Re: [squid-dev] [PATCH] splicing resumed sessions

[Tsantilas Christos]

Hi Amos,

   I make a new patch for squid-3.5. Use this one it should be OK.
It include changes from r14013.



On 04/13/2015 03:49 PM, Amos Jeffries wrote:

On 11/04/2015 10:01 p.m., Tsantilas Christos wrote:

Patch applied as r14012.
I am attaching the t13 patch for squid-3.5 too.



I've backported the server_name ACL patch before this one and your 3.5
patch does not seem to apply well on top of it.

However the regular backport method bzr merge -r15011..14013 trunk
seems to have only one minor collision.

I'm unsure its doing the right things though. Comparing your patch to
the changeset bzr merge produces I see these two odd chunks (in relation
to the server_name ACL changes):

--- christos.patch  2015-04-13 04:54:19.678645218 -0700
+++ bzr_merge.patch   2015-04-13 04:33:23.514618772 -0700
@@ -599,19 +598,15 @@
  +return helloMsgSize;
  +}
  +
- bool
--Ssl::Bio::sslFeatures::get(const unsigned char *hello)
++bool
  +Ssl::Bio::sslFeatures::checkForCcsOrNst(const unsigned char *msg,
size_t size)
- {
--// The SSL handshake message should starts with a 0x16 byte
--if (hello[0] == 0x16) {
--return parseV3Hello(hello);
++{
  +while (size  5) {
  +const int msgType = msg[0];
  +const int msgSslVersion = (msg[1]  8) | msg[2];
  +debugs(83, 7, SSL Message Version :  std::hex 
std::setw(8)  std::setfill('0')  msgSslVersion);
  +// Check for Change Cipher Spec message
-+// RFC5246 section 6.2.1
++// RFC5246 section 6.2.1
  +if (msgType == 0x14) {// Change Cipher Spec message found
  +debugs(83, 7, SSL  Change Cipher Spec message found);
  +return true;
@@ -636,9 +631,13 @@
  +return false;
  +}
  +
-+bool
+ bool
+-Ssl::Bio::sslFeatures::get(const unsigned char *hello)
  +Ssl::Bio::sslFeatures::get(const MemBuf buf, bool record)
-+{
+ {
+-// The SSL handshake message should starts with a 0x16 byte
+-if (hello[0] == 0x16) {
+-return parseV3Hello(hello);
  +int msgSize;
  +if ((msgSize = parseMsgHead(buf)) = 0) {
  +debugs(83, 7, Not a known SSL handshake message);


If you can try the bzr merge and confirm the diff/changeset is correct I
will do that normal cherrypicking backport.

Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev



Splicing resuming sessions

This patch adds code in squid to control SslBump behavior when dealing with
resuming SSL/TLS sessions. Without these changes, SslBump usually terminates
all resuming sessions with an error because such sessions do not include
server certificates, preventing Squid from successfully validating the server
identity.

After these changes, Squid splices resuming sessions. Splicing is the right
because Squid most likely has spliced the original connections that the client
and server are trying to resume now.
Without SslBump, session resumption would just work, and SslBump behaviour
should approach that ideal.

Future projects may add ACL checks for allowing resuming sessions and may
add more complex algorithms, including maintaining an SMP-shared
cache of sessions that may be resumed in the future and evaluating
client/server attempts to resume a session using that cache.

This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.

Also add support for NPN (next protocol negotiation) and ALPN (Application-Layer Protocol Negotiation) tls extensions, required to correctly bump web clients
support these extensions

Technical details
-

In Peek mode, the old Squid code would forward the client Hello message to the
server. If the server tries to resume the previous (spliced) SSL session with
the client, then Squid SSL code gets an ssl/PeerConnector.cc ccs received
early error (or similar) because the Squid SSL object expects a server
certificate and does not know anything about the session being resumed.

With this patch, Squid detects session resumption attempts and splices

Session resumption detection


There are two mechanism in SSL/TLS for resuming sessions. The traditional
shared session IDs and the TLS ticket extensions:

* If Squid detects a shared ID in both client and server Hello messages, then
Squid decides whether the session is being resumed by comparing those client
and server shared IDs. If (and only if) the IDs are the same, then Squid
assumes that it is dealing with a resuming session (using session IDs).

