Re: [squid-users] Squid ssl_bump splice configuration

2023-08-29 Thread Amos Jeffries

On 30/08/23 07:57, Ben Goz wrote:

ב"ה

I managed to get the ssl splice configuration to work, but when I'm
splicing, for example, play.google.com

I see in cache log the following:

2023/08/29 22:54:53.688 kid1| 33,2| client_side.cc(3214) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2023/08/29 22:54:53.700 kid1| 33,2| client_side.cc(3214) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for splice
2023/08/29 22:54:53 kid1| SECURITY ALERT: Host header forgery detected on conn3362 local=172.217.22.110:443 remote=192.168.26.100:55331 FD 540 flags=17 (local IP does not match any domain IP)
    current master transaction: master2737
2023/08/29 22:54:53 kid1| SECURITY ALERT: on URL: play.google.com:443



The host header forgery issue for play.google.com is observed only for
spliced connections, but when this URL is bumped I don't see this error.

Why does splicing cause this error?



Likely because splice is emulating a client-generated CONNECT request, 
which then faces the same forgery checks that hit the issues Google's DNS 
TTL choices cause with the forgery detection. That is just an educated 
guess though.







On Mon, 28 Aug 2023 at 13:54, Ben Goz wrote:


ב"ה

I'm using squid version:
nativ@arachimprodsrv3:/usr/local/squid/etc$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 6.1-VCS
Service Name: squid

This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
  '--with-large-files' '--with-openssl' '--enable-ssl'


FYI "--enable-ssl" no longer exists.

It was replaced by "--with-openssl".



'--enable-ssl-crtd' '--enable-icap-client'
'--enable-linux-netfilter' '--disable-ident-lookups'

Configured with ssl_bump and tproxy:
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
https_port 0.0.0.0:3130 tproxy ssl-bump \
   cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
   options=ALL,NO_SSLv3 sslflags=NO_DEFAULT_CA


Use tls-default-ca=off instead of the deprecated sslflags=NO_DEFAULT_CA.





And the following configurations:
acl NoSSLInterceptRegexp_always ssl::server_name "splice.list"
always_direct allow all


The above line tells Squid to never use cache_peer.

Without cache_peer directives to ignore this is just a pointless waste 
of Squid CPU cycles.





on_unsupported_protocol tunnel
acl DiscoverSNIHost at_step SslBump1
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

the content of the file splice.list:
.prog.co.il
prog.co.il
www.prog.co.il


These latter two patterns are sub-sets of the first pattern. The 
resulting pattern tree may be producing false negative ACL matches.





The tproxy redirection works fine with the squid server, but
unfortunately the URLs in splice.list are bumped although they should be
spliced, as seen in the access log:

1693219853.255    626 192.168.28.254 TCP_MISS/200 64439 GET https://www.prog.co.il/ - HIER_DIRECT/172.67.196.36 text/html

And I see in the browser's certificate viewer my squid self signed
certificate.

What am I missing here?




Not clear. Maybe adding the TLS SNI, server certificate serverAltName 
field, ssl-bump stage/decision, and Host header (specifically the 
header, not the URI domain) to your log may show something useful.


HTH
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
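Amos's remark about the overlapping splice.list entries can be checked mechanically before the file is handed to Squid. The script below is an added example, not code from this thread or from the Squid project. It assumes that ssl::server_name list entries follow the dstdomain convention, where a leading dot matches the domain itself and every subdomain and an undotted entry matches only that exact name, and it flags entries that a dot-prefixed entry in the same file already covers. The `covers`, `find_redundant`, `minimise` and `load_list` names and the sample list are my own.

```python
"""Find entries in a Squid domain-list file (e.g. the splice.list used with
ssl::server_name) that a broader dot-prefixed pattern already matches.

Assumption (not from the thread): dstdomain-style matching, where
".example.com" matches example.com and every subdomain, while
"example.com" matches only that exact name.
"""
from typing import List, Tuple


def covers(pattern: str, name: str) -> bool:
    """True if `pattern` matches `name` under dstdomain-style rules."""
    pattern = pattern.lower()
    name = name.lower().lstrip(".")      # ".sub.x" as an entry is matched like "sub.x"
    if pattern.startswith("."):
        base = pattern[1:]
        return name == base or name.endswith("." + base)
    return name == pattern


def find_redundant(entries: List[str]) -> List[Tuple[str, str]]:
    """(entry, broader_pattern) pairs for entries that a different
    dot-prefixed pattern in the same list already matches."""
    redundant = []
    for entry in entries:
        for other in entries:
            if other != entry and other.startswith(".") and covers(other, entry):
                redundant.append((entry, other))
                break
    return redundant


def minimise(entries: List[str]) -> List[str]:
    """Drop redundant and duplicate entries, keeping the original order."""
    shadowed = {e for e, _ in find_redundant(entries)}
    seen = set()
    result = []
    for e in entries:
        if e in shadowed or e in seen:
            continue
        seen.add(e)
        result.append(e)
    return result


def load_list(text: str) -> List[str]:
    """Parse a Squid list file: one entry per line, '#' comments and blanks ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


# Constructed sample mirroring the splice.list quoted in the thread.
SAMPLE = """\
.prog.co.il
prog.co.il
www.prog.co.il
.shipuzim.info
"""

if __name__ == "__main__":
    entries = load_list(SAMPLE)
    for entry, broader in find_redundant(entries):
        print(f"{entry!r} is already matched by {broader!r}")
    print("minimal list:", minimise(entries))
```

Running it on the list from the thread reports prog.co.il and www.prog.co.il as shadowed by .prog.co.il and leaves a two-entry list; after rewriting the file, `squid -k parse` remains the authoritative check that Squid accepts it.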


Re: [squid-users] How to upgrade correctly?

2023-08-29 Thread Amos Jeffries

You should only need to:

 * stop squid

 * backup your existing installation (as mentioned by Eliezer)

 * install the current Debian "squid-openssl" package

 * run "squid -k parse" to check for squid.conf settings upgrade

 * manually check what "/opt/squid/var" was being used for;
   - any configuration related files need to be updated to the
     /etc/squid system location.
   - any logs etc. in there being used by scripts or other non-squid
     software need that third-party code to be updated to the new squid
     default log locations.


 * start squid


HTH
Amos


Re: [squid-users] Squid ssl_bump splice configuration

2023-08-29 Thread Ben Goz
ב"ה

I managed to get the ssl splice configuration to work, but when I'm
splicing, for example, play.google.com

I see in cache log the following:

2023/08/29 22:54:53.688 kid1| 33,2| client_side.cc(3214)
fakeAConnectRequest: fake a CONNECT request to force connState to tunnel
for ssl-bump
2023/08/29 22:54:53.700 kid1| 33,2| client_side.cc(3214)
fakeAConnectRequest: fake a CONNECT request to force connState to tunnel
for splice
2023/08/29 22:54:53 kid1| SECURITY ALERT: Host header forgery detected on
conn3362 local=172.217.22.110:443 remote=192.168.26.100:55331 FD 540
flags=17 (local IP does not match any domain IP)
current master transaction: master2737
2023/08/29 22:54:53 kid1| SECURITY ALERT: on URL: play.google.com:443

The host header forgery issue for play.google.com is observed only for
spliced connections, but when this URL is bumped I don't see this error.
Why does splicing cause this error?




On Mon, 28 Aug 2023 at 13:54, Ben Goz <ben.go...@gmail.com> wrote:

> ב"ה
>
> I'm using squid version:
> nativ@arachimprodsrv3:/usr/local/squid/etc$ /usr/local/squid/sbin/squid -v
> Squid Cache: Version 6.1-VCS
> Service Name: squid
>
> This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:
>  '--with-large-files' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'
> '--enable-icap-client' '--enable-linux-netfilter' '--disable-ident-lookups'
>
> Configured with ssl_bump and tproxy:
> http_port 0.0.0.0:3128
> http_port 0.0.0.0:3129 tproxy
> https_port 0.0.0.0:3130 tproxy ssl-bump \
>   cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>   options=ALL,NO_SSLv3 sslflags=NO_DEFAULT_CA
>
> And the following configurations:
> acl NoSSLInterceptRegexp_always ssl::server_name "splice.list"
> always_direct allow all
> on_unsupported_protocol tunnel
> acl DiscoverSNIHost at_step SslBump1
> ssl_bump splice NoSSLInterceptRegexp_always
> ssl_bump peek DiscoverSNIHost
> ssl_bump bump all
>
> the content of the file splice.list:
> .prog.co.il
> prog.co.il
> www.prog.co.il
> .shipuzim.info
>
> The tproxy redirection works fine with the squid server, but unfortunately the
> URLs in splice.list are bumped although they should be spliced, as seen in the
> access log:
>
> 1693219853.255 626 192.168.28.254 TCP_MISS/200 64439 GET
> https://www.prog.co.il/ - HIER_DIRECT/172.67.196.36 text/html
>
> And I see in the browser's certificate viewer my squid self signed
> certificate.
>
> What am I missing here?
>
> Thanks,
> Ben
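The SECURITY ALERT lines in this message only become useful once each one is paired with the "on URL:" line that follows it, and the reason text "local IP does not match any domain IP" amounts to a membership test: is the intercepted connection's original destination among the addresses Squid resolved for the host. The parser below is an added example, not Squid code. Its regexes follow the cache.log format quoted in this message, the second alert in the sample is constructed for illustration, and `local_ip_matches` is a simplified stand-in for the check, not Squid's implementation.

```python
"""Summarise "Host header forgery detected" alerts from a Squid cache.log.

Each alert line carries the connection details; the host is on the
following "on URL:" line, so the two must be paired.  Added example, not
Squid code; sample log lines are constructed in the format the thread quotes.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
    r"(?P<conn>conn\d+) local=(?P<local>\S+):(?P<lport>\d+)\s+"
    r"remote=(?P<remote>\S+):(?P<rport>\d+)\s+FD (?P<fd>\d+)\s+"
    r"flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)"
)
URL_RE = re.compile(r"^\S+ \S+ kid\d+\| SECURITY ALERT: on URL: (?P<url>\S+)")


def parse_alerts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Pair each forgery alert with the 'on URL' line that follows it."""
    alerts: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            pending = m.groupdict()      # hold until we see its URL line
            continue
        m = URL_RE.match(line)
        if m and pending is not None:
            pending["url"] = m.group("url")
            alerts.append(pending)
            pending = None
    return alerts


def summarise(alerts: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count alerts per requested host and per original destination IP."""
    return {
        "by_host": Counter(a["url"] for a in alerts),
        "by_dst": Counter(a["local"] for a in alerts),
    }


def local_ip_matches(local_ip: str, resolved_ips: Iterable[str]) -> bool:
    """Simplified form of the check (assumption, not Squid's code): the
    connection's original destination must be in the address set resolved
    for the host.  When DNS answers rotate with short TTLs, the set Squid
    sees can differ from the one the client used moments earlier."""
    return local_ip in set(resolved_ips)


# Constructed sample in the format of the thread's cache.log excerpt.
SAMPLE_LOG = """\
2023/08/29 22:54:53.700 kid1| 33,2| client_side.cc(3214) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for splice
2023/08/29 22:54:53 kid1| SECURITY ALERT: Host header forgery detected on conn3362 local=172.217.22.110:443 remote=192.168.26.100:55331 FD 540 flags=17 (local IP does not match any domain IP)
    current master transaction: master2737
2023/08/29 22:54:53 kid1| SECURITY ALERT: on URL: play.google.com:443
2023/08/29 22:55:10 kid1| SECURITY ALERT: Host header forgery detected on conn3370 local=172.217.22.142:443 remote=192.168.26.100:55340 FD 541 flags=17 (local IP does not match any domain IP)
    current master transaction: master2741
2023/08/29 22:55:10 kid1| SECURITY ALERT: on URL: play.google.com:443
"""

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} {a['url']} dst={a['local']} client={a['remote']} ({a['reason']})")
    stats = summarise(found)
    print("per host:", dict(stats["by_host"]))
    print("per destination IP:", dict(stats["by_dst"]))
```

Fed a real cache.log (`parse_alerts(open(path))`), the per-host and per-destination counts show whether the alerts cluster on a few rotating-DNS domains, which is the pattern Amos's explanation predicts, or are spread across many hosts, which would point elsewhere.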


Re: [squid-users] sharing generated certs between squid instances

2023-08-29 Thread Alex Rousskov

On 8/26/23 1:53 PM, Brendan Kearney wrote:

list members,

I have a couple of squid instances that are performing bump/peek/splice and 
generating dynamic certs. I want to share the certs that are generated 
by the individual instances across the rest of them, via NFS or some 
shared mechanism. So, if squid1 creates a cert I want squid2, squidN 
to be able to leverage that cert and not have to create the cert again.


Having tried to put the certs on an NFS share, I am seeing that all of 
the instances run into file locking issues when updating the database 
file "index.txt".


Is there any way to share the certs between instances to save processing 
power/time?


I believe there is. Use a file system that supports the locking 
mechanism used by Squid (sorry, I cannot recommend anything specific, 
but something basic like sshfs might work in some environments) or 
implement your own certificate generation helper that does 
locking/sharing the way you want it to.


The generated certificates themselves are meant to be 
interchangeable/stable.



HTH,

Alex.

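Alex's suggestion of a generation helper that does its own locking comes down to holding one lock across the lookup and the append on the shared index, so that two instances cannot both decide a certificate is missing and both generate it. The code below is an added example of that pattern only; it is not Squid's ssl_crtd helper and does not speak its protocol. The tab-separated index format, the `.lock` sidecar file and the `get_or_generate` and `demo_in_tempdir` names are assumptions of mine, and whether `fcntl.flock` is honoured between instances depends on the shared file system (over NFS, on the client and server lock daemons), which has to be verified in the environment in question.

```python
"""Serialise lookup-and-append on a shared certificate index.

Added example of the locking pattern only (not Squid's ssl_crtd helper,
not its protocol).  Index format is an assumption: 'host<TAB>certfile'
per line.  The exclusive lock is taken on a sidecar file next to the index.
"""
import fcntl
import os
import tempfile
import threading
from contextlib import contextmanager
from typing import Callable, Dict, Iterable, Tuple


@contextmanager
def index_lock(index_path: str):
    """Hold an exclusive advisory lock on <index>.lock for the block's duration."""
    fd = os.open(index_path + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)     # blocks until other holders release
        yield
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)


def read_index(index_path: str) -> Dict[str, str]:
    """Load host -> certfile pairs; a missing index is simply empty."""
    entries: Dict[str, str] = {}
    if not os.path.exists(index_path):
        return entries
    with open(index_path, "r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if "\t" in line:
                host, cert = line.split("\t", 1)
                entries[host] = cert
    return entries


def get_or_generate(index_path: str, host: str,
                    generate: Callable[[str], str]) -> str:
    """Return the certificate file for `host`, generating it only if no
    instance has recorded one.  Check and append happen under one lock,
    so two instances cannot both generate for the same host."""
    with index_lock(index_path):
        entries = read_index(index_path)
        if host in entries:
            return entries[host]
        cert_file = generate(host)
        with open(index_path, "a", encoding="utf-8") as f:
            f.write(f"{host}\t{cert_file}\n")
            f.flush()
            os.fsync(f.fileno())           # make the record durable before unlocking
        return cert_file


def concurrent_demo(index_path: str, hosts: Iterable[str], workers: int = 8) -> Dict[str, int]:
    """Many workers request the same hosts; returns how many times each
    host actually triggered generation (expected: once each)."""
    hosts = list(hosts)
    counts: Dict[str, int] = {h: 0 for h in hosts}
    counts_lock = threading.Lock()

    def fake_generate(host: str) -> str:
        with counts_lock:
            counts[host] += 1
        return f"{host}.pem"               # stand-in for real certificate creation

    def worker() -> None:
        for h in hosts:
            get_or_generate(index_path, h, fake_generate)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counts


def demo_in_tempdir(hosts: Iterable[str], workers: int = 8) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Run concurrent_demo against a throwaway index; return (counts, index contents)."""
    with tempfile.TemporaryDirectory() as d:
        idx = os.path.join(d, "index.txt")
        counts = concurrent_demo(idx, hosts, workers)
        entries = read_index(idx)
    return counts, entries


if __name__ == "__main__":
    print(demo_in_tempdir(["www.prog.co.il", "play.google.com"]))
```

Each worker opens the lock file separately, so the flock calls conflict exactly as they would between separate helper processes on different hosts sharing the same directory; the demo should report one generation per host however many workers run.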