam'
>>>> '--enable-auth-ntlm=smb_lm,fake'
>>>> '--enable-auth-digest=file,LDAP,eDirectory'
>>>> '--enable-auth-negotiate=kerberos,wrapper'
>>>> '--enable-external-acl-helpers=wbinfo_group,kerber!
>> os_ldap_ group,AD_group' '--enable-cache-digests'
>> '--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
>> '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups'
>> '--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
>> '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd'
>> '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2'
>> '--enable-esi' '--with-aio' '--with-default-user=squid'
>> '--with-filedescriptors=16384' '--with-dl' '--with-openssl'
>> '--with-pthreads' '--disable-arch-native'
>> 'build_alias=x86_64-redhat-linux-gnu'
>> 'host_alias=x86_64-redhat-linux-gnu'
>> 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
>> -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
>> --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g
>> -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
>> --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC'
>> 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>>>>
>>>>
>>>> In the end testing with only the SSL proxy set to this server
>>>> via port3129, it tries loading the secure website for 2-3
>>>> minutes and then timesout. Checking "top", it shows squid
>>>> running at 12.1g VIRT, 2.0g RES, 54.5% of MEM (server has 8GB)
>>>> and using 100% of CPU2. The ../squid/access.log and
>>>> cache_access.log shows no new entries at all. We had to disable
>>>> thecache.log (cache_log /dev/null) as it continuously recorded
>>>> everything and quickly took up all the space on the 80GB hard
>>>> drive.
>>>>
>>>> So the question is what is going wrong that it is refusing to
>>>> let ANY secure site load and how can we get this resolved? We
>>>> greatly appreciate any help on this.

The answer is those cache.og messages you disabled.

Start by re-enabling cache.log with debug_options ALL,0. What is the set
of logged errors ?

>>>>
>>>> Mike
>>> If I understand correctly, you are attempting to use port 3129 as
>>> a forward proxy. If so, you shouldn’t need the “intercept” option
>>> on 3129, and you should change it to http_port since squid will
>>> be directly receiving HTTP “CONNECT” requests, not SSL
>>> connections.
>>>
>>> Regards, Guy
>>>
>> Guy, According to
>> http://www.squid-cache.org/Versions/v3/3.HEAD/cfgman/https_port.html
>> it says:
>>
>> https_port: The socket address where Squid will listen for client
>> requests made over TLS or SSL connections.
>
> Correct, but if you are configuring your browser to use this proxy
> for HTTPS, the browser will start its connection to the specified
> port with HTTP, not SSL -- the browser will initially send a
> plaintext "CONNECT xxx:443 HTTP/1.1” command, and then the browser
> will start using SSL. The plaintext HTTP command needs to be received
> at an http_port on the squid proxy, not https_port.
>
>> ssl-bump - blah blah "Requires tproxy or intercept.”
>
> Yes, because browsers can not be configured to do an SSL connection
> to the proxy - as I mention above, if you are configuring the
> browser, then the browser starts its HTTPS requests with a plaintext
> HTTP command before shifting to SSL. The only purpose for the
> https_port configuration parameter is to setup a port for a
> “transparent” interception proxy (in which the browser is NOT
> configured to talk to the proxy, but instead the proxy intercepts TCP
> connections).
>

Small corrections. The reason ssl-bump requires tproxy or intercept is
that it is an MITM attack for intercepting a TLS sesson.

The ssl-bump interception is only necessary when the browser is
configured to use plain-test HTTP to the proxy and trying to tunnel
HTTPS over it via CONNECT, or if NAT/TPROXY is used to divert port 443
traffic to an https_port.
 In both these cases Squid has to break open the TLS session that it is
not supposed to be a party to. Thus ssl-bump MITM action is necessary.

If the browser is configured explicitly to use a TLS connection to a
proxy https_port there is no interception necessary. An https_port with
regular SSL options is perfectly capable of receiving TLS connections
from any client without bumping the TLS session.

Chrome can be configured via PAC file to open TLS connections to a proxy.

Firefox are making moves in a similar direction although I have yet to
learn how one configures it.

stunnel and ssh have long been used as tools to setup TLS tunnels ending
at an https_port and securing plain old "insecure" HTTP over TLS to the
proxy.

>>
>> I have tried it all 3 ways, both with and without those 2 modes,
>> and at least with "intercept", it seems that squid is doing
>> something by the i/o and squid activity, although the logs remain
>> empty.

access.log is geared to log HTTP traffic. If the TCP or TLS connection
setup between the browser and Squid breaks in any way then nothing gets
logged there.

cache.log logs Squid errors. Failure to setup a TLS connection is not a
Squid error. AFAIK OpenSSL only logs on syntax or bad problems. Things
like rejecting the client for a bad set of ciphers or wrong cert are not
TLS errors. So if the SSL/TLS library is reporting successful operation
(setup OR reject) then nothing is logged there either.

>> Also according to the same documentation, since this will be SSL
>> proxy (not standard insecure HTTP proxy), "https_port" is
>> required. Initially I did try it with "http_port" but it tries
>> to treat CONNECT requests like a normal insecure http request
>> causing sslcrtd to constantly crash, taking squid down with it.
>> At least with "https_port 3129 intercept ssl-bump..." it doesn't
>> crash and is the only time it shows i/o and squid activity, thus
>> my request to the squid-users group.
>>
>> Thank you,
>>
>> Mike
>
> If you are configuring your browser to use the proxy for SSL, you
> will need to use http_port with ssl-bump enabled. It does not make
> it a “standard insecure HTTP proxy” but enables forward proxy of
> HTTPS traffic. I would suggest that you install wireshark and
> capture the browser’s traffic to the proxy to verify how this
> works.
>
> If squid then has trouble with the ssl_crtd helpers, that is
> another issue that requires resolution. The fact that squid does
> not crash when you are using https_port likely indicates that squid
> and your browser have a failure to communicate, and that is masking
> your ssl_crtd issue.

I agree. It sounds like you are having two problems and they each hide
whether the other is resolved.

PS. Fact of the day: standard HTTP is only as secure (or insecure) as
the connection it travels over. Some people run it over TLS
connections and call that "secure". But HTTPS is usually less secure
than HTTP (with no 'S') sent over an IPSEC, VPNSSL or SCTP connection.
Why? HTTPS depends on certificate authorities trust. The private
VPNSSL, IPSEC, SCTP relies on specific keys setup between the
end-points no external trust necessary.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTmheKAAoJELJo5wb/XPRjpScIALk8Iv+dA7z6ofB4UIU4/LyL
1hOfGJBQx53CBnWhXTDiTm5X966/c/q/75GRCU+1uPGPWPRQ2hVt+4fE5DSGyZk5
9R0mCx8nYPQmkLNXoPM4zsQ1O8mWhze6x8HErzG+qFuJx6pVhQ6ceUTarjmblAIk
Hr7JYclgRUbX9nyAFB1INU9es8aH3G7rn/8JGQZ/yamdZVXcnjeUKbNMKf7i5O0c
3C9xX3ej6kG+g5NaEeX3FlZQBVZUtLf+SgnHQ6FdJqkgGA8Wd7V3zwmF3IBcNslk
e1WAnSdwN3NwAV3peg/jkbc3KxQhJWpDvT7AxQ78tIKofXsvql9Fof2Aa5Er1As=
=DrnB
-----END PGP SIGNATURE-----
Received on Thu Jun 12 2014 - 21:11:59 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 13 2014 - 12:00:06 MDT