* If Squid detects a TLS ticket in the client Hello message and TLS ticket
support in the server Hello message as well as a Change Cipher Spec or a New
TLS Ticket message (following the server Hello message), then (and only then)
Squid assumes that it is dealing with a resuming session (using TLS tickets).

The TLS tickets check is not performed if Squid detects a shared session ID
in both client and 

Re: [squid-dev] [PATCH] splicing resumed sessions

[Amos Jeffries]

On 11/04/2015 10:01 p.m., Tsantilas Christos wrote:
 Patch applied as r14012.
 I am attaching the t13 patch for squid-3.5 too.
 

I've backported the server_name ACL patch before this one and your 3.5
patch does not seem to apply well on top of it.

However the regular backport method bzr merge -r15011..14013 trunk
seems to have only one minor collision.

I'm unsure its doing the right things though. Comparing your patch to
the changeset bzr merge produces I see these two odd chunks (in relation
to the server_name ACL changes):

--- christos.patch  2015-04-13 04:54:19.678645218 -0700
+++ bzr_merge.patch   2015-04-13 04:33:23.514618772 -0700
@@ -599,19 +598,15 @@
 +return helloMsgSize;
 +}
 +
- bool
--Ssl::Bio::sslFeatures::get(const unsigned char *hello)
++bool
 +Ssl::Bio::sslFeatures::checkForCcsOrNst(const unsigned char *msg,
size_t size)
- {
--// The SSL handshake message should starts with a 0x16 byte
--if (hello[0] == 0x16) {
--return parseV3Hello(hello);
++{
 +while (size  5) {
 +const int msgType = msg[0];
 +const int msgSslVersion = (msg[1]  8) | msg[2];
 +debugs(83, 7, SSL Message Version :  std::hex 
std::setw(8)  std::setfill('0')  msgSslVersion);
 +// Check for Change Cipher Spec message
-+// RFC5246 section 6.2.1
++// RFC5246 section 6.2.1
 +if (msgType == 0x14) {// Change Cipher Spec message found
 +debugs(83, 7, SSL  Change Cipher Spec message found);
 +return true;
@@ -636,9 +631,13 @@
 +return false;
 +}
 +
-+bool
+ bool
+-Ssl::Bio::sslFeatures::get(const unsigned char *hello)
 +Ssl::Bio::sslFeatures::get(const MemBuf buf, bool record)
-+{
+ {
+-// The SSL handshake message should starts with a 0x16 byte
+-if (hello[0] == 0x16) {
+-return parseV3Hello(hello);
 +int msgSize;
 +if ((msgSize = parseMsgHead(buf)) = 0) {
 +debugs(83, 7, Not a known SSL handshake message);


If you can try the bzr merge and confirm the diff/changeset is correct I
will do that normal cherrypicking backport.

Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] splicing resumed sessions

[Tsantilas Christos]

Patch applied as r14012.
I am attaching the t13 patch for squid-3.5 too.


On 04/11/2015 06:18 AM, Amos Jeffries wrote:

On 11/04/2015 1:49 a.m., Tsantilas Christos wrote:

I am attaching patch for trunk and squid-3.5



Thank you. Looks pretty good now.


On 04/09/2015 04:13 PM, Amos Jeffries wrote:


* Ssl::Bio::sslFeatures::parseV3Hello()
   - similar issues with s/Client Hello/ClientHello/ and SSL Extension
as above.


I did it only for the comments added or modified by this patch to avoid
increasing the size of this patch.
If required we can do it as separate patch.


Theres still one s/SSL Extension/TLS Extension/ near the end of this method.


* Ssl::Bio::sslFeatures::print()
   - seems to be lacking display of ALPN received
   - missing the format details for sslVersion used elsewhere:
   std::hex  std::setw(8)  std::setfill('0')



I did not fix this. The ALPN is in an encoded form and requires some
development to correctly print it. We do not have to gain something
implementing this.
Also the Ssl::Bio::sslFeatures::print currently is not used. It is here
for using it for debugging if required.



That means the print() will be incomplete, and needs a TODO added about
the above.





* parseMsgHead() documentation about return result 0 is wrong.
- it does not return 0 when the contents of the buffer are a TLS
(non-SSL) message.


This is what it does!



The .h comment says it will return a negative number if the Hello
message is not SSL. TLS != SSL.

