Ssl-bump deep dive (sni and access control) some success

James Lay <jlay@xxxxxxxxxxxxxxxxxxx> · Sat, 30 May 2015 09:16:19 -0600

Config first:

####################################################

acl localnet src 192.168.1.0/24

acl SSL_ports port 443

acl Safe_ports port 80

acl Safe_ports port 443

acl CONNECT method CONNECT

acl step1 at_step SslBump1

acl step2 at_step SslBump2

ssl_bump peek step1 all

#https_server_names.txt has \.google\.com, \.yahoo\.com, \.msn\.com

acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_server_names.txt"

http_access allow all

ssl_bump bump allowed_https_sites

ssl_bump terminate !allowed_https_sites

sslproxy_cert_error allow all

sslproxy_capath /etc/ssl/certs

sslproxy_flags DONT_VERIFY_PEER 

sslproxy_options ALL

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB

sslcrtd_children 5

http_port 3128 intercept

https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode 

access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?)	0	0%	0

refresh_pattern .		0	20%	4320

coredump_dir /opt/var

####################################################

so the above works to bump and filter out (the order of these lines absolutely seemed to matter) if the site you go to isn't in the allowed_https_sites acl.  The sticking point is the http_access....the above will filter https based on the allowed_https_server_names.txt, but completely allows ALL http, so this isn't complete yet.  Below is going to a site in the allowed_https_sites acl:

[08:59:44 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com

DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’

--2015-05-30 08:59:57--  https://www.msn.com/

Certificates loaded: 173

Resolving www.msn.com (www.msn.com)... 204.79.197.203

Caching www.msn.com => 204.79.197.203

Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443... connected.

Created socket 4.

Releasing 0x10503f98 (new refcount 1).

---request begin---

GET / HTTP/1.1

User-Agent: Wget/1.16 (linux-gnu)

Accept: */*

Host: www.msn.com

Connection: Keep-Alive

---request end---

HTTP request sent, awaiting response... 

---response begin---

HTTP/1.1 200 OK

<snip>

May 30 08:59:57 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:57 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" www.msn.com 200 0 TAG_NONE:ORIGINAL_DST peek

May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] "GET https://www.msn.com/ HTTP/1.1" www.msn.com 200 38288 TCP_MISS:ORIGINAL_DST bump

Going to a site not in the allowed_https_sites acl:

[09:02:12 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.weather.com

DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’

--2015-05-30 09:04:57--  https://www.weather.com/

Certificates loaded: 173

Resolving www.weather.com (www.weather.com)... 96.17.8.161, 96.17.8.138, 96.17.8.178, ...

Caching www.weather.com => 96.17.8.161 96.17.8.138 96.17.8.178 96.17.8.171

Connecting to www.weather.com (www.weather.com)|96.17.8.161|:443... connected.

Created socket 4.

Releasing 0x1098c108 (new refcount 1).

GnuTLS: The TLS connection was non-properly terminated.

Closed fd 4

Unable to establish SSL connection.

May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] "CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek

However, changing http_access to http_access allow allowed_https_sites I get:

[08:59:58 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com

DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’

--2015-05-30 09:02:12--  https://www.msn.com/

Certificates loaded: 173

Resolving www.msn.com (www.msn.com)... 204.79.197.203

Caching www.msn.com => 204.79.197.203

Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443... connected.

Created socket 4.

Releasing 0x10515f98 (new refcount 1).

The certificate's owner does not match hostname ‘www.msn.com’

May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek

Notice that peek did not get the SNI name per my %ssl::>sni in my logging statement.  So as of now I have been unable to figure out how to use access control with both http and https.  I can do one or the other, but not both so far.  Of interest, redirects from http to https do not appear to work

[08:37:39 jlay@powerbook:~/test$ wget www.yahoo.com

--2015-05-30 08:37:44--  http://www.yahoo.com/

Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.45, 206.190.36.105, 2001:4998:c:a06::2:4008

Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:80... connected.

HTTP request sent, awaiting response... 301 Moved Permanently

Location: https://www.yahoo.com/ [following]

--2015-05-30 08:37:44--  https://www.yahoo.com/

Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:443... connected.

ERROR: The certificate of ‘www.yahoo.com’ is not trusted.

ERROR: The certificate of ‘www.yahoo.com’ hasn't got a known issuer.

May 30 08:37:44 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:44 -0600] "GET http://www.yahoo.com/ HTTP/1.1" - 301 1812 TCP_MISS:ORIGINAL_DST -

May 30 08:37:45 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:45 -0600] "CONNECT 206.190.36.45:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek

Whereas direct does:

[08:37:45 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.yahoo.com

DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’

--2015-05-30 08:38:27--  https://www.yahoo.com/

Certificates loaded: 173

Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.105, 206.190.36.45, 2001:4998:c:a06::2:4008

Caching www.yahoo.com => 206.190.36.105 206.190.36.45 2001:4998:c:a06::2:4008

Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.105|:443... connected.

Created socket 4.

Releasing 0x107800d8 (new refcount 1).

---request begin---

GET / HTTP/1.1

User-Agent: Wget/1.16 (linux-gnu)

Accept: */*

Host: www.yahoo.com

Connection: Keep-Alive

<snip>

---response end---

200 OK

cdm: 1cdm: 1cdm: 1Registered socket 4 for persistent reuse.

URI content encoding = ‘utf-8’

Length: unspecified [text/html]

Saving to: ‘index.html’

May 30 08:38:27 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:27 -0600] "CONNECT 206.190.36.105:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek

May 30 08:38:28 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:28 -0600] "GET https://www.yahoo.com/ HTTP/1.1" www.yahoo.com 200 325776 TCP_MISS:ORIGINAL_DST bump

I'm getting close...Amos if you're out there maybe you can shed some light on the above.  Been at this for 5 hours now..happy Saturday!

James

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users