Re: [squid-users] Size of icap request chunks

2015-10-26 Thread Vadim Rogoziansky

Thank you Amos.

I'll try that!


I've made an investigation here and it looks like Squid 3.5.9 separates the
ICAP payload into little chunks with a size of 27 bytes.

This is probably a side effect of the bug 4353 / 4206 issue on the main
I/O socket from the client. On a fast Squid the small input blobs being
read in would stay small through all the rest of Squid operations,
including the chunk sizes written to ICAP.
See if the workaround patch in the bug report helps:




___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] ssl_bump problem with tw.bid.yahoo.com in transparent proxy

2015-04-01 Thread Vadim Rogoziansky

Hello Yuri,

I have the same problem with transparent proxy (can't bypass bad web
sites) and as far as I know the squid guys have not fixed the SNI issue yet.
Forward proxy works smoothly.

Tell me if I was wrong :)

My configuration is the following:

acl step1 at_step SslBump1
ssl_bump stare step1 all
acl sslBumpDeniedDstDomain dstdomain .google.com
ssl_bump splice sslBumpDeniedDstDomain
ssl_bump bump all

And the squid version is:

Squid Cache: Version 3.5.3
Service Name: squid
configure options:  '--with-openssl' '--enable-linux-netfilter' '--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd' '--prefix=/opt/squid' '--enable-external-acl-helpers=none' '--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for' '--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2' '--enable-snmp' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience


Regards

On 4/1/2015 12:34 PM, Yuri Voinov wrote:

What version of Squid are you using?

01.04.15 13:06, Yu-Hsuan Liao wrote:
Hello Everyone,

I got an 'ssl_error_bad_cert_domain' message from the browser when I was trying
to bump tw.bid.yahoo.com in transparent mode

I found that the certificate is signed to tw.otplogin.reg.yahoo.com, which
should be signed to tw.bid.yahoo.com

but for now I can't bypass using the following configuration:

acl yahoo_url tw.otplogin.reg.yahoo.com tw.bid.yahoo.com
ssl_bump none yahoo_url

yet everything is OK when I use forward proxy, the certificate is correctly
signed to tw.bid.yahoo.com

any ideas?





Re: [squid-users] Transparent proxy with Peek and Splice feature.

2014-12-10 Thread Vadim Rogoziansky
Yep, squid perfectly splices the destination domain after step1 or
step2 or step3 when the browser is set to use the proxy directly.
But it does not work in the case of transparent proxy. Squid uses the
destination IP address instead of the SNI details.


An example of using the client IP address is below:

2014/11/27 01:15:22.851| DomainData.cc(110) match: aclMatchDomainList: '212.42.77.232' NOT found


Thank you guys.


11/29/2014 6:17 AM, Amos Jeffries wrote:


On 28/11/2014 2:48 a.m., Vadim Rogoziansky wrote:

Hello Amos.

Thank you for answer.

An investigation was made into squid's peek and splice
issues in transparent mode. The one-line explanation is as follows: in
intercept mode squid can't get the server host name from the request
header and uses the client IP address instead, both for fake cert
generation and as the SNI record in the server-side bump SSL handshake. This
is the root of the problem. However, this can be fixed if squid uses the
SNI field taken from the client TLS Hello message for those purposes.
Can you hack squid in this way? What do you think?

I think peek-n-splice is supposed to already be doing that.

However it does depend on whether you are bumping the connection at
step 1 (before ClientHello), step 2 (after ClientHello, before
ServerHello), or step 3 (after both ClientHello and ServerHello) of
the TLS handshake whether the SNI details are present.

Amos


[squid-users] Transparent proxy with Peek and Splice feature.

2014-11-25 Thread Vadim Rogoziansky

Hello All.

My goal is to do ssl bumping in transparent proxy mode with the possibility
to exclude domains.

Let me tell you about squid's strange behaviour when I'm trying to do it.

In browsers it says something like this:

This server could not prove that it is www.ukr.net; its security
certificate is from 212.42.76.253. This may be caused by a
misconfiguration or an attacker intercepting your connection.

NET::ERR_CERT_COMMON_NAME_INVALID
Subject: 212.42.76.253

Looks like squid takes the CN of the certificate as the IP address of the
destination domain.
But everything works smoothly when I use the proxy in non-transparent mode
and put it into the browser directly. I can successfully bypass bad sites
and do ssl bumping on others. There are no certificate errors except for
some of them, you know)


My OS is Centos 6.5 2.6.32-358.6.2.el6.x86_64
My squid's version:

/opt/squid/sbin/squid -v
Squid Cache: Version 3.5.0.2
Service Name: squid
configure options:  '--with-openssl' '--enable-linux-netfilter' '--disable-ipv6' '--enable-icap-client' '--enable-ssl-crtd' '--prefix=/opt/squid' '--enable-external-acl-helpers=none' '--enable-auth-negotiate=none' '--enable-follow-x-forwarded-for' '--disable-auth-ntlm' '--disable-arch-native' '--enable-wccpv2' '--enable-snmp' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience

My iptables rules which do the redirecting to the internal squid ports:

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source          destination
1    ACCEPT     tcp  --  0.0.0.0/0       192.168.0.121   tcp dpt:443 /* accept connection */
2    REDIRECT   tcp  --  192.168.0.0/24  0.0.0.0/0       tcp dpt:443 /* redirect */ redir ports 3132
3    ACCEPT     tcp  --  0.0.0.0/0       192.168.0.121   tcp dpt:80 /* accept connection */
4    REDIRECT   tcp  --  192.168.0.0/24  0.0.0.0/0       tcp dpt:80 /* redirect */ redir ports 3131


Here is my squid configuration file:
___
visible_hostname local.local
always_direct allow all
dns_nameservers 8.8.8.8

acl step2 at_step SslBump2
ssl_bump stare step2 all
acl sslBumpDeniedDstDomain dstdomain ukr.net www.ukr.net
ssl_bump splice sslBumpDeniedDstDomain
ssl_bump bump all

http_port 3128 ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem


http_port 3131 transparent
https_port 3132 transparent ssl-bump generate-host-certificates=on 
dynamic_cert_mem_cache_size=4MB cert=/opt/squid/var/ssl_cert/cert.pem


http_access allow all

sslcrtd_program /opt/squid/libexec/ssl_crtd -s /opt/squid/var/ssl_db -M 4MB
sslcrtd_children 15

logformat logaccess  [%{%d/%b/%Y  %H:%M:%S}tl] %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt

access_log daemon:/opt/squid/var/logs/access.log logaccess
__

Also, I've run squid like this: /opt/squid/sbin/squid -N -X -d 2 and
got interesting strings like:

2014/11/26 04:28:08.622| client_side.cc(3849) httpsSslBumpAccessCheckDone: sslBump needed for local=212.42.76.246:443 remote=192.168.0.122:63719 FD 40 flags=33 method 5


Here, the local and remote IP addresses are switched (I checked such
lines when I went through squid directly).


Please tell me what could be wrong in the configuration or in squid. I can
provide you with any logs which you may need.

BTW, cache.log is clean.

Best regards


[squid-users] fallback to TLS1.0 if server closes TLS1.2?

2014-07-10 Thread Vadim Rogoziansky

Hello All.

Do you have any ideas how we can resolve it? I have the same issue.