For the case of head[0] == 0x16 the only SSL indicator (SSLv3) is
*exactly* {0x16, 0x03, 0x00}

For TLS versions that final 0x00 byte changes. The method correctly
accepts those and returns the Hello size (N0) - in contradiction to
what is documented.
The comment should either say SSLv3 or TLS, or not mention the
protocol name at all.


OK I made this fixes too.




+1. I dont think this needs another review, once those comments are
added/updated it can merge.


Amos
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev



Splicing resuming sessions

This patch adds code in squid to control SslBump behavior when dealing with
resuming SSL/TLS sessions. Without these changes, SslBump usually terminates
all resuming sessions with an error because such sessions do not include
server certificates, preventing Squid from successfully validating the server
identity.

After these changes, Squid splices resuming sessions. Splicing is the right
because Squid most likely has spliced the original connections that the client
and server are trying to resume now.
Without SslBump, session resumption would just work, and SslBump behaviour
should approach that ideal.

Future projects may add ACL checks for allowing resuming sessions and may
add more complex algorithms, including maintaining an SMP-shared
cache of sessions that may be resumed in the future and evaluating
client/server attempts to resume a session using that cache.

This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.

Also add support for NPN (next protocol negotiation) and ALPN (Application-Layer Protocol Negotiation) tls extensions, required to correctly bump web clients
support these extensions

Technical details
-

In Peek mode, the old Squid code would forward the client Hello message to the
server. If the server tries to resume the previous (spliced) SSL session with
the client, then Squid SSL code gets an ssl/PeerConnector.cc ccs received
early error (or similar) because the Squid SSL object expects a server
certificate and does not know anything about the session being resumed.

With this patch, Squid detects session resumption attempts and splices


Session resumption detection


There are two mechanism in SSL/TLS for resuming sessions. The traditional
shared session IDs and the TLS ticket extensions:

* If Squid detects a shared ID in both client and server Hello messages, then
Squid decides whether the session is being resumed by comparing those client
and server shared IDs. If (and only if) the IDs are the same, then Squid
assumes that it is dealing with a resuming session (using session IDs).

* If Squid detects a TLS ticket in the client Hello message and TLS ticket
support in the server Hello message as well as a Change Cipher Spec or a New
TLS Ticket message (following the server Hello message), then (and only then)
Squid assumes that it is dealing with a resuming session (using TLS tickets).

The TLS tickets check is not performed if Squid detects a shared session ID
in both client and server Hello messages.

NPN and ALPN tls extensions
---

Even if squid has some SSL hello messages parsing code, we are relying to 
openSSL for full parsing. The openSSL used in peek and splice mode to  parse
server hello message, check for errors and verify server 

Re: [squid-dev] [PATCH] splicing resumed sessions

[Amos Jeffries]

On 11/04/2015 1:49 a.m., Tsantilas Christos wrote:
 I am attaching patch for trunk and squid-3.5
 

Thank you. Looks pretty good now.

 On 04/09/2015 04:13 PM, Amos Jeffries wrote:

 * Ssl::Bio::sslFeatures::parseV3Hello()
   - similar issues with s/Client Hello/ClientHello/ and SSL Extension
 as above.
 
 I did it only for the comments added or modified by this patch to avoid
 increasing the size of this patch.
 If required we can do it as separate patch.

Theres still one s/SSL Extension/TLS Extension/ near the end of this method.

 * Ssl::Bio::sslFeatures::print()
   - seems to be lacking display of ALPN received
   - missing the format details for sslVersion used elsewhere:
   std::hex  std::setw(8)  std::setfill('0')
 
 
 I did not fix this. The ALPN is in an encoded form and requires some
 development to correctly print it. We do not have to gain something
 implementing this.
 Also the Ssl::Bio::sslFeatures::print currently is not used. It is here
 for using it for debugging if required.
 

That means the print() will be incomplete, and needs a TODO added about
the above.

 

 * parseMsgHead() documentation about return result 0 is wrong.
- it does not return 0 when the contents of the buffer are a TLS
 (non-SSL) message.
 
 This is what it does!
 

The .h comment says it will return a negative number if the Hello
message is not SSL. TLS != SSL.

