Re: [squid-dev] Introduction

2018-03-28 Thread Eliezer Croitoru
Sorry for the late response, I somehow missed your response.

I will try to review the squid.conf and see if I can help with something.

 

If I'm not responding in a few days send me a PM to bump it up.

 

Eliezer

 



Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



 

From: Khushal Jain Shripal  
Sent: Friday, February 23, 2018 05:55
To: Eliezer Croitoru ; squid-dev@lists.squid-cache.org
Cc: SkoolLive_Offshore_Team ; Gowtham
Anandaraj 
Subject: RE: [squid-dev] Introduction

 

Hi Eliezer,

 

We have installed Squid Cache.

1.   We configured http port number.

2.   We gave hostname as localhost and port number in Proxy Settings of
Windows.

3.   Cache folder was created and cache data exists when we tried to
access http sites.

a.   For instance, we tried to access http://excelacom.in we were able
to cache and store the data in cache folder.

 

But when we tried to access https sites, we were not able to cache https
sites.

 

Attached is our Squid.conf for your reference.

 

Can you please provide us a squid.conf file to access and cache https sites?

It would be more helpful to us.

 

 

Regards, 

 




Khushal Jain Shripal

Business Analyst


Excelacom Technologies Pvt Ltd

p: +91.9003028627

Skype ID: khushalshripal

From: squid-dev [mailto:squid-dev-boun...@lists.squid-cache.org] On Behalf
Of Eliezer Croitoru
Sent: Friday, February 23, 2018 12:14 AM
To: Gowtham Anandaraj <mailto:gowtha...@excelacom.in>; squid-dev@lists.squid-cache.org
<mailto:squid-dev@lists.squid-cache.org>
Subject: Re: [squid-dev] Introduction

 

Hey,

 

Can you be more specific?

 

Eliezer

 



Eliezer Croitoru <http://ngtech.co.il/lmgtfy/> 
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il <mailto:elie...@ngtech.co.il> 



 

From: squid-dev [mailto:squid-dev-boun...@lists.squid-cache.org] On Behalf
Of Gowtham Anandaraj
Sent: Monday, February 12, 2018 14:29
To: squid-dev@lists.squid-cache.org <mailto:squid-dev@lists.squid-cache.org>

Subject: [squid-dev] Introduction

 

Hello Squid Dev,

 

It's a great opportunity to learn Squid.

My name is Gowtham, working as Programmer Analyst with over 3 years of
experience.

 

Currently I'm using squid for my project for caching, but I'm not able to
cache https sites.

Any help would be appreciated. 

 

Thanks,




Gowtham Anandaraj

Program Analyst


Excelacom Technologies Pvt Ltd

5/D5-IT Park, SIPCOT, Navallur Post, Siruseri, Chennai 603103   

T +91 44 4743 3000 | F +91 44 3068 3111 | E  <mailto:gowtha...@excelacom.in>
gowtha...@excelacom.in  | S gowthammiley |M 9524031314

[NOTICE: This e-mail is confidential and may also be privileged. If you are
not the intended recipient, please notify us immediately by replying to this
message and then delete it from your system. You should not copy or use it
for any purpose, nor disclose its contents to any other person. Thank you.]

 

 

 

DISCLAIMER INFORMATION

The information contained in this email is confidential and may contain
proprietary information. It is meant solely for the intended recipient.
Access to this email by anyone else is unauthorized. If you are not the
intended recipient, any disclosure, copying, distribution or any action
taken or omitted in reliance on this, is prohibited and may be unlawful. No
liability or responsibility is accepted if information or data is, for
whatever reason corrupted or does not reach its intended recipient.
Excelacom Technologies Private Ltd reserves the right to take any action in
accordance with its email policy. If you have received this communication in
error, please delete this mail & notify us immediately at
webad...@excelacom.in <mailto:webad...@excelacom.in> 

WARNING:
Computer viruses can be transmitted via email. The recipient should check
this email and any attachments for the presence of viruses. The company will
not accept any liability or any damage caused by any virus transmitted by
this email

 


Re: [squid-dev] Introduction

2018-03-19 Thread Alex Rousskov
On 02/05/2018 01:19 PM, Danilo V wrote:
> Hello, I'm a networking and security analyst who works for the
> government in Brazil.
> I work especially with free software. I am currently allocated to a
> content filter customization project using docker, puppet, squid,
> squidguard and sarg.
> 
> I would like to join the mailing list for help with the issues I have
> encountered.


Hello Danilo,

Please accept my apologies for the inappropriate first response to
your introduction email. To minimize overheads and delays, we do not
moderate squid-dev at the moment, but we will start doing it if folks
abuse this trust. I hope you can ignore this unfortunate incident, and I
am sorry you had to deal with this unprofessional behavior.

Your development-related emails are welcomed here. For Squid
usage/deployment questions, please consider using the squid-users
mailing list.


Thank you,

Alex.
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev


Re: [squid-dev] Introduction

2018-03-19 Thread Francesco Chemolli
Please,
  Let’s all be respectful here. There is no need to call anyone names,
especially under the unfounded assumption of ill intent. There are plenty
of forums focused on policies and politics, and this isn’t one of them.



On Mon, 19 Mar 2018 at 12:08, Serge  wrote:

> >>Hello, I'm a networking and security analyst who works for the
> government in Brazil.
> >>bla-bla-bla content filter
>
> Rephrasing your words, you're whore for the government and you're fighting
> against basic human freedoms. Freedom to gather information of any kind.
> Freedom to know the truth about corrupt politicians.
> Freedom of speech. In addition, your country's government structures even
> can not afford to pay for professional products so they're asking you to
> use free software, whose ideas are directly
> contrary to what you are doing.
>
> After this, you're stupid enough to write to this mailing list asking
> community for the further assistance in your "noble endeavors" and you're
> even not asking some particular question. Well, may god help you.
>
> 18.03.2018, 15:06, "Danilo V" :
>
> Hello, I'm a networking and security analyst who works for the government
> in Brazil.
> I work especially with free software. I am currently allocated to a
> content filter customization project using docker, puppet, squid,
> squidguard and sarg.
>
> I would like to join the mailing list for help with the issues I have
> encountered.
>
> Thanks,
> Danilo Teixeira
> ,
>
>
-- 
@mobile


Re: [squid-dev] Introduction

2018-03-19 Thread Serge
>>Hello, I'm a networking and security analyst who works for the government in Brazil.
>>bla-bla-bla content filter

Rephrasing your words, you're whore for the government and you're fighting against basic human freedoms. Freedom to gather information of any kind. Freedom to know the truth about corrupt politicians. Freedom of speech. In addition, your country's government structures even can not afford to pay for professional products so they're asking you to use free software, whose ideas are directly contrary to what you are doing.

After this, you're stupid enough to write to this mailing list asking community for the further assistance in your "noble endeavors" and you're even not asking some particular question. Well, may god help you.

18.03.2018, 15:06, "Danilo V" :
> Hello, I'm a networking and security analyst who works for the government in Brazil.
> I work especially with free software. I am currently allocated to a content filter customization project using docker, puppet, squid, squidguard and sarg.
>
> I would like to join the mailing list for help with the issues I have encountered.
>
> Thanks,
> Danilo Teixeira


[squid-dev] Introduction

2018-03-18 Thread Danilo V
Hello, I'm a networking and security analyst who works for the government
in Brazil.
I work especially with free software. I am currently allocated to a content
filter customization project using docker, puppet, squid, squidguard and
sarg.

I would like to join the mailing list for help with the issues I have
encountered.

Thanks,
Danilo Teixeira


Re: [squid-dev] Introduction

2018-02-22 Thread Khushal Jain Shripal
Hi Eliezer,

We have installed Squid Cache.

1.   We configured http port number.

2.   We gave hostname as localhost and port number in Proxy Settings of 
Windows.

3.   Cache folder was created and cache data exists when we tried to access 
http sites.

a.   For instance, we tried to access http://excelacom.in we were able to 
cache and store the data in cache folder.

But when we tried to access https sites, we were not able to cache https sites.

Attached is our Squid.conf for your reference.

Can you please provide us a squid.conf file to access and cache https sites?
It would be more helpful to us.


Regards,


Khushal Jain Shripal
Business Analyst

Excelacom Technologies Pvt Ltd
p: +91.9003028627
Skype ID: khushalshripal


From: squid-dev [mailto:squid-dev-boun...@lists.squid-cache.org] On Behalf Of 
Eliezer Croitoru
Sent: Friday, February 23, 2018 12:14 AM
To: Gowtham Anandaraj ; squid-dev@lists.squid-cache.org
Subject: Re: [squid-dev] Introduction

Hey,

Can you be more specific?

Eliezer


Eliezer Croitoru<http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il<mailto:elie...@ngtech.co.il>

From: squid-dev [mailto:squid-dev-boun...@lists.squid-cache.org] On Behalf Of 
Gowtham Anandaraj
Sent: Monday, February 12, 2018 14:29
To: squid-dev@lists.squid-cache.org<mailto:squid-dev@lists.squid-cache.org>
Subject: [squid-dev] Introduction

Hello Squid Dev,

It's a great opportunity to learn Squid.
My name is Gowtham, working as Programmer Analyst with over 3 years of 
experience.

Currently I'm using squid for my project for caching, but I'm not able to cache 
https sites.
Any help would be appreciated.

Thanks,

Gowtham Anandaraj
Program Analyst

Excelacom Technologies Pvt Ltd

5/D5-IT Park, SIPCOT, Navallur Post, Siruseri, Chennai 603103
T +91 44 4743 3000 | F +91 44 3068 3111 | E 
gowtha...@excelacom.in<mailto:gowtha...@excelacom.in>  | S gowthammiley |M 
9524031314


squid.conf
Description: squid.conf


Re: [squid-dev] Introduction

2018-02-22 Thread Eliezer Croitoru
Hey,

 

Can you be more specific?

 

Eliezer

 



Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il



 

From: squid-dev [mailto:squid-dev-boun...@lists.squid-cache.org] On Behalf
Of Gowtham Anandaraj
Sent: Monday, February 12, 2018 14:29
To: squid-dev@lists.squid-cache.org
Subject: [squid-dev] Introduction

 

Hello Squid Dev,

 

It's a great opportunity to learn Squid.

My name is Gowtham, working as Programmer Analyst with over 3 years of
experience.

 

Currently I'm using squid for my project for caching, but I'm not able to
cache https sites.

Any help would be appreciated. 

 

Thanks,




Gowtham Anandaraj

Program Analyst


Excelacom Technologies Pvt Ltd

5/D5-IT Park, SIPCOT, Navallur Post, Siruseri, Chennai 603103   

T +91 44 4743 3000 | F +91 44 3068 3111 | E  <mailto:gowtha...@excelacom.in>
gowtha...@excelacom.in  | S gowthammiley |M 9524031314



[squid-dev] Introduction

2018-02-12 Thread Gowtham Anandaraj
Hello Squid Dev,

It's a great opportunity to learn Squid.
My name is Gowtham, working as Programmer Analyst with over 3 years of 
experience.

Currently I'm using squid for my project for caching, but I'm not able to cache 
https sites.
Any help would be appreciated.

Thanks,

Gowtham Anandaraj
Program Analyst

Excelacom Technologies Pvt Ltd

5/D5-IT Park, SIPCOT, Navallur Post, Siruseri, Chennai 603103
T +91 44 4743 3000 | F +91 44 3068 3111 | E 
gowtha...@excelacom.in  | S gowthammiley |M 
9524031314


Re: [squid-dev] Introduction

2018-01-22 Thread Amos Jeffries
On 20/12/17 02:11, Daniel Berredo wrote:
> Hello all,
> 
> My name is Daniel Santos and I am a DevOps in Brazil. I am working on a
> Hotspot Captive Portal project using Squid and need to be able to
> evict a user from the Auth Cache before its ttl expired.
> What would be the best way to start on a proper PR? Is there any dev
> guidelines I should be aware of?
> 
> I am thinking about adding a new method to the CredentialsCache class
> ("evict", for example) and somehow make squid able to respond to a
> variation of the "PURGE" method. Then I would be able to use squid
> client to evict users from Auth Cache.
> 
> Is there anyone that could give me some directions on how to do this?
> 
> Thanks in advance,
> Daniel
> 

Hi Daniel,

 Sorry for the delay, your post got stuck in our moderation queue. Please
note that this list now has a normal mailing list subscription process.
You subscribe with the form at
 and follow the bot's
instructions.


Information for developers about Squid and the processes used by the
Squid Project is all linked from
.


A feature similar to what you describe has been on the wishlist for a
very long time now. Do not go to the effort of a whole new HTTP method,
or anything like PURGE. The CacheMgr interface already has most of the
HTTP message functionality in place to do this type of thing through GET
or POST.

It looks like the external ACL cache is still using the old C-style
dump() code. So it will first need converting into a class inheriting
from Mgr::Action. Then processing added to parse "user=X" tokens from
the URL query-string, and to act on the value found.


Before you go to too much trouble, is there a specific reason why you
are considering this approach instead of just setting shorter TTLs on
the details the helper is supplying Squid?
Be aware the TTL in Squid is simply how often it asks the helper for
updates on the validity. It does *not* relate to when those credentials
expire except as a _maximum_ time until Squid notices actual expiry.


Amos Jeffries
The Squid Software Foundation
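To make the TTL point in Amos's reply concrete, here is an added toy model (not Squid code; AuthCache, lookup, evict and helper_is_valid are hypothetical names) in which the TTL only controls how often the helper is re-asked, so a revoked user is refused at most one TTL after revocation, while an explicit evict takes effect at the very next request.

```python
# Added example, not Squid code: a toy model of the auth cache behaviour
# described on the list. The TTL is how often the helper is re-queried; it
# is not the lifetime of the credentials themselves. All names here
# (AuthCache, Entry, evict, simulate) are hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Entry:
    valid: bool
    checked_at: float  # time of the last helper answer


@dataclass
class AuthCache:
    ttl: float
    helper: Callable[[str], bool]  # models the auth helper's yes/no answer
    entries: Dict[str, Entry] = field(default_factory=dict)
    helper_calls: int = 0

    def lookup(self, user: str, now: float) -> bool:
        """Return whether the user is currently accepted, re-asking the
        helper only on a cache miss or once the entry is older than ttl."""
        e = self.entries.get(user)
        if e is None or now - e.checked_at >= self.ttl:
            self.helper_calls += 1
            e = Entry(valid=self.helper(user), checked_at=now)
            self.entries[user] = e
        return e.valid

    def evict(self, user: str) -> bool:
        """Drop the cached entry so the next lookup goes to the helper.
        Returns True if an entry was actually removed."""
        return self.entries.pop(user, None) is not None


def simulate(ttl: float, revoke_at: float, evict_at: Optional[float]) -> float:
    """Run a 1-second-step simulation for user 'alice', who is revoked at
    revoke_at (the helper starts answering 'no'), and return the first time
    at which the cache refuses her. evict_at optionally evicts her entry."""
    revoked = {"alice": False}

    def helper(user: str) -> bool:
        return not revoked[user]

    cache = AuthCache(ttl=ttl, helper=helper)
    for t in range(0, 4 * int(ttl) + 1):
        now = float(t)
        if now >= revoke_at:
            revoked["alice"] = True
        if evict_at is not None and now == evict_at:
            cache.evict("alice")
        if not cache.lookup("alice", now):
            return now
    return float("inf")


if __name__ == "__main__":
    # Revoked at t=10 with a 300 s TTL: refused only when the entry is re-checked.
    print(simulate(ttl=300, revoke_at=10, evict_at=None))  # 300.0
    # Same, but with an explicit evict at t=10: refused immediately.
    print(simulate(ttl=300, revoke_at=10, evict_at=10))  # 10.0
```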


[squid-dev] Introduction

2018-01-18 Thread Daniel Berredo
Hello all,

My name is Daniel Santos and I am a DevOps in Brazil. I am working on a
Hotspot Captive Portal project using Squid and need to be able to evict
a user from the Auth Cache before its ttl expired.
What would be the best way to start on a proper PR? Is there any dev
guidelines I should be aware of?

I am thinking about adding a new method to the CredentialsCache class
("evict", for example) and somehow make squid able to respond to a
variation of the "PURGE" method. Then I would be able to use squid client
to evict users from Auth Cache.

Is there anyone that could give me some directions on how to do this?

Thanks in advance,
Daniel


Re: [squid-dev] Introduction / SslBump upstream ssl proxy support

2017-08-01 Thread Amos Jeffries

On 21/07/17 01:11, Mihai Ene wrote:

> Hello,
>
> I'm a developer with higher-level language experience and very little
> commercial C++ development on my hands.
>
> I've been following the SslBump feature for a while now, and this
> includes source code changes. SslBumping with upstream proxies was
> completely restricted when bug 3209 was patched in 2011, however, I
> believe the patch is too restrictive. I agree with Amos's statement that
> a plaintext information leak is highly unsafe, but the patch also
> prevents ssl upstream proxies usage.




Hi Mihai,

That bug was 6 years ago, and the comments were specifically about using 
plain-text peer connections. The patch was made to cover all parent 
peers because ...


The problem Squid still has with SSL/TLS peers is not that they leak 
info (they are contacted using TLS after all). It is that explicit-TLS 
proxies use their own certs instead of mimic'd ones so they present 
Squid with a cert other than the origin server cert. That has 
side-effects at the child proxy where bumping cannot mimic the origin 
cert details, and SSL-Bump ends up presenting a clearly invalid cert 
which reasonable clients reject.


In order for the bumping to work without user-visible issues at present 
the best way is for the child proxy to go to its DIRECT or ORIGINAL_DST, 
then get re-intercepted into the parent and re-bumped there. Such that 
the parent mimics the origin cert and it gets to the child proxy, then 
the client.



> In order to prevent plaintext and still use upstream proxies, I propose
> the following changes (tested in intranet, in production) which enable
> upstream proxies after ssl bumping, as long as the proxies are ssl
> themselves:
>
> - version 4.x
> https://github.com/randunel/squid4/commit/c91995833370771f9903b374f17a0d774643c2b3
> - version 3.5.x
> https://github.com/randunel/squid3/commit/a72a47cf0d54bf17faefcfe7692182d82d6520ab




FYI: we are now using github PR system as the only way to accept changes 
to Squid.


Can you please do your submission as a PR request against the 
https://github.com/squid-cache/squid repository master branch. It needs 
to be accepted there before PR against the beta and stable branches code 
will be considered (in that order).


Thank you
Amos


[squid-dev] Introduction / SslBump upstream ssl proxy support

2017-07-31 Thread Mihai Ene
Hello,
I'm a developer with higher-level language experience and very little commercial 
C++ development on my hands.
I've been following the SslBump feature for a while now, and this includes 
source code changes. SslBumping with upstream proxies was completely restricted 
when bug 3209 was patched in 2011, however, I believe the patch is too 
restrictive. I agree with Amos's statement that a plaintext information leak is 
highly unsafe, but the patch also prevents ssl upstream proxies usage.
In order to prevent plaintext and still use upstream proxies, I propose the 
following changes (tested in intranet, in production) which enable upstream 
proxies after ssl bumping, as long as the proxies are ssl themselves:
- version 4.x
https://github.com/randunel/squid4/commit/c91995833370771f9903b374f17a0d774643c2b3
- version 3.5.x
https://github.com/randunel/squid3/commit/a72a47cf0d54bf17faefcfe7692182d82d6520ab

Best regards,
Mihai Ene


Re: [squid-dev] Introduction / SslBump prototype patch to ignore unknown ciphers

2017-05-17 Thread Alex Rousskov
On 05/17/2017 03:18 PM, David Hogan wrote:

> I found that applying a blacklist at step3 resulted in too many false 
> positives
> caused by subjectAltName matches.

Factory is working on a patch to address that problem.


> I am hoping separately to figure
> out how to match missing SNI and terminate, either by acl config or a patch.

The above-mentioned patch might allow for matching missing SNIs as well
(as a side effect of other changes), but I am not sure. If it does not,
the infrastructure introduced by that patch would make it easier to
properly add such a feature. Or you can just hard-code a check in your
personal Squid, of course.


> are you saying that the OpenSSL validation code could be used directly,
> rather than having OpenSSL think it's doing a real handshake?

Yes, of course. For example, the "openssl verify" command line tool does
not do handshakes.


HTH,

Alex.



Re: [squid-dev] Introduction / SslBump prototype patch to ignore unknown ciphers

2017-05-17 Thread David Hogan
Hi Alex,

Thank you for your response.

On 17 May 2017 at 21:01, Alex Rousskov  wrote:
> On 05/17/2017 12:09 PM, David Hogan wrote:
>> ssl_bump peek   step1
>> ssl_bump peek   step2 whitelist
>> ssl_bump terminate  step2 blacklist
>> ssl_bump peek   step2
>> ssl_bump splice step3
>
> The above configuration looks strange but this is squid-dev not
> squid-users, so I trust you have good reasons for terminating only at
> step2 but also validating certificates (at step3). If not, you may want
> to discuss your needs on squid-users.

I found that applying a blacklist at step3 resulted in too many false positives
caused by subjectAltName matches. For example, the certificate for
www.bing.com also lists hosts related to their ad network, which meant that
applying an ad blocklist at step3 would also block www.bing.com. I realise
that blocking at step2 is flawed as bypassing the blacklist is as simple as
not including SNI in the request, however I am hoping separately to figure
out how to match missing SNI and terminate, either by acl config or a patch.

I just tested that sending a fake SNI causes certificate verification error,
which is great.

>> kid1| Error negotiating SSL on FD 13: error:140920F8:SSL
>> routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
>>
>> This is due to CHACHA20_POLY1305 being negotiated, which openssl on
>> CentOS 7 doesn’t recognise. This error prevents squid from further
>> validating the certificate or splicing the connection, even though use
>> of the cipher within squid isn't actually necessary for splicing.
>
> That is correct. You are hitting a known limitation of the current
> implementation -- step3 requires OpenSSL wire-level participation even
> when splicing the connections. Squid v4 got rid of OpenSSL when
> peeking/splicing during step2 (trunk r14670), but the same kind of
> changes for splicing during step3 has not been sponsored.

Or are you saying that the OpenSSL validation code could be used directly,
rather than having OpenSSL think it's doing a real handshake?

>> As an experiment, I developed a patch for the Centos 7 Squid 3.5.20
>> source (attached)
>
> FYI: Please use "universal" diff patches (diff options -U 30 and
> --show-c-function). The Squid wiki has more instructions for developers.

Sorry, I've attached an updated patch for any future discussion.

>> 2. Can anyone offer any advice on how server certificate validation
>> could proceed as normal after detecting (and ignoring) an unknown
>> cipher?
>
> I am not sure I understand the question, but
>
> * pure certificate validation is unrelated to ciphers
>
> * actual validation code (in Squid or the validation helper) may look at
> ciphers as well (e.g., to reject weak ciphers [for some sites])

We set up a server with both ChaCha20 and a self signed cert, with my
patch, no validation was performed and the connection was spliced.

>> I have read elsewhere that this issue can be overcome by linking squid
>> against LibreSSL instead of OpenSSL,
>
> Squid does not support LibreSSL (well). You might be able to resolve the
> issue by linking with a newer OpenSSL version, but I have not checked
> whether that is actually true.

I tried the Fedora 26 alpha with Squid 4.0.11 and OpenSSL 1.1.0e, but had
the same unknown cipher issue.

> Do you need Squid to validate certificates? If yes, you can probably
> hack your personal Squid along the lines of your initial patch OR
> sponsor/wait for OpenSSL wire-level removal from the splicing pathway.
> If not, you may be able to solve your problem by adjusting your Squid
> configuration.

Certificate validation is a killer feature and given that it almost works all of
the time, I think I'll try and come up with a patch that ignores the unknown
cipher whilst still validating the certificate.

Thanks for your help,
Dave


squid-3.5.20-unknown-cipher-ignore.patch
Description: Binary data
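As an added illustration of the step2/step3 trade-off discussed in this exchange (example code, not Squid's, with constructed host names and a constructed subjectAltName list): a blocklist matched against every subjectAltName at step3 blocks the unrelated site that shares the certificate, a step2 rule that only sees SNI has nothing to match when SNI is absent, and a step3 rule that blocks on the requested name alone while still requiring the certificate to cover it avoids the false positive.

```python
# Added example, not Squid code. It models the two points in the ssl_bump
# flow where a blocklist can be applied: step2 (only the peeked ClientHello,
# i.e. the SNI, is known) and step3 (the server certificate and its SAN list
# are known). BLOCKLIST, SEARCH_SITE_SANS and all function names are
# constructed for illustration.
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed blocklist; entries may be wildcard patterns.
BLOCKLIST = ["ads.example.net", "*.adnetwork.example"]


def host_blocked(host: str) -> bool:
    """Case-insensitive match of one host name against BLOCKLIST."""
    h = host.lower()
    return any(fnmatchcase(h, pat.lower()) for pat in BLOCKLIST)


def step2_action(sni: Optional[str]) -> str:
    """Decision when only the ClientHello has been peeked at.
    Without SNI there is nothing to match, so the rule terminates rather
    than letting the absence of SNI act as an implicit allow."""
    if not sni:
        return "terminate"
    return "terminate" if host_blocked(sni) else "peek"


def step3_action_all_sans(sans: List[str]) -> str:
    """Naive step3 rule: block if ANY subjectAltName is listed. This is the
    rule that produced the false positives described on the list."""
    return "terminate" if any(host_blocked(s) for s in sans) else "splice"


def cert_covers(sni: str, sans: List[str]) -> bool:
    """Does the certificate's SAN list cover the requested name? (Wildcard
    SAN entries such as *.example are honoured via fnmatch.)"""
    return any(fnmatchcase(sni.lower(), s.lower()) for s in sans)


def step3_action_sni_only(sni: str, sans: List[str]) -> str:
    """Step3 rule that keeps a name check against the certificate but only
    applies the blocklist to the name the client actually asked for."""
    if not cert_covers(sni, sans):
        # Requested name not in the certificate: comparable to the
        # verification error seen when a fake SNI is sent.
        return "terminate"
    return "terminate" if host_blocked(sni) else "splice"


# Constructed certificate: a search site whose cert also lists an ad host.
SEARCH_SITE_SANS = ["www.search.example", "search.example", "ads.example.net"]


if __name__ == "__main__":
    print(step2_action("www.search.example"))          # peek
    print(step2_action(None))                           # terminate
    print(step3_action_all_sans(SEARCH_SITE_SANS))      # terminate (false positive)
    print(step3_action_sni_only("www.search.example", SEARCH_SITE_SANS))  # splice
    print(step3_action_sni_only("ads.example.net", SEARCH_SITE_SANS))     # terminate
```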


Re: [squid-dev] Introduction / SslBump prototype patch to ignore unknown ciphers

2017-05-17 Thread Alex Rousskov
On 05/17/2017 12:09 PM, David Hogan wrote:
> ssl_bump peek   step1
> ssl_bump peek   step2 whitelist
> ssl_bump terminate  step2 blacklist
> ssl_bump peek   step2
> ssl_bump splice step3

The above configuration looks strange but this is squid-dev not
squid-users, so I trust you have good reasons for terminating only at
step2 but also validating certificates (at step3). If not, you may want
to discuss your needs on squid-users.


> kid1| Error negotiating SSL on FD 13: error:140920F8:SSL
> routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)
> 
> This is due to CHACHA20_POLY1305 being negotiated, which openssl on
> CentOS 7 doesn’t recognise. This error prevents squid from further
> validating the certificate or splicing the connection, even though use
> of the cipher within squid isn't actually necessary for splicing.

That is correct. You are hitting a known limitation of the current
implementation -- step3 requires OpenSSL wire-level participation even
when splicing the connections. Squid v4 got rid of OpenSSL when
peeking/splicing during step2 (trunk r14670), but the same kind of
changes for splicing during step3 have not been sponsored.


> As an experiment, I developed a patch for the CentOS 7 Squid 3.5.20
> source (attached)

FYI: Please use "universal" diff patches (diff options -U 30 and
--show-c-function). The Squid wiki has more instructions for developers.


> 1. What is the impact of calling checkForPeekAndSplice() from
> Ssl::PeerConnector::handleNegotiateError()? 

IIRC, Ssl::PeerConnector::checkForPeekAndSplice() is the start of
SslBump step3. If your step2 action is not final, then you have to do
step3 or the transaction will stall.


> 2. Can anyone offer any advice on how server certificate validation
> could proceed as normal after detecting (and ignoring) an unknown
> cipher?

I am not sure I understand the question, but

* pure certificate validation is unrelated to ciphers

* actual validation code (in Squid or the validation helper) may look at
ciphers as well (e.g., to reject weak ciphers [for some sites])


> I have read elsewhere that this issue can be overcome by linking squid
> against LibreSSL instead of OpenSSL,

Squid does not support LibreSSL (well). You might be able to resolve the
issue by linking with a newer OpenSSL version, but I have not checked
whether that is actually true.


> however I would much rather put
> together a solution that doesn’t stray too far from the supported
> packages of an operating system vendor.

Your vendor is probably not fast enough compared with the rate of
SslBump changes (unfortunately).


> I would also prefer to not
> have to periodically deal with this each time a new cipher appears.

... or some other aspect of TLS communication changes.

Do you need Squid to validate certificates? If yes, you can probably
hack your personal Squid along the lines of your initial patch OR
sponsor/wait for OpenSSL wire-level removal from the splicing pathway.
If not, you may be able to solve your problem by adjusting your Squid
configuration.


HTH,

Alex.



[squid-dev] Introduction / SslBump prototype patch to ignore unknown ciphers

2017-05-17 Thread David Hogan
Hi all,

I am new to the Squid source and I am hoping for some advice about the
SslBump peek and splice code in PeerConnector.cc. I have about a
decade of commercial C++ experience although for the last 8 years or so
I've been using higher level languages. I have a reasonable amount of
experience related to network code and concepts.

Sorry for the essay-length message... thanks in advance to anyone who
reads it :)

BACKGROUND:

I have been trying to set up a reliable transparent squid blacklist
enforcing proxy using an operating system vendor supplied version of
Squid, without decrypting client traffic. The Ubuntu squid package
isn't linked against OpenSSL so I am playing with CentOS 7, which
provides Squid 3.5.20 with a few backported fixes.

I have a config that blocks based on matching SNI at SslBump step 2
and then splices at step3 having validated the server certificate. I
am currently assuming that when the server certificate is validated,
squid checks that the SNI server name received in step2 is actually
present in the certificate.

ssl_bump peek   step1
ssl_bump peek   step2 whitelist
ssl_bump terminate  step2 blacklist
ssl_bump peek   step2
ssl_bump splice step3

This setup appeared to work, however when connecting to wikipedia.org
with Chrome I would sometimes see the following error:

kid1| Error negotiating SSL on FD 13: error:140920F8:SSL
routines:SSL3_GET_SERVER_HELLO:unknown cipher returned (1/-1/0)

This is due to CHACHA20_POLY1305 being negotiated, which openssl on
CentOS 7 doesn’t recognise. This error prevents squid from further
validating the certificate or splicing the connection, even though use
of the cipher within squid isn't actually necessary for splicing.

As an experiment, I developed a patch for the CentOS 7 Squid 3.5.20
source (attached) that prevents the usual error handling from
occurring when OpenSSL returns an SSL_R_UNKNOWN_CIPHER_RETURNED error.
This works in the sense that the splice is then successful, however
according to my tests it bypasses the usual server certificate
validation against certificate authorities.

MY QUESTIONS:

1. What is the impact of calling checkForPeekAndSplice() from
Ssl::PeerConnector::handleNegotiateError()? Particularly, in the case
that an SSL error of SSL_R_UNKNOWN_CIPHER_RETURNED is detected? I
found that by simply returning without calling this, the connection
stalled. I will admit that I don't know yet what
checkForPeekAndSplice() is doing or why it works.

2. Can anyone offer any advice on how server certificate validation
could proceed as normal after detecting (and ignoring) an unknown
cipher?

I have read elsewhere that this issue can be overcome by linking squid
against LibreSSL instead of OpenSSL, however I would much rather put
together a solution that doesn’t stray too far from the supported
packages of an operating system vendor. I would also prefer to not
have to periodically deal with this each time a new cipher appears.

Cheers,
Dave


squid-3.5.20-unknown-cipher-ignore.patch
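The suite a server selects is a plaintext field of its ServerHello, so a peeking proxy can read it even when the local OpenSSL cannot implement it. The following is an added diagnostic example, not Squid code or Dave's patch: it parses a constructed TLS 1.2 ServerHello, extracts the chosen suite, and reports whether the OpenSSL build behind Python's ssl module knows it, which is the same question the "unknown cipher returned" error answers with a failure. The sample record, the function names and the use of ssl.get_ciphers() for the lookup are assumptions of this example.

```python
import ssl
import struct

# Constructed sample, not a capture: a minimal TLS 1.2 ServerHello in which
# the server picked TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCA8).
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x03\x00\x2a"      # record header: handshake, TLS 1.2, 42 bytes
    b"\x02\x00\x00\x26"          # handshake header: ServerHello, 38 bytes
    b"\x03\x03"                  # server_version = TLS 1.2
    + bytes(range(32))           # 32-byte server random (constructed)
    + b"\x00"                    # session_id length = 0
    b"\xcc\xa8"                  # cipher_suite chosen by the server
    b"\x00"                      # compression_method = null
)

def parse_server_hello(record: bytes) -> dict:
    """Read version and cipher_suite; both are plaintext fields."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 35 + hs[34]            # skip random (hs[2:34]) and session_id
    if pos + 2 > hs_len:
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": cipher_suite}

def local_suite_names() -> dict:
    """Map 16-bit suite ids to names known to the OpenSSL behind Python's ssl."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")   # widest list this build offers
    except ssl.SSLError:
        pass                                     # fall back to the default list
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}

def diagnose(record: bytes) -> dict:
    """Name the chosen suite and say whether this OpenSSL build can implement it."""
    info = parse_server_hello(record)
    info["name"] = local_suite_names().get(info["cipher_suite"])
    info["known_locally"] = info["name"] is not None
    return info
```

On a build like the CentOS 7 OpenSSL described above, diagnose() reports known_locally False for 0xCCA8 while the suite id itself is still read correctly, which is the gap between "can peek at the handshake" and "can take part in it".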


Re: [squid-dev] Introduction

2016-01-11 Thread Kinkie
Hello Eduard,
  nice meeting you, and welcome!

On Mon, Jan 11, 2016 at 9:55 AM, Eduard Bagdasaryan
 wrote:
> Hello,
>
> I would like to participate in this mailing-list, since I am involved
> in Measurement Factory projects such as fixing Squid bugs
> and adding new features.
>
> Regards,
>
> Eduard.



-- 
Francesco


[squid-dev] Introduction

2016-01-11 Thread Eduard Bagdasaryan

Hello,

I would like to participate in this mailing-list, since I am involved
in Measurement Factory projects such as fixing Squid bugs
and adding new features.

Regards,

Eduard.