Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-03 Thread Jason Haar
On 03/10/15 19:16, Amos Jeffries wrote:
> Anyhow, there have been long periods (12-18 months IIRC) where they
> were not trusted as a global CA. If your CA certificates set is from one
> of those periods your Squid will not be able to verify trust of the
> origin cert.
Should that show up in the logs somewhere? Put it this way: we have a
situation where "something" is causing a website that works without bump
to not work with it. If squid doesn't "like" something, could it
"auto-splice" - or at the very least log that there's a problem?

I'd like to find out what squid doesn't like about it because I could
probably update my external_acl_type script to detect that situation and
make squid splice the session (BTW my script already verifies the real
cert using the same CAs file that squid uses and it says it's legit - so
I don't think it's actually got anything to do with the CA itself)

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-03 Thread Amos Jeffries
On 3/10/2015 7:08 a.m., Jason Haar wrote:
> On 02/10/15 23:43, Amos Jeffries wrote:
>> I'm suspecting the order of these options screws things up. Or maybe
>> just the use of "ALL". sslproxy_options NO_SSLv2:NO_SSLv3:ALL
> 
> ...but I don't even use sslproxy_options. There have been at least 3
> people saying that bump doesn't work with that site - we all won't have
> identical configs.
> 
> Chrome reports "ERR_CONNECTION_CLOSED" and Firefox "The connection to
> banking.postbank.de was interrupted while the page was loading." - that
> doesn't even sound cert-related - more TCP related (between client and
> squid). Remember: the site works fine when squid is set to splice that site
> 
> I have compared the fake cert generated by squid against the real one
> and there's obvious differences (using "openssl s_client -connect
> banking.postbank.de:443 -servername banking.postbank.de|openssl x509
> -noout -text"). References to "Certificate Policies" and "Certificate
> Transparency" are present in the real cert and there's no equivalent in
> the Fake cert. How that could trigger a TCP reset is beyond me? I've
> also cranked up logging and there was nothing overt showing an issue
> 
> Real:
> 
>  X509v3 Certificate Policies:
> Policy: 2.16.840.1.113733.1.7.23.6
>   CPS: https://d.symcb.com/cps
>   User Notice:
> Explicit Text: https://d.symcb.com/rpa
>X509v3 Basic Constraints:
> CA:FALSE
>1.3.6.1.4.1.11129.2.4.2:
> ...k.i.w...X..gp
> .N.H0F.!..<
> ...u.V.../...D.>.Fv\U...N...J.F0D.
> .W!z...@'..n...C.W m.K/..
> S.R,...KTu..)e...w.hd..:...(.L.qQ]g..D.
> g..OO.N.H0F.!.~F.n#
> Y..&^.v.x.+!..n..J@9.[.J.C.1.L5.(.%%..9..
> Signature Algorithm: sha256WithRSAEncryption
> 
> 
> Fake:
> 
> X509v3 Basic Constraints:
> CA:FALSE
> Signature Algorithm: sha256WithRSAEncryption
> 

Those bits show the origin certificate to be an EV (Extended Validation)
certificate issued by Symantec. That could be causing trouble. I've not
looked into EV in particular detail, but it is supposed to be one of the
better ways to use TLS to prevent MITM like ssl-bump.


Also, Symantec have had an unusually large amount of trouble getting
certain of their CA certs to stay in the global trusted set. Something
to do with the clients they vouch for turning out to be bad, and again,
and again.
Anyhow, there have been long periods (12-18 months IIRC) where they
were not trusted as a global CA. If your CA certificates set is from one
of those periods your Squid will not be able to verify trust of the
origin cert.

Amos



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
Just a reminder people, but you've gone off-topic. The postbank.de
website issue has NOTHING to do with pinning.

Someone mentioned earlier it's due to the HTTPS cert not having a
complete cert-chain, and that web browsers auto-correct that situation,
but squid does not. So I would say either squid should:

1. implement the same sort of auto-correction code (say) Firefox does
(which I bet is a lot of work), or
2. flick into splice-mode when there's a cert error (which could be as
much work - I dunno)

I use external_acl_type to call an external script that tries to achieve
that. Basically it manually downloads the homepage to get the cert,
checks if it's valid against the OS CA list and if not, returns ERR so
that squid splices the connection instead of bumping it. Means the
entire connection blocks of course the first time this occurs, but after
that caches it and it mostly works.


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


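A sketch of the helper Jason describes above, added here as an example (it is not his script and not part of Squid): a Python 3 external_acl_type helper that verifies the origin's certificate chain against the OS CA store with the stdlib ssl module and answers ERR so squid.conf splices, OK so it bumps. The squid.conf wiring in the docstring, the helper path and the ACL names are assumptions; it assumes Squid passes the client's SNI via %ssl::>sni, so a request line is the SNI alone, or a channel id followed by the SNI when concurrency= is set.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (example, not Squid's own code): answer OK
when the origin server's certificate chain verifies against the OS trust
store, ERR when it does not, so squid.conf can bump only origins that verify
and splice the rest.

Assumed squid.conf wiring (hypothetical names and path):

  external_acl_type origin_ok ttl=3600 negative_ttl=300 %ssl::>sni /usr/local/bin/origin_verify.py
  acl origin_verifies external origin_ok
  acl step1 at_step SslBump1
  ssl_bump peek step1
  ssl_bump bump origin_verifies
  ssl_bump splice all
"""
import socket
import ssl
import sys

TIMEOUT = 5.0


def verify_origin(host, port=443, timeout=TIMEOUT):
    """Open a TLS connection to host:port and verify the presented chain and
    hostname against the OS CA store. Returns None on success, else a short
    reason string. A server that omits its intermediate fails here just as it
    does inside Squid, because neither fetches missing intermediates."""
    ctx = ssl.create_default_context()  # OS trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None  # handshake and chain verification succeeded
    except ssl.SSLCertVerificationError as exc:
        return "cert: " + (exc.verify_message or str(exc))
    except (ssl.SSLError, OSError) as exc:
        return "connect: " + str(exc)


def parse_request(line):
    """Split one helper request line into (channel_id, host). With
    concurrency=N Squid prefixes a numeric channel id; without it the line is
    just the format token value. An absent SNI arrives as '-'."""
    tokens = line.split()
    if len(tokens) == 2 and tokens[0].isdigit():
        channel, host = tokens
    elif len(tokens) == 1:
        channel, host = None, tokens[0]
    else:
        return None, None
    if host == "-" or not host:
        return channel, None
    return channel, host


def decide(host, verifier=verify_origin):
    """Map a host to Squid's answer: OK => safe to bump, ERR => splice so the
    client validates the real certificate end-to-end. A missing host or any
    verifier failure is ERR: the fail-safe choice is to not bump."""
    if host is None:
        return "ERR", "no host in request"
    reason = verifier(host)
    if reason is None:
        return "OK", ""
    return "ERR", reason


def format_reply(channel, answer):
    """Echo the channel id back when Squid sent one (concurrency= mode)."""
    return answer if channel is None else f"{channel} {answer}"


def handle_line(line, verifier=verify_origin):
    """Full round trip for one request line. Reasons go to stderr, which Squid
    copies into cache.log, so the operator can see why a site was spliced."""
    channel, host = parse_request(line)
    answer, reason = decide(host, verifier)
    if reason:
        print(f"origin_verify: {host}: {reason}", file=sys.stderr)
    return format_reply(channel, answer)


def main():
    for line in sys.stdin:
        line = line.rstrip("\n")
        if not line:
            continue
        print(handle_line(line), flush=True)


if __name__ == "__main__":
    main()
```

Squid's own ttl= and negative_ttl= on the external_acl_type line provide the caching, so the helper itself stays stateless and the first request per host is the only one that blocks on the verification handshake.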

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Amos Jeffries
On 2/10/2015 7:58 p.m., Jason Haar wrote:
> Just a reminder people, but you've gone off-topic. The postbank.de
> website issue has NOTHING to do with pinning.
> 
> Someone mentioned earlier it's due to the HTTPS cert not having a
> complete cert-chain, and that web browsers auto-correct that situation,
> but squid does not. So I would say either squid should:
> 
> 1. implement the same sort of auto-correction code (say) Firefox does
> (which I bet is a lot of work), or
> 2. flick into splice-mode when there's a cert error (which could be as
> much work - I dunno)
> 
> I use external_acl_type to call an external script that tries to achieve
> that. Basically it manually downloads the homepage to get the cert,
> checks if it's valid against the OS CA list and if not, returns ERR so
> that squid splices the connection instead of bumping it. Means the
> entire connection blocks of course the first time this occurs, but after
> that caches it and it mostly works.

I'm not sure but a custom certificate validator helper can probably do
all this better. An example helper in Perl can be found at
helpers/ssl/cert_valid.pl

Amos



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
On 02/10/15 21:38, Amos Jeffries wrote:
> I'm not sure but a custom certificate validator helper can probably do
> all this better. An example helper in Perl can be found at
> helpers/ssl/cert_valid.pl
That website worked for me because my external validator had an
exception rule for valid certs containing "bank" (which makes it "ERR" -
causing squid to splice it instead of bump it). To see this problem for
myself I removed that check and indeed bump-ing then failed to work
(squid-3.5.10)

I then pointed ssllabs.com at that site and it got a "B" rating and
there's no obvious signs of a cert error - so I can't figure out what is
going wrong. I've manually downloaded the server cert using "openssl
s_client" and the cert chain validates just fine - so what is squid
doing to it? Weird...

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-02 Thread Jason Haar
On 02/10/15 23:43, Amos Jeffries wrote:
> I'm suspecting the order of these options screws things up. Or maybe
> just the use of "ALL". sslproxy_options NO_SSLv2:NO_SSLv3:ALL

...but I don't even use sslproxy_options. There have been at least 3
people saying that bump doesn't work with that site - we all won't have
identical configs.

Chrome reports "ERR_CONNECTION_CLOSED" and Firefox "The connection to
banking.postbank.de was interrupted while the page was loading." - that
doesn't even sound cert-related - more TCP related (between client and
squid). Remember: the site works fine when squid is set to splice that site

I have compared the fake cert generated by squid against the real one
and there's obvious differences (using "openssl s_client -connect
banking.postbank.de:443 -servername banking.postbank.de|openssl x509
-noout -text"). References to "Certificate Policies" and "Certificate
Transparency" are present in the real cert and there's no equivalent in
the Fake cert. How that could trigger a TCP reset is beyond me? I've
also cranked up logging and there was nothing overt showing an issue

Real:

 X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.6
  CPS: https://d.symcb.com/cps
  User Notice:
Explicit Text: https://d.symcb.com/rpa
   X509v3 Basic Constraints:
CA:FALSE
   1.3.6.1.4.1.11129.2.4.2:
...k.i.w...X..gp
.N.H0F.!..<
...u.V.../...D.>.Fv\U...N...J.F0D.
.W!z...@'..n...C.W m.K/..
S.R,...KTu..)e...w.hd..:...(.L.qQ]g..D.
g..OO.N.H0F.!.~F.n#
Y..&^.v.x.+!..n..J@9.[.J.C.1.L5.(.%%..9..
Signature Algorithm: sha256WithRSAEncryption


Fake:

X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption




-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-10-01 Thread HackXBack
We wish that somebody could build a good fingerprinting algorithm for pinning
clients.
Thank you Alex



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/after-changed-from-3-4-13-to-3-5-8-sslbump-doesn-t-work-for-the-site-https-banking-postbank-de-tp4673245p4673516.html
Sent from the Squid - Users mailing list archive at Nabble.com.


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Amos Jeffries
On 29/09/2015 5:20 p.m., Yuri Voinov wrote:
> I don't think we can detect pinned apps automatically. You need to find it
> manually this time AFAIK.

Correct. There is no way for Squid to know that some app running on a
separate client device, installed a random time earlier via another
network contains crypto keys. Or what they are used for when not
transmitted over the network.


> 
> 29.09.15 2:29, HackXBack wrote:
>> Yuri, dear friend.
>> Use splice, HAA? OK, and how can you detect automatically to make squid
>> splice the pinned app automatically?
>> Otherwise, it is a real problem if it can't be detected automatically,
>> and in my opinion it is a bug.

Completely unknown state in the remote client-end environment is not a
bug in the server software. It is not even a bug in the client software,
since this exact outcome is the designed purpose of cert pinning.

Do not forget that ssl-bump is an MITM injecting itself forcibly into
the private conversation between the client and server.

 ** When TLS is used properly HTTPS cannot be ssl-bumped. **

Cert pinning is not quite "properly" IMHO. But it's close enough to ideal
to prevent bump working.



The only way to know about cert pinning is to investigate the
client app. That means manually at present.

NP: I have no idea or opinion about whether the site in question is
doing pinning or not.

Amos



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread HackXBack
I don't know, but if the connection can't bump, if the connection can't be established,
then squid bypasses this connection directly ...
this is how ...





Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread HackXBack
It's okay,
I don't say that we want to bump pinned connections,
why does squid not automatically bypass pinned connections without decryption??
if this happens then all problems are solved ..





Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Alex Rousskov
On 09/29/2015 05:02 PM, HackXBack wrote:
> I don't know, but if the connection can't bump, if the connection can't be established,
> then squid bypasses this connection directly ...
> this is how ...

The pinning client (not Squid!) decides that the [successfully bumped
from Squid point of view] connection is insecure and terminates it.

When the pinning client terminates its bumped connection to Squid, it is
too late for Squid to establish a spliced connection to the origin
server -- the client is already done talking to Squid as far as this
transaction is concerned...

Moreover, there is so little information about the client available to
Squid at the bumping decision point, that I doubt Squid can "learn" to
recognize similar client connections in the future and avoid bumping
them again (unless you are willing to tolerate lots of false positives
and, hence, splice a lot of traffic from non-pinning clients).

Said that, if somebody can build a good fingerprinting algorithm for
pinning clients, you would be able to configure Squid to splice their
connections.


Alex.



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Antony Stone
On Tuesday 29 September 2015 at 23:50:15, HackXBack wrote:

> I don't say that we want to bump pinned connections,
> why does squid not automatically bypass pinned connections without decryption??

How can Squid know that the client is using pinning?

Antony.

-- 
BASIC is to computer languages what Roman numerals are to arithmetic.

Please reply to the list;
please *don't* CC me.


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-29 Thread Alex Rousskov
On 09/29/2015 03:16 AM, Amos Jeffries wrote:
> On 29/09/2015 5:20 p.m., Yuri Voinov wrote:
>> I don't think we can detect pinned apps automatically. You need to find it
>> manually this time AFAIK.


> Correct. There is no way for Squid to know that some app running on a
> separate client device, installed a random time earlier via another
> network contains crypto keys. Or what they are used for when not
> transmitted over the network.


And this lack of information is unlikely to be resolved in the
foreseeable future because most of those who are doing the pinning
probably do not want to make bumping safer or, better, unnecessary. They
want to make it impractical or impossible.

Judging by the level of fanaticism of some of the primary players in the
area, and the increasing level of control they currently enjoy over the
"web", things will continue to overall worsen for the bumping crowd,
despite our efforts to make bumping safer.

Alex.



Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread Yuri Voinov
I don't think we can detect pinned apps automatically. You need to find it
manually this time AFAIK.


29.09.15 2:29, HackXBack wrote:

> Yuri, dear friend.
> Use splice, HAA? OK, and how can you detect automatically to make squid
> splice the pinned app automatically?
> Otherwise, it is a real problem if it can't be detected automatically, and in
> my opinion it is a bug.





Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread Yuri Voinov

I suggest it is a good idea to bypass banking around bump, as well as pinned
Apple apps.

In other words - use splice, Luke! ;)

28.09.15 20:43, HackXBack wrote:
> This happens with me on all Apple applications, and to make them work fine you
> must use 'none' bump for the IPs they use,
> it is the same problem, same log output as yours.
> Thanks.
>
>
>




Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread HackXBack
This happens with me on all Apple applications, and to make them work fine you
must use 'none' bump for the IPs they use,
it is the same problem, same log output as yours.
Thanks.





Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-28 Thread Sebastian Kirschner
I increased the log level and performed a GET to https://banking.postbank.de/.
What I don't get is why squid starts to generate a certificate for the SSL bump?

cache.log
2015/09/28 14:25:28.964 kid1| 33,5| client_side.cc(4135) getSslContextStart: Generating SSL certificate for banking.postbank.de using ssl_crtd.
2015/09/28 14:25:28.964 kid1| 33,5| client_side.cc(4139) getSslContextStart: SSL crtd request: new_certificate 8149 host=banking.postbank.de
Sign=signTrusted
SignHash=SHA256
-BEGIN CERTIFICATE-

-END CERTIFICATE-

2015/09/28 14:25:28.964 kid1| 84,5| helper.cc(1167) GetFirstAvailable: GetFirstAvailable: Running servers 5
2015/09/28 14:25:28.964 kid1| 5,5| AsyncCall.cc(26) AsyncCall: The AsyncCall helperDispatchWriteDone constructed, this=0x80775fc00 [call183]
2015/09/28 14:25:28.964 kid1| 5,5| Write.cc(35) Write: local=[::] remote=[::] FD 7 flags=1: sz 8171: asynCall 0x80775fc00*1
2015/09/28 14:25:28.964 kid1| 5,5| ModPoll.cc(131) SetSelect: FD 7, type=2, handler=1, client_data=0x806800400, timeout=0
2015/09/28 14:25:28.964 kid1| 84,5| helper.cc(1309) helperDispatch: helperDispatch: Request sent to ssl_crtd #Hlpr1, 8171 bytes
2015/09/28 14:25:28.964 kid1| 17,4| AsyncJob.cc(152) callEnd: Http::Server status out: [ job6]
2015/09/28 14:25:28.964 kid1| 17,4| AsyncCallQueue.cc(57) fireNext: leaving ConnStateData::ConnStateData::httpsPeeked(local=wan.ip.adress:8985 remote=62.153.105.15:443 FD 17 flags=1)
2015/09/28 14:25:28.964 kid1| 93,5| AsyncCallQueue.cc(55) fireNext: entering Initiate::noteInitiatorAborted()
2015/09/28 14:25:28.964 kid1| 93,5| AsyncCall.cc(38) make: make call Initiate::noteInitiatorAborted [call182]
2015/09/28 14:25:28.964 kid1| 93,5| AsyncCall.cc(56) cancel: will not call Initiate::noteInitiatorAborted [call182] because job gone
2015/09/28 14:25:28.964 kid1| 93,5| AsyncCall.cc(48) make: will not call Initiate::noteInitiatorAborted [call182] because of job gone
2015/09/28 14:25:28.964 kid1| 93,5| AsyncCallQueue.cc(57) fireNext: leaving Initiate::noteInitiatorAborted()
2015/09/28 14:25:28.964 kid1| 5,5| ModPoll.cc(435) DoSelect: comm_poll: 2+0 FDs ready
2015/09/28 14:25:28.964 kid1| 5,5| Write.cc(66) HandleWrite: local=[::] remote=[::] FD 7 flags=1: off 0, sz 8171.
2015/09/28 14:25:28.964 kid1| 5,5| Write.cc(108) HandleWrite: write() returns 8171
2015/09/28 14:25:28.964 kid1| 5,3| IoCallback.cc(116) finish: called for local=[::] remote=[::] FD 7 flags=1 (0, 0)
2015/09/28 14:25:28.964 kid1| 5,5| AsyncCall.cc(93) ScheduleCall: IoCallback.cc(135) will call helperDispatchWriteDone(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=8171, buf=0x804bfb000) [call183]
2015/09/28 14:25:28.965 kid1| 5,3| IoCallback.cc(116) finish: called for local=wan.ip.adress:8985 remote=62.153.105.15:443 FD 17 flags=1 (0, 0)
2015/09/28 14:25:28.965 kid1| 33,3| AsyncCall.cc(93) ScheduleCall: IoCallback.cc(135) will call ConnStateData::clientPinnedConnectionRead(local=wan.ip.adress:8985 remote=62.153.105.15:443 FD 17 flags=1, data=0x804b6e798) [call181]
2015/09/28 14:25:28.965 kid1| 5,5| AsyncCallQueue.cc(55) fireNext: entering helperDispatchWriteDone(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=8171, buf=0x804bfb000)
2015/09/28 14:25:28.965 kid1| 5,5| AsyncCall.cc(38) make: make call helperDispatchWriteDone [call183]
2015/09/28 14:25:28.965 kid1| 5,5| AsyncCallQueue.cc(57) fireNext: leaving helperDispatchWriteDone(local=[::] remote=[::] FD 7 flags=1, data=0x804bc2718, size=8171, buf=0x804bfb000)
2015/09/28 14:25:28.965 kid1| 33,3| AsyncCallQueue.cc(55) fireNext: entering ConnStateData::clientPinnedConnectionRead(local=wan.ip.adress:8985 remote=62.153.105.15:443 FD 17 flags=1, data=0x804b6e798)
2015/09/28 14:25:28.965 kid1| 33,3| AsyncCall.cc(38) make: make call ConnStateData::clientPinnedConnectionRead [call181]
2015/09/28 14:25:28.965 kid1| 33,3| AsyncJob.cc(123) callStart: Http::Server status in: [ job6]
2015/09/28 14:25:28.965 kid1| 33,3| client_side.cc(5010) clientPinnedConnectionRead: idle pinned local=wan.ip.adress:8985 remote=62.153.105.15:443 FD 17 flags=1 read 0 with idle client
2015/09/28 14:25:28.965 kid1| 5,3| comm.cc(868) _comm_close: comm_close: start closing FD 17
2015/09/28 14:25:28.965 kid1| 5,4| AsyncCall.cc(26) AsyncCall: The AsyncCall commStartSslClose constructed, this=0x80777d4e0 [call184]
2015/09/28 14:25:28.965 kid1| 5,4| AsyncCall.cc(93) ScheduleCall: comm.cc(902) will call commStartSslClose(FD 17) [call184]
2015/09/28 14:25:28.965 kid1| 5,3| comm.cc(540) commUnsetFdTimeout: Remove timeout for FD 17
2015/09/28 14:25:28.965 kid1| 5,5| comm.cc(721) commCallCloseHandlers: commCallCloseHandlers: FD 17
2015/09/28 14:25:28.965 kid1| 5,5| comm.cc(729) commCallCloseHandlers: commCallCloseHandlers: ch->handler=0x80775b740*2
2015/09/28 14:25:28.965 kid1| 33,5| AsyncCall.cc(93) ScheduleCall: comm.cc(730) will call ConnStateData::clientPinnedConnectionClosed(local=wan.ip.adress:8985 remote=62.153.105.15:443 FD 

Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-26 Thread Marcus Kool



On 09/26/2015 03:03 PM, Dieter Bloms wrote:
> Hello Marcus,
>
> On Thu, Sep 17, Marcus Kool wrote:
>
>> I just tried accessing https://banking.postbank.de/
>> using Squid 3.5.8 and Chrome.
>> I also got the ERR_CONNECTION_CLOSED error.
>
> Thank you for testing, so I think the fault is not in my config.
> Might it be a bug in squid or openssl, or maybe the webserver?


The webserver has an error: it must supply the complete certificate chain but 
it sends only one certificate.

Squid has correctly implemented the web standards and refuses to use the 
incomplete certificate chain.

Most browsers fix the problem caused by web servers by downloading the missing 
certificates.
This is not defined in a relevant standard but very handy.

As I described in my previous post, you can fix this webserver problem by the 
appropriate ACL in squid.conf
and you may also send a complaint to the webmaster responsible for the faulty 
webserver.

Marcus


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-26 Thread Dieter Bloms
Hello Marcus,

On Thu, Sep 17, Marcus Kool wrote:

> I just tried accessing https://banking.postbank.de/
> using Squid 3.5.8 and Chrome.
> I also got the ERR_CONNECTION_CLOSED error.

Thank you for testing, so I think the fault is not in my config.
Might it be a bug in squid or openssl, or maybe the webserver?

> Then I changed the Squid configuration and added ".postbank.de" in our list 
> of banks (acl tls_server_is_bank) to prevent bumping.

...

> And tried to access https://banking.postbank.de again from Chrome and the 
> site works normal.

OK, without sslbump the website works for me, but what is the reason that
sslbump to this site doesn't work?


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-17 Thread Dieter Bloms
Hello Amos,

thank you for your hints.

On Thu, Sep 17, Amos Jeffries wrote:

> > the relevant part is:
> > 
> > --snip--
> > acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> > http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
> 
> 
> Replace these...
> 
> > ssl_bump none nodecryptdomains
> > ssl_bump server-first all
> 
> ... with:
> 
>  acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
>  acl step1 at_step SslBump1
>  ssl_bump peek step1
>  ssl_bump splice nodecrypt
>  ssl_bump bump all
> 
> Maybe also remove the nodecryptdomains ACL. Depends on whether you use
> it anywhere else.

I've changed my config, but same results.
SSLBump works so far, only the site banking.postbank.de makes trouble.
My chrome browser says "ERR_CONNECTION_CLOSED" and the squid log
looks like:

--snip--
1442473894.771 49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473894.832 49 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.074 48 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.134 47 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442473895.193 45 10.252.16.100 TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--


here the ssl relevant part of my squid.conf
--snip--
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump peek step1
ssl_bump bump all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
--snip--

so it would be nice if anybody with sslbump enabled on squid 3.5.8 could
do a GET request to https://banking.postbank.de/ to see if that works.


-- 
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Dieter Bloms
Hello Antony,


On Wed, Sep 16, Antony Stone wrote:

> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
> 
> > I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
> > accessible via HTTPS with sslbump enabled.
> > But I can't get any access to the destination
> > https://banking.postbank.de, which is accessible with 3.4.13.
> > I use the same config for both squid versions.
> 
> 1. What is that configuration (squid.conf without comments or blank lines, 
> please)?

the relevant part is:

--snip--
acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem
ssl_bump none nodecryptdomains
ssl_bump server-first all
sslproxy_capath /etc/ssl/certs
sslproxy_options NO_SSLv2:NO_SSLv3:ALL
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
--snip--

the destination banking.postbank.de is not listed in the 
/etc/squid/nodecrypt.domains file

with squid-3.4.13 the logs look like:

--snip--
1442410263.639 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.737 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.738 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.739 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.751 33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
1442410263.822 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
1442410263.823 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
--snip--

with squid 3.5.8 the logs look like:

--snip--
1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410295.328 29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.379 43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.420 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.460 38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410300.500 37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.548 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.590 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
1442410330.629 36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
--snip--


> 2. What differences do you get in the log files between the two versions when 
> you try to access that site?
> 
> This information may give us something to go on in helping with your problem.
> 
> 
> Regards,
> 
> 
> Antony.
> 
> -- 
> "Black holes are where God divided by zero."
> 
>  - Steven Wright
> 
>Please reply to the list;
>  please *don't* CC me.

-- 
Gruß

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.


Re: [squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

2015-09-16 Thread Amos Jeffries
On 17/09/2015 3:16 a.m., Dieter Bloms wrote:
> Hello Antony,
> 
> 
> On Wed, Sep 16, Antony Stone wrote:
> 
>> On Wednesday 16 September 2015 at 15:39:35, Dieter Bloms wrote:
>>
>>> I did an upgrade of my squid from 3.4.13 to 3.5.8 and most sites are
>>> accessible via HTTPS with sslbump enabled.
>>> But I can't get any access to the destination
>>> https://banking.postbank.de, which is accessible with 3.4.13.
>>> I use the same config for both squid versions.
>>
>> 1. What is that configuration (squid.conf without comments or blank lines, 
>> please)?
> 
> the relevant part is:
> 
> --snip--
> acl nodecryptdomains dstdomain "/etc/squid/nodecrypt.domains"
> http_port MYIP:8080 ssl-bump cert=/etc/squid/ca.pem key=/etc/squid/ca.key generate-host-certificates=on dhparams=/etc/squid/dhparams.pem


Replace these...

> ssl_bump none nodecryptdomains
> ssl_bump server-first all

... with:

 acl nodecrypt ssl::server_name "/etc/squid/nodecrypt.domains"
 acl step1 at_step SslBump1
 ssl_bump peek step1
 ssl_bump splice nodecrypt
 ssl_bump bump all

Maybe also remove the nodecryptdomains ACL. Depends on whether you use
it anywhere else.


> sslproxy_capath /etc/ssl/certs
> sslproxy_options NO_SSLv2:NO_SSLv3:ALL
> sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
> sslproxy_cert_error deny all
> --snip--
> 
> the destination banking.postbank.de is not listed in the 
> /etc/squid/nodecrypt.domains file
> 
> with squid-3.4.13 the logs look like:
> 
> --snip--
> 1442410263.639 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 7531 GET https://banking.postbank.de/rai/rai/image/pb-logo.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.737 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 986 GET https://banking.postbank.de/rai/rai/css/image/rgn-sprite.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.738 20 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1066 GET https://banking.postbank.de/rai/rai/css/image/fld-input.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.739 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 4181 GET https://banking.postbank.de/rai/rai/css/image/rgn-noise.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.751 33 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 27373 GET https://banking.postbank.de/rai/rai/css/type/pb_medium_cnd-webfont.woff - HIER_DIRECT/62.153.105.15 application/x-font-woff
> 1442410263.822 22 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 1877 GET https://banking.postbank.de/rai/rai/css/image/aside-shadow.png - HIER_DIRECT/62.153.105.15 image/png
> 1442410263.823 23 CLIENTIP TCP_CLIENT_REFRESH_MISS/200 8047 GET https://banking.postbank.de/rai/rai/css/image/action-links.png - HIER_DIRECT/62.153.105.15 image/png
> --snip--
> 
> with squid 3.5.8 the logs look like:
> 
> --snip--
> 1442410295.266 32 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.297 28 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410295.328 29 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.379 43 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.420 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.460 38 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410300.500 37 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.548 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.590 39 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> 1442410330.629 36 CLIENTIP TAG_NONE/200 0 CONNECT banking.postbank.de:443 - HIER_DIRECT/62.153.105.15 -
> --snip--

This is the CONNECT request which was made prior to the ssl_bump rules
being checked. 3.5 will log this regardless of bumping (or not). The
absence of "TCP_TUNNEL" means the bumping did happen.


Amos
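Amos's reading of the 3.5 logs (the CONNECT entry is logged whether or not the session is bumped, and TCP_TUNNEL is what marks a splice) can be turned into a per-destination check over access.log, which is how an admin would spot a bump that never produced decrypted requests. This Python is an added example, not code from this thread or from the Squid project; the sample lines are constructed in Squid's native log format with invented hosts and addresses, and the helper names (parse_line, dest_host, verdict, classify) are mine.

```python
import re
from collections import defaultdict
# Squid native access.log layout: time elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$")
# Constructed sample lines modelled on the thread's logs (hosts and addresses are invented).
SAMPLE_LOG = """\
1442410295.266 32 10.0.0.5 TAG_NONE/200 0 CONNECT failing.example.test:443 - HIER_DIRECT/192.0.2.11 -
1442410295.297 28 10.0.0.5 TAG_NONE/200 0 CONNECT failing.example.test:443 - HIER_DIRECT/192.0.2.11 -
1442410300.100 40 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT spliced.example.test:443 - HIER_DIRECT/192.0.2.12 -
1442410301.000 30 10.0.0.5 TAG_NONE/200 0 CONNECT bumped.example.test:443 - HIER_DIRECT/192.0.2.13 -
1442410301.050 12 10.0.0.5 TCP_MISS/200 4321 GET https://bumped.example.test/index.html - HIER_DIRECT/192.0.2.13 text/html
"""

def parse_line(line):
    # One native-format entry as a dict of fields, or None if it does not parse.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def dest_host(entry):
    # The CONNECT target host, or the host of a decrypted https:// URL; else None.
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    m = re.match(r"https://([^/:]+)", entry["url"])
    return m.group(1) if m else None

def verdict(s):
    # bumped: decrypted https:// requests were logged after the CONNECT; spliced: the
    # CONNECT itself was logged as TCP_TUNNEL; no-data: only 0-byte CONNECTs (the thread's symptom).
    if s["decrypted"]:
        return "bumped"
    if s["tunnel"]:
        return "spliced"
    return "no-data" if s["bytes"] == 0 else "unknown"

def classify(lines):
    seen = defaultdict(lambda: {"tunnel": 0, "decrypted": 0, "bytes": 0})
    for line in lines:
        e = parse_line(line)
        host = dest_host(e) if e else None
        if host is None:
            continue  # unparsable or plain-http entry: not an ssl_bump question
        s = seen[host]
        s["bytes"] += int(e["bytes"])
        s["tunnel"] += e["code"].startswith("TCP_TUNNEL")  # only ever set on CONNECT
        s["decrypted"] += e["method"] != "CONNECT"
    return {host: verdict(s) for host, s in seen.items()}
```

A host that comes back as "no-data" after a version upgrade is the pattern Dieter reported: repeated CONNECTs, nothing tunnelled, nothing decrypted.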