For the case of head[0] == 0x16 the only SSL indicator (SSLv3) is
*exactly* {0x16, 0x03, 0x00}

For TLS versions that final 0x00 byte changes. The method correctly
accepts those and returns the Hello size (N0) - in contradiction to
what is documented.
The comment should either say SSLv3 or TLS, or not mention the
protocol name at all.


+1. I dont think this needs another review, once those comments are
added/updated it can merge.


Amos
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] splicing resumed sessions

[Tsantilas Christos]

A new version of the patch.

This is removes the ssl_bump_resuming_sessions directive, includes many 
fixes over the previous patch.
Also include support for NPN and ALPN tls extensions, required to 
correctly bump SSL connections.
Please read carefully the patch preamble , specially the technical note 
part.


The resumed sessions and the NPN/ALPN extensions problem appeared in 
squid after our decision to not allow splicing of connections for which 
we do not have access on the server certificates. The resumed sessions 
does not include server certificates, and the NPN/ALPN extensions causes 
openSSL to abort before retrieve and verify server certificates.


The problem affects the ssl bumping and make it unusable for many cases. 
Many of the problems which reported by the users for squid-3.5 should be 
related to this.
So probably this patch should applied to squid-3.5 too. If yes I will 
post the patch for squid-3.5 too.


Regards,
   Christos



On 03/17/2015 07:21 PM, Tsantilas Christos wrote:

This patch adds the ssl_bump_resuming_sessions directive that controls
SslBump behavior when dealing with resuming SSL/TLS sessions. Without
these changes, SslBump usually terminates all resuming sessions with an
error because such sessions do not include server certificates,
preventing Squid from successfully validating the server identity.

After these changes, Squid either terminates or splices resuming
sessions, depending on configuration. Splicing is the right default
because Squid most likely has spliced the original connections that the
client and server are trying to resume now.  Most likely, the splicing
decision would not change now (but the lack of the server certificate
information means we cannot repeat the original ACL checks and need a
special directive to tell Squid what to do). Also, without SslBump,
session resumption would just work, and SslBump default should approach
that ideal.

In many deployment scenarios, this straightforward splice or terminate
resuming sessions implementation is exactly what the admin wants.
Future projects may add more complex algorithms, including maintaining
an SMP-shared cache of sessions that may be resumed in the future and
evaluating client/server attempts to resume a session using that cache.


Example:
   # splice all resuming sessions [this is the default]
   ssl_bump_resuming_sessions allow all

This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.

This patch also prevents occasional segfaults when dealing with SSL
cache_peer negotiation failures.

The last two changes should applied to squid-3.5 even if this patch will
not go into squid-3.5.

Regards,
Christos



Added ssl_bump_resuming_sessions to control treatment of resuming sessions
by SslBump.

This patch adds code in squid to control SslBump behavior when dealing with
resuming SSL/TLS sessions. Without these changes, SslBump usually terminates
all resuming sessions with an error because such sessions do not include
server certificates, preventing Squid from successfully validating the server
identity.

After these changes, Squid splices resuming sessions. Splicing is the right
because Squid most likely has spliced the original connections that the client
and server are trying to resume now.
Without SslBump, session resumption would just work, and SslBump behaviour
should approach that ideal.

Future projects may add ACL checks for allowing resuming sessions and may
add more complex algorithms, including maintaining an SMP-shared
cache of sessions that may be resumed in the future and evaluating
client/server attempts to resume a session using that cache.

This patch also makes SSL client Hello message parsing more robust and
adds an SSL server Hello message parser.

Also add support for NPN (next protocol negotiation) and ALPN (Application-Layer Protocol Negotiation) tls extensions, required to correctly bump web clients
support these extensions

Technical details
-

In Peek mode, the old Squid code would forward the client Hello message to the
server. If the server tries to resume the previous (spliced) SSL session with
the client, then Squid SSL code gets an ssl/PeerConnector.cc ccs received
early error (or similar) because the Squid SSL object expects a server
certificate and does not know anything about the session being resumed.

With this patch, Squid detects session resumption attempts and splices


Session resumption detection


There are two mechanism in SSL/TLS for resuming sessions. The traditional
shared session IDs and the TLS ticket extensions:

* If Squid detects a shared ID in both client and server Hello messages, then
Squid decides whether the session is being resumed by comparing those client
and server shared IDs. If (and only if) the IDs are the same, then Squid
assumes that it is dealing with a resuming session (using session IDs).

