Re: [squid-users] squid sslbump server-first local loops?
On 04/13/2014 08:35 PM, Eliezer Croitoru wrote:
> Why https_port? and why ssl_bump on https_port? It should run on top of
> http_port as far as I can understand and know.

https_port is needed when you intercept port 443 traffic. http_port intercepts port 80 and https_port intercepts port 443.

> There was an issue which I reported about and which is similar, and I
> have used a couple of acls to block the access and the loop from the port
> to itself.

Can you share the acl? Because there is already a default acl called Safe_ports, and it does not list port 8081. Only ports listed in Safe_ports should be allowed. But this sslbump still continues and causes an infinite loop.

> Eliezer

Amm.
Re: [squid-users] squid sslbump server-first local loops?
Why https_port? and why ssl_bump on https_port? It should run on top of http_port as far as I can understand and know.

There was an issue which I reported about and which is similar, and I have used a couple of acls to block the access and the loop from the port to itself.

Eliezer

On 04/13/2014 02:11 PM, Amm wrote:
> I don't have any "via" line, so that means the default is "on".
>
> Again tested it. Very easy to crash squid. It just takes 2 seconds for
> squid to report:
> WARNING! Your cache is running out of filedescriptors
> And takes away 100% CPU too.
>
> Regards,
> Amm
Re: [squid-users] squid sslbump server-first local loops?
On 04/13/2014 04:27 PM, Amos Jeffries wrote:
> On 12/04/2014 5:23 p.m., Amm wrote:
>> So I ran this command:
>> openssl s_client -connect 192.168.1.2:8081
>>
>> where 8081 is the https_port on which squid runs. (with sslbump)
>>
>> And BOOM, squid went into an infinite loop! And started running out of
>> file descriptors.
>
> Is this happening with "via on"? It is an expected vulnerability with
> "via off".
>
> Amos

I don't have any "via" line, so that means the default is "on".

Again tested it. Very easy to crash squid. It just takes 2 seconds for squid to report:
WARNING! Your cache is running out of filedescriptors
And takes away 100% CPU too.

Regards,
Amm
Re: [squid-users] squid sslbump server-first local loops?
On 12/04/2014 5:23 p.m., Amm wrote:
> Hello,
>
> I accidentally came across this. I was trying to test what TLS version
> my squid reports.
>
> So I ran this command:
> openssl s_client -connect 192.168.1.2:8081
>
> where 8081 is the https_port on which squid runs. (with sslbump)
>
> And BOOM, squid went into an infinite loop! And started running out of
> file descriptors.
>

Is this happening with "via on"? It is an expected vulnerability with "via off".

Amos
[squid-users] squid sslbump server-first local loops?
Hello,

I accidentally came across this. I was trying to test what TLS version my squid reports.

So I ran this command:
openssl s_client -connect 192.168.1.2:8081

where 8081 is the https_port on which squid runs. (with sslbump)

And BOOM, squid went into an infinite loop! And started running out of file descriptors. It continued the loop even after I ctrl-c'ed the openssl.

I suppose this happens due to server-first in sslbump, where squid keeps trying to connect to itself in an infinite loop.

Port 8081 is NOT listed in Safe_ports. So shouldn't squid be blocking it before trying server-first?

Or shouldn't squid check something like this?
If (destIP == selfIP and destPort == selfPort) then break?

I am also not sure if this can be used to DoS. So just reporting,

Amm.
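As an added example (not from the thread, and not Eliezer's ACLs, which he did not post), here is one way to express the destIP/destPort check Amm asks for, and the "block the loop from the port to itself" idea Eliezer mentions, as squid.conf ACLs. It assumes the proxy address and bump port from Amm's report (192.168.1.2 and 8081); the deny rule must sit before the usual http_access allow rules so that no request, including the CONNECT squid generates for an intercepted TLS connection, is ever forwarded back to the proxy's own listening socket.

```conf
# Added example, not part of the original mailing-list thread.
# Values below are the ones reported in the thread (192.168.1.2:8081);
# replace them with the proxy's own address(es) and ssl_bump port.

# Destinations that are this proxy itself: its LAN address plus loopback.
acl proxy_self_ip dst 192.168.1.2 127.0.0.1 ::1

# The port the bumping https_port listens on.
acl proxy_self_port port 8081

# Refuse any request whose destination is our own listener. Place this
# BEFORE any "http_access allow" line so it is evaluated first and a
# server-first bump can never loop back into this same port.
http_access deny proxy_self_ip proxy_self_port

# Keep the stock Safe_ports / SSL_ports protection as well; 8081 is not
# in either list, so the default rules also reject it if they are reached.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
```

A quick check after reloading: run the same `openssl s_client -connect 192.168.1.2:8081` from the report and confirm that access.log shows a single TCP_DENIED entry for the self-destination rather than a growing stream of connections and a file-descriptor warning in cache.log.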