Re: [squid-users] A bunch of SSL errors I am not sure why

2017-01-18 Thread Amos Jeffries
On 19/01/2017 12:53 p.m., Sameh Onaissi wrote:
> Hello, Amos… all
> 
> Yuri, thanks for the reply.
> 
> 
> Amos,
> 
> I added: (Thanks to Eliezer)
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER

That is a spot-check config to see if TLS is fully broken or if the fix
can be done in Squid. It should never, ever, ever, be used in a
production proxy.

> to the config file. I am not too worried about the verification since the
> accessed sites showing problems are government sites or local paying
> services/partners.
> 

The peer verify is not about whether communication to them is safe (it
might not be even when verify succeeds).

It is about whether you are actually communicating with the right
destination or with some hijacker responding to your TCP connections.

In other words, to check that the endpoint you are sending those
financial details actually is your bank. Not mine.


The situation I am trying to get you to is checking that the certs actually
belong to the right entity, but ignoring some minor(-ish) details like a
missing CA in their cert chain, their bad choice of cipher etc.


> However, some sites are still showing the Handshake problem. 
> https://ibin.co/38uz8akvWayM.png
> 
> You had previously replied to this saying:
> 
> "If you actually read that error message it tells you exactly what the
> problem is.
> 
> "Handshake with SSL server failed: [blah blah codes]: dh key too small"
> 
> The server is trying to use a Diffie-Hellman cipher with a too-short key.
> DH cipher with short keys has recently been broken. By recently I mean
> about a whole year ago.”
> 
> However, I still wonder what the solution is. Is it possible to fix this, and
> who needs to fix it? Is it a Squid-side error? Is it an OS-level error?
> 

The only solution for that one is for the server admin to change/fix
their DH key settings to make it longer.

You are unlikely to be the only one having such a problem, so with any
luck they will fix it soon. You can try to contact their admin and tell
them about the problem.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Connect strongSwan and Squid on same server

2017-01-18 Thread Varun Singh
Hi,
I have installed strongSwan and Squid HTTP Proxy on the same Ubuntu
16.04 server and I am trying to connect both. By connect I mean, I am
trying to achieve following:

[VPN Client] <--> [VPN Server] <-> [Squid] <--> [Internet]

My objective is to connect a VPN client to the VPN server and use Squid
for filtering out blocked URLs. strongSwan and Squid work fine on
their own. I can access the internet when connected to the VPN server and
also when the HTTP proxy is configured without VPN.

From what I understand, to achieve what I want, I am supposed to
redirect incoming HTTP traffic from port 80 to port using iptables. I
enter the following iptables rule:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Once I do this and try to access the internet from a connected VPN client,
I get an error. Pasting a log of /var/log/squid/access.log:


1484738365.632  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT api-glb-sin.smoot.apple.com:443 - HIER_NONE/- text/html
1484738365.642  0 114.143.194.190 TCP_DENIED/403 4870 GET http://www.apple.com/ac/globalfooter/2.0/en_US/styles/ac-globalfooter.built.css - HIER_NONE/- text/html
1484738365.643  0 114.143.194.190 TCP_DENIED/403 4852 GET http://www.apple.com/ac/globalnav/2.0/en_US/styles/ac-globalnav.built.css - HIER_NONE/- text/html
1484738365.731  0 114.143.194.190 TCP_DENIED/403 4753 GET http://www.apple.com/wss/fonts/? - HIER_NONE/- text/html
1484738365.760  0 114.143.194.190 TCP_DENIED/403 4817 GET http://www.apple.com/metrics/ac-analytics/1.1/scripts/ac-analytics.js - HIER_NONE/- text/html
1484738367.798  0 114.143.194.190 TCP_DENIED/403 4066 CONNECT init.itunes.apple.com:443 - HIER_NONE/- text/html
1484738367.922  0 114.143.194.190 TCP_DENIED/403 4334 GET http://www.apple.com/apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484738367.963  0 114.143.194.190 TCP_DENIED/403 4025 CONNECT gsp10-ssl.apple.com:443 - HIER_NONE/- text/html
1484738368.036  0 114.143.194.190 TCP_DENIED/403 4298 GET http://www.apple.com/apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484738368.148  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.255  0 114.143.194.190 TCP_DENIED/403 4352 GET http://www.apple.com/apple-touch-icon.png - HIER_NONE/- text/html
1484738368.296  0 114.143.194.190 TCP_DENIED/403 4316 GET http://www.apple.com/apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484738368.348  0 114.143.194.190 TCP_DENIED/403 4253 GET http://www.apple.com/favicon.ico - HIER_NONE/- text/html
1484738376.374  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738376.456  0 114.143.194.190 TCP_DENIED/403 4711 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738385.761  0 114.143.194.190 TCP_DENIED/403 4655 GET http://www.apple.com/ - HIER_NONE/- text/html
1484738385.828  0 114.143.194.190 TCP_DENIED/403 4747 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484738858.272  0 10.99.1.1 TAG_NONE/400 4154 GET /assets/com_apple_MobileAsset_SafariCloudHistoryConfiguration/com_apple_MobileAsset_SafariCloudHistoryConfiguration.xml - HIER_NONE/- text/html
1484738858.990  0 10.99.1.1 TAG_NONE/400 4004 GET /us/shop/bag/status?apikey=SFX9YPYY9PPXCU9KH - HIER_NONE/- text/html
1484738860.362  0 10.99.1.1 TAG_NONE/400 5350 GET /b/ss/appleglobal,applehome,applestoreww,applestoreamr,applestoreus/1/H.27/s5505031635984?AQB=1=1=18%2F0%2F2017%2016%3A57%3A40%203%20-330=21A4DCCB11396F92-26B205C305B2B2DF=apple%20-%20index%2Ftab%20%28us%29=http%3A%2F%2Fwww.apple.com%2F=USD=www.us.homepage=new%20approach%20ac-analytics=aos%3A%20us=D%3Dg=ipad=ios%209.3.5=aos%3A%20us%3A%20apple%20-%20index%2Ftab%20%28us%29=aos%3A%20us=direct%20entry=4=D%3D2C39962A85032063-4000118780008FDC=http%3A%2F%2Fwww.apple.com%2F=www.us.homepage=768x1024=32=1.6=N=Y=768=960=1 - HIER_NONE/- text/html
1484739056.258  0 10.99.1.1 TAG_NONE/400 3918 GET / - HIER_NONE/- text/html
1484739056.480  0 10.99.1.1 TCP_DENIED/403 4290 GET http://ip-172-31-9-90:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1484739057.106  0 10.99.1.1 TAG_NONE/400 3994 GET /apple-touch-icon-76x76-precomposed.png - HIER_NONE/- text/html
1484739057.166  0 10.99.1.1 TAG_NONE/400 3970 GET /apple-touch-icon-76x76.png - HIER_NONE/- text/html
1484739057.211  0 10.99.1.1 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484739057.267  0 10.99.1.1 TAG_NONE/400 3958 GET /apple-touch-icon.png - HIER_NONE/- text/html
1484739057.340  0 10.99.1.1 TAG_NONE/400 3982 GET /apple-touch-icon-precomposed.png - HIER_NONE/- text/html
1484739057.436  0 10.99.1.1 TAG_NONE/400 3940 GET /favicon.ico - HIER_NONE/- text/html
1484739060.563  0 10.99.1.1 TAG_NONE/400 3924 GET /bag - HIER_NONE/- text/html
1484739071.241  0 

Re: [squid-users] A bunch of SSL errors I am not sure why

2017-01-18 Thread Sameh Onaissi
Hello, Amos… all

Yuri, thanks for the reply.


Amos,

I added: (Thanks to Eliezer)
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
to the config file. I am not too worried about the verification since the
accessed sites showing problems are government sites or local paying
services/partners.

However, some sites are still showing the Handshake problem. 
https://ibin.co/38uz8akvWayM.png

You had previously replied to this saying:

"If you actually read that error message it tells you exactly what the
problem is.

"Handshake with SSL server failed: [blah blah codes]: dh key too small"

The server is trying to use a Diffie-Hellman cipher with a too-short key.
DH cipher with short keys has recently been broken. By recently I mean
about a whole year ago.”

However, I still wonder what the solution is. Is it possible to fix this, and
who needs to fix it? Is it a Squid-side error? Is it an OS-level error?

Any more information is greatly appreciated.

Thanks again,
Sam



[squid-users] Native FTP relay - connection closes when FTP data connection is used (?)

2017-01-18 Thread Alexander
Hello, I have a question regarding a native FTP relay.

I have tried to test this feature like this:

[Filezilla Client, 1.1.1.2] <-> [ Router: iptables + squid ] <-> [vsftpd server, 5.5.5.10]

Firewall settings on the router are:

ip route flush table 100
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 0x01/0x01
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 21 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 2121
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

No other rules are defined; the default policies in all chains are ACCEPT.

Squid's configuration file is attached.

With HTTP traffic everything works fine, however FTP causes a problem.
A client successfully connects and authenticates, but when it tries to
execute LIST or RETR (when a data connection should be established),
Filezilla says "Connection closed by server". In Squid's log I have
noticed some errors when establishing the data connection (?), like
"failed to connect FTP server data channel". The log is also attached.

What can be wrong with this setup?




Re: [squid-users] A bunch of SSL errors I am not sure why

2017-01-18 Thread Yuri Voinov


On 18.01.2017 23:40, Eliezer Croitoru wrote:
> Thanks for the detail Amos,
>
> I noticed that a couple of major Root CA certificates were revoked, so it could be
> one thing.
> And can you give some more details on how to fetch the certificates using the
> openssl tools?
> (Maybe redirect towards an article about it)
There is no article about trivial things.

root @ khorne / # openssl s_client -connect symantec.com:443
CONNECTED(0003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
"(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class
3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network,
CN = Symantec Class 3 EV SSL CA - G3
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 =
Delaware, businessCategory = Private Organization, serialNumber =
2158113, C = US, postalCode = 94043, ST = California, L = Mountain View,
street = 350 Ellis Street, O = Symantec Corporation, OU = Symantec Web -
Redir, CN = symantec.com
verify return:1
---
Certificate chain
 0
s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private
Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain
View/street=350 Ellis Street/O=Symantec Corporation/OU=Symantec Web -
Redir/CN=symantec.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 EV SSL CA - G3
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec
Class 3 EV SSL CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
---
Server certificate

Re: [squid-users] A bunch of SSL errors I am not sure why

2017-01-18 Thread Eliezer Croitoru
Thanks for the detail Amos,

I noticed that a couple of major Root CA certificates were revoked, so it could be
one thing.
And can you give some more details on how to fetch the certificates using the
openssl tools?
(Maybe redirect towards an article about it)
I think that if some sites have issues then a simple script that will run
the openssl tools to fetch the certificates and add them to the system can be
useful for those who are running 3.5 and have yet to jump into the 4.0 testing.
I can write a script that will do some of the work for these admins.

Eliezer


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il




Re: [squid-users] A bunch of SSL errors I am not sure why

2017-01-18 Thread Amos Jeffries
On 19/01/2017 3:29 a.m., Sameh Onaissi wrote:
> Hello Eliezer, all
> 
> Sorry for the late reply.
> 
> When I configure the browser to access a non intercept port, the errors do 
> not show up and the site is accessed without a problem.
> 
> The client machine has the .crt file installed, but still shows the error.
> 
> Other pages with errors:
> http://pasteboard.co/nA20FD7om.png
> http://pasteboard.co/nA2yWRyTE.png
> 
> Here is the second page in a browser without an intercepted port:
> http://pasteboard.co/nA39CEFGU.png
> 
> 
> Thanks in advance.
> Some of these sites are used to pay company bills, so it’s important to get
> this issue resolved ASAP.

I assume from that first part that the most important of these sites are
a small enough set to deal with as a special case without becoming a
maintenance nightmare.

The error messages both show that Squid at least cannot find one of the
CAs required to verify the server's cert.

Soo... you can probably use the openssl client tool to identify and fetch the
certs manually; then

1a) add the root CA (only if needed) into your machine's global CA set,

1b) add any intermediary certs to the file Squid loads through
sslproxy_foreign_intermediate_certs directive.


OR

2) create a cache_peer to the domain's server port 443, using the
originserver option and sslcafile= option to specify what its CA chain
is supposed to be.



> Worth mentioning that this was not a problem about 10 days ago.

Nod, these types of things can appear out of nowhere as servers' certs
expire or get blacklisted, ciphers etc. suddenly get rejected by browsers
as insecure. TLS advocates deny it, but F*ups happen far too often in
reality when dealing with certs.


> 
> 
> * Try the latest Squid-4, which can auto-download intermediate certificates.
> 
> Is squid-4 stable for production?
> 

Sorry I missed this in your earlier post.

Well, strictly speaking, no. It still has a handful of critical bugs to be
tracked down and quashed. But whether those affect you, or if they do
whether it's worth an occasional crash to avoid these SSL issues, is a
different matter.

Amos

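The openssl capture Yuri shows, steps 1a/1b above, and the "dh key too small" handshake failure Amos explains in his other reply in this thread all come down to reading an `openssl s_client` transcript. As an added example that is not code from the thread or from the Squid project, the POSIX sh functions below (hypothetical names) split a `-showcerts` transcript into the leaf certificate and the intermediates to load through sslproxy_foreign_intermediate_certs, and report the ephemeral DH key size; the demo runs on a constructed transcript, and only fetch_transcript touches the network.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Hypothetical helper names.
# Splits an `openssl s_client -showcerts` transcript into leaf.pem and
# intermediates.pem (the latter is what sslproxy_foreign_intermediate_certs
# should point at) and reads the ephemeral DH key size behind the
# "dh key too small" handshake error.

# fetch_transcript HOST PORT OUTFILE
#   Live capture of the handshake transcript. Needs network; the offline demo
#   below never calls it.
fetch_transcript() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null >"$3" 2>&1
}

# split_chain TRANSCRIPT OUTDIR
#   First PEM block -> OUTDIR/leaf.pem, every later block -> OUTDIR/intermediates.pem.
#   Prints the number of intermediates. 0 means the server sent only its own
#   certificate, i.e. the missing-CA case in this thread, so the intermediate
#   has to be obtained from the issuing CA instead. If the server also sends
#   its self-signed root, that last block belongs in the system CA set (step 1a),
#   not in the intermediates file.
split_chain() {
    mkdir -p "$2"
    : >"$2/leaf.pem"
    : >"$2/intermediates.pem"
    awk -v out="$2" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            if (n == 1) file = out "/leaf.pem"
            else file = out "/intermediates.pem"
            inpem = 1
        }
        inpem { print >> file }
        /^-----END CERTIFICATE-----/ { inpem = 0 }
        END { m = n - 1; if (m < 0) m = 0; print m }
    ' "$1"
}

# dh_bits TRANSCRIPT
#   Bit length from the "Server Temp Key: DH, N bits" line; 0 when the handshake
#   used no finite-field DH (ECDH/X25519, static RSA, or it failed earlier).
dh_bits() {
    awk '/^Server Temp Key: DH,/ { print $5; found = 1 }
         END { if (!found) print 0 }' "$1"
}

# dh_verdict BITS
#   OpenSSL refuses DH groups below its security-level minimum (the error in
#   the thread); anything under 2048 bits is worth reporting to the server
#   admin, which is the only real fix.
dh_verdict() {
    if [ "$1" -eq 0 ]; then
        echo "no-dh"
    elif [ "$1" -lt 2048 ]; then
        echo "weak"
    else
        echo "ok"
    fi
}

# sample_transcript
#   Constructed stand-in for s_client output: three fake PEM blocks (not real
#   certificates) and a 1024-bit DH line, so the parsing can run offline.
sample_transcript() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 C = XX, O = Example Root CA
verify return:1
depth=1 C = XX, O = Example Intermediate CA
verify return:1
depth=0 CN = www.example.test
verify return:1
---
Certificate chain
 0 s:/CN=www.example.test
   i:/C=XX/O=Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-NOT-A-REAL-CERT
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example Intermediate CA
   i:/C=XX/O=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-NOT-A-REAL-CERT
-----END CERTIFICATE-----
 2 s:/C=XX/O=Example Root CA
   i:/C=XX/O=Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ROOT-NOT-A-REAL-CERT
-----END CERTIFICATE-----
---
Server Temp Key: DH, 1024 bits
---
EOF
}

# demo: parse the constructed transcript. For a real server replace the
# sample_transcript line with: fetch_transcript HOST 443 "$dir/transcript.txt"
demo() {
    dir=$(mktemp -d)
    sample_transcript >"$dir/transcript.txt"
    n=$(split_chain "$dir/transcript.txt" "$dir/certs")
    bits=$(dh_bits "$dir/transcript.txt")
    echo "intermediates in $dir/certs/intermediates.pem: $n"
    echo "ephemeral DH key: $bits bits ($(dh_verdict "$bits"))"
}
demo
```

With a real transcript, the resulting intermediates.pem can be checked against the leaf with `openssl verify -untrusted DIR/intermediates.pem DIR/leaf.pem` before pointing Squid at it.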


Re: [squid-users] Squid as Reverse Proxy for Windows

2017-01-18 Thread Amos Jeffries
On 19/01/2017 12:50 a.m., Zoltan Flavius wrote:
> Hello all,
> 
> 
> 
> I have an API for which we would like to implement a reverse proxy
> caching with squid on Windows Server 2008. As I can see here
> KnowledgeBase/Windows - Squid Web Proxy Wiki there are some known
> limitations and I would like to ask you some questions:
> 
> 
> 1. What do you mean by "Some code sections can make blocking calls"?
> Please give me details on this.

One of them was use of poll() for I/O. Most likely someone familiar with
the Windows APIs reading through the compat/os/windows.* code files
would spot a few more.

Sorry, it has been too long since I last hacked away at the MinGW
project; I have forgotten the specific API calls behind that statement.

Given your other questions and stated use, the details are probably not
that important for you anyway. It essentially means native Windows
builds are *slow*, which brings me to your next Q...



> 2. Also what do you mean by "Some
> external helpers may not work"? Is the Squid for Windows a stable
> solution for reverse proxy caching or do you recommend using a UNIX-based
> operating system instead?

We do recommend using non-Windows operating systems. But primarily for
performance reasons. Windows is just plain slow, and I don't mean by a
little - its peak request per second capacity (top traffic speed) is an
order of magnitude lower than any other OS.

Diladele B.V., linked from that wiki page, are providing stable /
production suitable binaries built with Cygwin for the latest Squid
releases. I dare say that is the best Windows version you will be able
to find anytime soon.

NP: Squid-3 and later still do not build with Visual Studio or MinGW. So
those builds are very much non-stable.


> Could you give me more details in
> regards to the license, since it is licensed under GNU General Public
> License and I use it as a reverse proxy?

If you just build the source code we provide as-is you can *use* the
resulting binaries in any way you wish.

The GPL requirements start to have effect if you make changes to the
Squid code or copy bits of it for use elsewhere.


> Do I have to give to my end
> users the freedom to run, study, share and modify our software for
> which I use Squid as reverse proxy?

The traffic messages (HTTP etc.) going through Squid to the public are
not affected by the Squid license (and vice versa).


HTH
Amos


Re: [squid-users] A bunch of SSL errors I am not sure why

2017-01-18 Thread Sameh Onaissi
The server is Ubuntu 16.04

Clients are mostly Windows 7 Pro, Windows 8.1 Pro, Windows 10 Pro and a few Mac
OS El Capitan 10.11

Think about the environment before printing this email.

On Jan 18, 2017, at 9:39 AM, Eliezer Croitoru wrote:

You will need to verify if there is an update to the certificates of the OS.
I know that a couple of authorities' certificates were removed in the last month or
two and it might be because of this.
What OS are you using?


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: Sameh Onaissi [mailto:sameh.onai...@solcv.com]
Sent: Wednesday, January 18, 2017 4:32 PM
To: Eliezer Croitoru
Subject: Fwd: [squid-users] A bunch of SSL errors I am not sure why

Hello Eliezer, all

Sorry for the late reply.

When I configure the browser to access a non intercept port, the errors do not 
show up and the site is accessed without a problem.

The client machine has the .crt file installed, but still shows the error.

Other pages with errors:
http://pasteboard.co/nA20FD7om.png
http://pasteboard.co/nA2yWRyTE.png

Here is the second page in a browser without an intercepted port:
http://pasteboard.co/nA39CEFGU.png



Thanks in advance.
Some of these sites are used to pay company bills, so it’s important to get
this issue resolved ASAP.
Worth mentioning that this was not a problem about 10 days ago.

Thanks again!


Sameh Onaissi
Support Engineer
Sol Cable Visión
Cel: 316-3023424
Email: sameh.onai...@solcv.com

Think about the environment before printing this email.

On Jan 15, 2017, at 3:59 AM, Eliezer Croitoru wrote:

Non intercepted is not bypassed…
Squid has a couple of options for the “http_port” directive.
One that you are using is intercept and the other is without intercept.
What happens when you try to connect to this website when you are defining
another port without “intercept” and define the proxy in the browser settings?
Let me know if something is missing in the picture.

Eliezer


http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


From: Sameh Onaissi [mailto:sameh.onai...@solcv.com]
Sent: Sunday, January 15, 2017 3:25 AM
To: Eliezer Croitoru
Cc: Amos Jeffries; squid-users@lists.squid-cache.org
Subject: Re: [squid-users] A bunch of SSL errors I am not sure why

Hello,

I assume bypassed are non intercepted? Once the site IP is on the bypass list,
it opened without an issue. There are a few other .http://gov.co sites which
have the same problem too.

Attached is a screenshot of the error before I added the site to the bypass 
list.

squid -v
Squid Cache: Version 3.5.22
Service Name: squid
Ubuntu linux
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 
-fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
-D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now 
-Wl,--as-needed' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' 
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' 
'--disable-arch-native' '--enable-async-io=8' 
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' 
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' 
'--enable-follow-x-forwarded-for' 
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' 
'--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' 
'--enable-auth-ntlm=fake,smb_lm' 
'--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
 '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' 
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' 
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' 
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' 
'--with-large-files' '--with-default-user=proxy' '--with-openssl' 
'--enable-ssl' '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux' 
'--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE 
-fstack-protector-strong -Wformat -Werror=format-security -Wall' 

Re: [squid-users] Help with Certificate validation

2017-01-18 Thread Yuri



On 18.01.2017 17:37, Amos Jeffries wrote:

On 18/01/2017 8:31 a.m., Yuri Voinov wrote:

Put your regression server into an SSL Bump splice rule.


If the situation requires SSL-Bump at all then there is no good
solution, because the browser itself is doing CRL checks and rejection.
Squid cannot change browsers internal coding.

Agreed.



18.01.2017 1:27, Mustafa Mohammad writes:

I’m using squid proxy to connect to our regression server. When our
configuration file is doing a CRLCheck, I’m unable to connect to the
server.  I have tried SSL bump and ssl_proxy option but was unable to
make it work. When I checked the logs, It says it was unable to
validate certificate. This is a high priority issue for our company.
Please respond as soon as possible.


How are browser(s) getting to the proxy?

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users




[squid-users] Squid as Reverse Proxy for Windows

2017-01-18 Thread Zoltan Flavius
Hello all,



I have an API for which we would like to implement a reverse proxy caching with
squid on Windows Server 2008. As I can see here (KnowledgeBase/Windows - Squid
Web Proxy Wiki) there are some known limitations and I would like to ask you
some questions:
  
1. What do you mean by "Some code sections can make blocking calls"? Please
give me details on this.
2. Also what do you mean by "Some external helpers may not work"?

Is the Squid for Windows a stable solution for reverse proxy caching or do you
recommend using a UNIX based operating system instead?
Could you give me more details in regards to the license, since it is licensed
under the GNU General Public License and I use it as a reverse proxy? Do I have to
give to my end users the freedom to run, study, share and modify our software
for which I use Squid as reverse proxy?

Regards,
Zoltan Flavius



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Limit clients per port

2017-01-18 Thread Amos Jeffries
On 18/01/2017 11:01 p.m., Oğuz İsmail Uysal wrote:
> I want to configure squid not to let more than one client per port at a
> time. Is it possible ? There are 10 users who use my proxy server and I
> have given them different ports to connect to. But I also want to block
> multiple clients at one port. How could I do this ?
> 

With an external ACL helper you can do almost any access conditions you
want.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
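One way to build the external ACL helper Amos refers to, as an added example that is not part of the thread or of the Squid project. It assumes each user has their own http_port, that squid.conf passes the client address and the listening port to the helper with the %SRC and %MYPORT format codes, and that the helper runs as a single child (children-max=1), because the port ownership table lives in the helper process. The squid.conf lines in the docstring, the script path and the idle timeout are assumptions, not settings from the thread.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow at most one client address per listening port.

Added example, not code from the squid-users thread or the Squid project.
Assumed squid.conf wiring (paths and ttl values are placeholders):

    external_acl_type one_per_port ttl=10 negative_ttl=2 children-max=1 \
        %SRC %MYPORT /usr/local/bin/one_per_port.py
    acl one_client external one_per_port
    http_access deny !one_client

Squid writes one lookup per line ("<client ip> <listening port>") and expects
"OK" or "ERR" back on a line of its own.
"""
import sys
import time

IDLE_SECONDS = 300  # assumed: a port is released after this much inactivity


class PortOwners:
    """Tracks which client address currently holds each listening port."""

    def __init__(self, idle_seconds=IDLE_SECONDS):
        self.idle = idle_seconds
        self.owners = {}  # port -> (client_ip, last_seen)

    def decide(self, client_ip, port, now=None):
        """Return 'OK' if client_ip may use port, 'ERR' if another client holds it."""
        now = time.time() if now is None else now
        owner = self.owners.get(port)
        if owner is not None:
            owner_ip, last_seen = owner
            if owner_ip != client_ip and now - last_seen < self.idle:
                return "ERR"  # a different client is still active on this port
        # Either the port is free, held by this client, or the holder went idle.
        self.owners[port] = (client_ip, now)
        return "OK"


def parse_request(line):
    """Parse one Squid lookup line into (client_ip, port); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def handle_line(tracker, line, now=None):
    """Produce the helper's reply for one lookup line; malformed input fails closed."""
    req = parse_request(line)
    if req is None:
        return "ERR"
    return tracker.decide(req[0], req[1], now)


def main():
    tracker = PortOwners()
    for line in sys.stdin:
        sys.stdout.write(handle_line(tracker, line.rstrip("\n")) + "\n")
        sys.stdout.flush()  # Squid blocks waiting for each reply; never buffer


if __name__ == "__main__":
    main()
```

Squid caches helper answers per lookup key for `ttl` (and denials for `negative_ttl`), so the helper sees a given client/port pair at most once per ttl while traffic flows; keep the idle timeout comfortably larger than the ttl or an active client can lose its port between lookups.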


Re: [squid-users] Help with Certificate validation

2017-01-18 Thread Amos Jeffries
On 18/01/2017 8:31 a.m., Yuri Voinov wrote:
> Put your regression server to SSL Bump splice rule.
> 

If the situation requires SSL-Bump at all then there is no good
solution, because the browser itself is doing CRL checks and rejection.
Squid cannot change browsers internal coding.

> 
> 18.01.2017 1:27, Mustafa Mohammad writes:
>> I’m using squid proxy to connect to our regression server. When our
>> configuration file is doing a CRLCheck, I’m unable to connect to the
>> server.  I have tried SSL bump and ssl_proxy option but was unable to
>> make it work. When I checked the logs, It says it was unable to
>> validate certificate. This is a high priority issue for our company.
>> Please respond as soon as possible.
>>

How are browser(s) getting to the proxy?

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


[squid-users] Limit clients per port

2017-01-18 Thread Oğuz İsmail Uysal
I want to configure squid not to let more than one client per port at a
time. Is it possible ? There are 10 users who use my proxy server and I
have given them different ports to connect to. But I also want to block
multiple clients at one port. How could I do this ?
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users