* If Squid detects a TLS ticket in the 

Re: [squid-dev] [PATCH] splicing resumed sessions

[Alex Rousskov]

On 04/09/2015 07:13 AM, Amos Jeffries wrote:

 So for now this patch is okay, but we/you should already be thinking
 about how to auto-translate NPN from clients into ALPN to servers.


Please keep in mind that it is not possible to translate something and
still splice a new SSL session (the client checksum will mismatch if we
alter its handshake bytes).

I am not 100% sure about resumed sessions, but I would expect them to
use the same level of handshake modification protection, preventing
splicing of resumed SSL connections with translated handshakes.

Optional translation for bumped sessions sounds like a potentially
useful feature, but let's wait for somebody actually needing it.

For regular (no SslBump) reverse proxy connections to SSL servers, there
is no _translation_ because Squid just sends whatever extensions it
(i.e., OpenSSL) supports, including NPN and/or ALPN.


Cheers,

Alex.

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] splicing resumed sessions

[Alex Rousskov]

On 04/08/2015 07:13 PM, Amos Jeffries wrote:
 On 4/04/2015 9:17 a.m., Alex Rousskov wrote:
 On 03/27/2015 05:58 AM, Amos Jeffries wrote:
 Indeed. Its the hostname vs SNI case we can check and SHOULD do so. The
 raw-IP ones we can skip the check. Some nasties will still get passed,
 but less than without any checks.


 This is all outside this patch scope though, right?! Whether or not
 Squid should compare peeked SNI with CONNECT hostname seems totally
 unrelated to splicing of resumed sessions. If so, let's get this fix in
 and [continue to] discuss what kind of additional checks to add to
 SslBump separately.

 While I disagree that adding the security related checks after the fact
 is a good approach, I can live with it.

Great. If it is any comfort, this is not really after the fact. The
two issues are orthogonal. One could add more checks before, after, or
even instead the fix proposed on this thread.


 The config directive does need to go though.

No objections.


 Christos said on IRC there were some issues after updating the patch. So
 I'm unsure if it will need another review before merge. If you want to
 make that call, I'll go with it.

Christos is in a better position to make that call than I am. Either way
is OK with me. Just do not want to delay this much further without a
good reason because there are several pending patches and fixes that
start to conflict with each other.


Thank you,

Alex.

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] splicing resumed sessions

[Amos Jeffries]

On 25/03/2015 8:35 p.m., Tsantilas Christos wrote:
 On 03/21/2015 07:45 AM, Amos Jeffries wrote:
 On 21/03/2015 10:47 a.m., Alex Rousskov wrote:
 On 03/20/2015 12:11 PM, Amos Jeffries wrote:
 On 21/03/2015 4:35 a.m., Alex Rousskov wrote:
 On 03/20/2015 02:06 AM, Amos Jeffries wrote:
 On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
 This patch adds the ssl_bump_resuming_sessions directive that
 controls
 SslBump behavior when dealing with resuming SSL/TLS sessions.
 Without
 these changes, SslBump usually terminates all resuming sessions
 with an
 error because such sessions do not include server certificates,
 preventing Squid from successfully validating the server identity.


 Squid is behaving wrong right now. Fix that.

 Yes, the proposed patch fixes that.


 I dont see any need for the new directive to exist

 We can remove the configuration option. The option was added to minimize
 the chance that you will object to the patch because, without the new
 option, the old terminate behavior would be lost. Clearly, my plan to
 avoid that discussion has failed! Removing the configuration option is
 totally fine with me because nobody has asked for it [yet]. We can
 always add it later if needed.


 The validation I'm talking about is the spec requirement that we dont
 allow the following scenario:

CONNECT example.com:443 HTTP/1.1
...
ClientHello SNI:  example.org


 I still think this part of the discussion is out of scope, but is there
 really a spec requirement that talks about comparing CONNECT- and
 SNI-provided server names? Where? CONNECT is about blind TCP *tunnels*.
 SNI is about becoming an *end point* of a TLS connection. Those two
 things seem mutually exclusive to me.


 * if the CONNECT and SNI both contain different domains the
 specification says SSL MUST terminate with a specified reject error.

 Which specification? RFC 2818 does not mention CONNECT. It contains some
 requirements for HTTP clients, but Squid is not an HTTP client in this
 issue scope; Squid is a TCP client.


 Sorry the specifics here are mostly in RFC 6066 section 3, the final two
 paragraphs.
   http://tools.ietf.org/html/rfc6066#section-3
 
   If an application negotiates a server name using an application
   protocol and then upgrades to TLS, and if a server_name extension is
   sent, then the extension SHOULD contain the same name that was
   negotiated in the application protocol.  If the server_name is
   established in the TLS session handshake, the client SHOULD NOT
   attempt to request a different server name at the application layer.
 

   ie CONNECT with hostname contains the same value as SNI from the
 client.

 RFC 2818 section 3.1 leads into that with its paragraph 2,
 
   If the client has external information as to the expected identity of
   the server, the hostname check MAY be omitted.
   ...
   In such cases, it is important to narrow the scope of
   acceptable certificates as much as possible in order to prevent man
   in the middle attacks.  In special cases, it may be appropriate for
   the client to simply ignore the server's identity, but it must be
   understood that this leaves the connection open to active attack.
 

 such narrowing can be Squid doing the check that CONNECT == SNI and
 aborting if not.
 My emphasis is in doing what we can to avoid that risk indicated in the
 final line.

 
 At the first stages of the ssl bumping , I remember that there was cases
 where the browser used the IP address in CONNECT request and not the
 hostname. I do not know if there are still browsers which uses the same
 form.

I covered that. We ignore raw-IP in CONNECT. The vulnerability is when
the client sending false CONNECT URI/domain gets past security
permissions. With raw-IP that does not work nearly so easily.


 
 I must note that the SSL-bumping is not covered by any RFC.
 It is not something it should happen, because IT IS a man in the middle.

Which is precisely why we should be careful to be well behaved and do
what verification we can to avoid bad behaviour happening over the
proxy. We cannot catch every case, but preventing even some cases is a
good increase in security.


 The proxy is not expected to validate the client HELLO SNI information,
 with the CONNECT hostname, should not interposed into the client/server
 negotiation.


In the case of a CONNECT we are essentially pretending that SSL-Bump was
an Upgrade request:

If an application negotiates a server name using an application protocol
and then upgrades to TLS, then the extension SHOULD contain the same
name that was negotiated in the application protocol.

(http://tools.ietf.org/html/rfc6066#section-3)

All I am saying is that we should / SHOULD enforce that requirement in
the spirit of the standard even though technically MITM cases are
officially not mentioned by any IETF document.



 The browsers can use either the IP or hostname in CONNECT string,
 nothing prevents them for doing this.

Indeed. Its the hostname 

Re: [squid-dev] [PATCH] splicing resumed sessions

[Amos Jeffries]

On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
 This patch adds the ssl_bump_resuming_sessions directive that controls
 SslBump behavior when dealing with resuming SSL/TLS sessions. Without
 these changes, SslBump usually terminates all resuming sessions with an
 error because such sessions do not include server certificates,
 preventing Squid from successfully validating the server identity.
 

The RFC 2818 has mandatory validation of the HTTP CONNECT, client SNI
(with server ack), and server certificate dNSname values before session
resume may be performed.

I dont think we have any such validation in Squid yet. So the current
behaviour of terminate is mandatory for compliance with TLS.

Amos

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] splicing resumed sessions

[Amos Jeffries]

On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
 This patch adds the ssl_bump_resuming_sessions directive that controls
 SslBump behavior when dealing with resuming SSL/TLS sessions. Without
 these changes, SslBump usually terminates all resuming sessions with an
 error because such sessions do not include server certificates,
 preventing Squid from successfully validating the server identity.
 
 After these changes, Squid either terminates or splices resuming
 sessions, depending on configuration. Splicing is the right default
 because Squid most likely has spliced the original connections that the
 client and server are trying to resume now.  Most likely, the splicing
 decision would not change now (but the lack of the server certificate
 information means we cannot repeat the original ACL checks and need a
 special directive to tell Squid what to do). Also, without SslBump,
 session resumption would just work, and SslBump default should approach
 that ideal.
 
 In many deployment scenarios, this straightforward splice or terminate
 resuming sessions implementation is exactly what the admin wants.
 Future projects may add more complex algorithms, including maintaining
 an SMP-shared cache of sessions that may be resumed in the future and
 evaluating client/server attempts to resume a session using that cache.
 
 
 Example:
   # splice all resuming sessions [this is the default]
   ssl_bump_resuming_sessions allow all
 
 This patch also makes SSL client Hello message parsing more robust and
 adds an SSL server Hello message parser.
 
 This patch also prevents occasional segfaults when dealing with SSL
 cache_peer negotiation failures.
 
 The last two changes should applied to squid-3.5 even if this patch will
 not go into squid-3.5.
 

As discussed in the other branch of this thread, please remove the
access control directive until its actually required.

I think the whole thing can go back to 3.5 if its applying cleanly.


in src/ssl/bio.cc

* has many places with unnecessary whitespace additions.
 Such as  size ),   size), and   sessIdLen);



in src/ssl/bio.h
* parseV3ServerHello() documented as what is a v3 server Hello A
message. ?
 - looks like the 'A' is misplaced, or there is a RFC reference missing
that would explain better.


+1. Otherwise, looks good to me.

Amos


___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] splicing resumed sessions

[Amos Jeffries]

On 21/03/2015 4:35 a.m., Alex Rousskov wrote:
 On 03/20/2015 02:06 AM, Amos Jeffries wrote:
 On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
 This patch adds the ssl_bump_resuming_sessions directive that controls
 SslBump behavior when dealing with resuming SSL/TLS sessions. Without
 these changes, SslBump usually terminates all resuming sessions with an
 error because such sessions do not include server certificates,
 preventing Squid from successfully validating the server identity.
 
 
 The RFC 2818 has mandatory validation of the HTTP CONNECT, client SNI
 (with server ack), and server certificate dNSname values before session
 resume may be performed.
 
 
 I am afraid you have misunderstood the problem domain because RFC 2818
 is irrelevant here. That RFC is about sending HTTP over TLS. Here, Squid
 does not establish a secure HTTP connection with the client or server so
 Squid is not subject to that RFC (the client and server are).
 
 Without the patch, a client and server cannot resume secure sessions.
 Users suffer from disconnects and various associated errors even though
 Squid does not bump their connections. With the patch, things work, and
 work without violating any TLS/SSL rules. Moreover, an admin can now
 explicitly control whether resumed sessions are allowed or not (the
 default allow is what nearly everybody should want).


Squid is behaving wrong right now. Fix that.

I dont see any need for the new directive to exist because Squid should
be resuming by default and terminate the SSL only when the domain checks
which are possible confirm bad behaviour.

It sounds a bit like a fail open, but is actually an opportunistic
terminate [see below].


 
 I dont think we have any such validation in Squid yet. So the current
 behaviour of terminate is mandatory for compliance with TLS.
 
 
 As Christos has said, proper validation is impossible in this case even
 if we wanted to do it: Squid most likely have already spliced the
 previous TLS session (a compliant behavior!) and now does not have
 enough information to validate the new connection to the server (because
 the server does not send its certificate during session resumption) and
 splices the connections again.
 

I think we are talking past each other here again, and again its the
word validation. Previous connection has nothing to do with it. HTTP
messages inside the previous connection have nothing to do with it.

 HTTP, TLS, and SSL RFCs do not apply to traffic on spliced connections.
 When splicing, Squid works as a TCP proxy. The fact that Squid may have
 peeked into the connections (before deciding to splice them) is
 irrelevant because that peeking did not affect the security of those
 connections.


The validation I'm talking about is the spec requirement that we dont
allow the following scenario:

  CONNECT example.com:443 HTTP/1.1
  ...
  ClientHello SNI:  example.org


* if the CONNECT contains a raw-IP we can ignore it.
 - this includes our fake-CONNECT on intercept.

* if the SNI is missing we can ignore it.

* if the CONNECT and SNI both contain different domains the
specification says SSL MUST terminate with a specified reject error.

  - CONNECT having a domain means we are in the RFC 2818 scenario of
TLS-over-HTTP.

  - checking and terminating ourselves helps protect naive/old servers
against SNI abuses.

  - given what Squid is doing, we are allowed to just splice always and
let the endpoints do the error stuff. BUT, that is a waste of resources
when we could abort early and log a nice alert.

In all other cases we can allow the splice to resume with no loss of
safety. The endpoints will do (or not) anything they would do anyway
without the proxy.


So ...
 if we allow an admin directive it would be to force terminate when
resume was otherwise allowed.

 1) Do you have any existing need for that?

 2) Would not ssl_bump terminate blah be a better way to express the
policy?


I think we should fix the currently broken Squid behaviour without a new
directive.

Amos
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev

Re: [squid-dev] [PATCH] splicing resumed sessions

[Alex Rousskov]

On 03/20/2015 12:11 PM, Amos Jeffries wrote:
 On 21/03/2015 4:35 a.m., Alex Rousskov wrote:
 On 03/20/2015 02:06 AM, Amos Jeffries wrote:
 On 18/03/2015 6:21 a.m., Tsantilas Christos wrote:
 This patch adds the ssl_bump_resuming_sessions directive that controls
 SslBump behavior when dealing with resuming SSL/TLS sessions. Without
 these changes, SslBump usually terminates all resuming sessions with an
 error because such sessions do not include server certificates,
 preventing Squid from successfully validating the server identity.


 Squid is behaving wrong right now. Fix that.

Yes, the proposed patch fixes that.


 I dont see any need for the new directive to exist

We can remove the configuration option. The option was added to minimize
the chance that you will object to the patch because, without the new
option, the old terminate behavior would be lost. Clearly, my plan to
avoid that discussion has failed! Removing the configuration option is
totally fine with me because nobody has asked for it [yet]. We can
always add it later if needed.


 The validation I'm talking about is the spec requirement that we dont
 allow the following scenario:
 
   CONNECT example.com:443 HTTP/1.1
   ...
   ClientHello SNI:  example.org


I still think this part of the discussion is out of scope, but is there
really a spec requirement that talks about comparing CONNECT- and
SNI-provided server names? Where? CONNECT is about blind TCP *tunnels*.
SNI is about becoming an *end point* of a TLS connection. Those two
things seem mutually exclusive to me.


 * if the CONNECT and SNI both contain different domains the
 specification says SSL MUST terminate with a specified reject error.

Which specification? RFC 2818 does not mention CONNECT. It contains some
requirements for HTTP clients, but Squid is not an HTTP client in this
issue scope; Squid is a TCP client.


   - CONNECT having a domain means we are in the RFC 2818 scenario of
 TLS-over-HTTP.

No, CONNECT means establish a TCP tunnel by splicing client and server
TCP connections together. CONNECT does not imply SSL or TLS. When Squid
bumps a secure connection, then Squid becomes subject to various SSL and
TLS rules. Here, we are not bumping anything, just splicing at TCP level.


   - given what Squid is doing, we are allowed to just splice always and
 let the endpoints do the error stuff. BUT, that is a waste of resources
 when we could abort early and log a nice alert.

Yes, there are cases where doing error stuff in Squid is useful, and
there are cases where it is harmful. There are cases where logging a
nice alert is useful and cases where it is at best pointless (unless
the client gets an error message as well). This patch does not try to
improve any of that doing error stuff. I am certainly not against
adding [more] SNI checks, but not as a part of the fix for an
SNI-unrelated error.


 In all other cases we can allow the splice to resume with no loss of
 safety. The endpoints will do (or not) anything they would do anyway
 without the proxy.

I do not think the proposed changes _introduce_ a safety loss in *any*
case. They just make session resumption work in the presence of a
splicing Squid. Could Squid check more things? Yes! Are those additional
checks both trivial to add and relevant to this fix? No.


 So ...
  if we allow an admin directive it would be to force terminate when
 resume was otherwise allowed.

Yes.


  1) Do you have any existing need for that?

None other than avoiding this discussion, which has already failed to work.


  2) Would not ssl_bump terminate blah be a better way to express the
 policy?

Probably not. We have considered that design, but most ssl_bump rules
rely on information unavailable when sessions are resumed. If we force
admins to use ssl_bump to control which resuming sessions are
terminated, the ssl_bump rules become needlessly complex and difficult
to write correctly.


 I think we should fix the currently broken Squid behaviour without a new
 directive.

Sounds good to me! If we do not hear otherwise, we will commit the
proposed patch without the new [already optional] directive.


Thank you,

Alex.

___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev