Ssl-bump deep dive (sni and access control) some success

Config first:

####################################################
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443

acl CONNECT method CONNECT

acl step1 at_step SslBump1
acl step2 at_step SslBump2

ssl_bump peek step1 all
#https_server_names.txt has \.google\.com, \.yahoo\.com, \.msn\.com
acl allowed_https_sites ssl::server_name_regex "/opt/etc/squid/https_server_names.txt"

http_access allow all

ssl_bump bump allowed_https_sites
ssl_bump terminate !allowed_https_sites

sslproxy_cert_error allow all
sslproxy_capath /etc/ssl/certs
sslproxy_flags DONT_VERIFY_PEER
sslproxy_options ALL

sslcrtd_program /opt/libexec/ssl_crtd -s /opt/var/ssl_db -M 4MB
sslcrtd_children 5

http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/opt/etc/squid/certs/sslsplit_ca_cert.pem cafile=/opt/etc/squid/certs/sslsplit_ca_cert.pem key=/opt/etc/squid/certs/sslsplit_ca_key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode

access_log syslog:daemon.info mine

refresh_pattern -i (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

coredump_dir /opt/var
####################################################


So the above works to bump and filter out (the order of these lines absolutely seemed to matter) if the site you go to isn't in the allowed_https_sites acl. The sticking point is the http_access... the above will filter https based on the allowed_https_server_names.txt, but completely allows ALL http, so this isn't complete yet. Below is going to a site in the allowed_https_sites acl:

[08:59:44 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 08:59:57--  https://www.msn.com/
Certificates loaded: 173
Resolving www.msn.com (www.msn.com)... 204.79.197.203
Caching www.msn.com => 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443... connected.
Created socket 4.
Releasing 0x10503f98 (new refcount 1).

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: www.msn.com
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
<snip>

May 30 08:59:57 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:57 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" www.msn.com 200 0 TAG_NONE:ORIGINAL_DST peek
May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] "GET https://www.msn.com/ HTTP/1.1" www.msn.com 200 38288 TCP_MISS:ORIGINAL_DST bump

Going to a site not in the allowed_https_sites acl:

[09:02:12 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.weather.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 09:04:57--  https://www.weather.com/
Certificates loaded: 173
Resolving www.weather.com (www.weather.com)... 96.17.8.161, 96.17.8.138, 96.17.8.178, ...
Caching www.weather.com => 96.17.8.161 96.17.8.138 96.17.8.178 96.17.8.171
Connecting to www.weather.com (www.weather.com)|96.17.8.161|:443... connected.
Created socket 4.
Releasing 0x1098c108 (new refcount 1).
GnuTLS: The TLS connection was non-properly terminated.
Closed fd 4
Unable to establish SSL connection.

May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] "CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek

However, changing http_access to http_access allow allowed_https_sites, I get:

[08:59:58 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.msn.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 09:02:12--  https://www.msn.com/
Certificates loaded: 173
Resolving www.msn.com (www.msn.com)... 204.79.197.203
Caching www.msn.com => 204.79.197.203
Connecting to www.msn.com (www.msn.com)|204.79.197.203|:443... connected.
Created socket 4.
Releasing 0x10515f98 (new refcount 1).
The certificate's owner does not match hostname ‘www.msn.com’

May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] "CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek

Notice that peek did not get the SNI name per my %ssl::>sni in my logging statement. So as of now I have been unable to figure out how to use access control with both http and https. I can do one or the other, but not both so far. Of interest, redirects from http to https do not appear to work:

[08:37:39 jlay@powerbook:~/test$ wget www.yahoo.com
--2015-05-30 08:37:44--  http://www.yahoo.com/
Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.45, 206.190.36.105, 2001:4998:c:a06::2:4008
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.yahoo.com/ [following]
--2015-05-30 08:37:44--  https://www.yahoo.com/
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.45|:443... connected.
ERROR: The certificate of ‘www.yahoo.com’ is not trusted.
ERROR: The certificate of ‘www.yahoo.com’ hasn't got a known issuer.

May 30 08:37:44 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:44 -0600] "GET http://www.yahoo.com/ HTTP/1.1" - 301 1812 TCP_MISS:ORIGINAL_DST -
May 30 08:37:45 analysis squid: 192.168.1.73 - - [30/May/2015:08:37:45 -0600] "CONNECT 206.190.36.45:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek

Whereas direct does:

[08:37:45 jlay@powerbook:~/test$ wget --ca-certificate=/etc/ssl/certs/sslsplit_ca_cert.pem -d https://www.yahoo.com
DEBUG output created by Wget 1.16 on linux-gnu.

URI encoding = ‘UTF-8’
--2015-05-30 08:38:27--  https://www.yahoo.com/
Certificates loaded: 173
Resolving www.yahoo.com (www.yahoo.com)... 206.190.36.105, 206.190.36.45, 2001:4998:c:a06::2:4008
Caching www.yahoo.com => 206.190.36.105 206.190.36.45 2001:4998:c:a06::2:4008
Connecting to www.yahoo.com (www.yahoo.com)|206.190.36.105|:443... connected.
Created socket 4.
Releasing 0x107800d8 (new refcount 1).

---request begin---
GET / HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: www.yahoo.com
Connection: Keep-Alive

<snip>

---response end---
200 OK
cdm: 1cdm: 1cdm: 1Registered socket 4 for persistent reuse.
URI content encoding = ‘utf-8’
Length: unspecified [text/html]
Saving to: ‘index.html’

May 30 08:38:27 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:27 -0600] "CONNECT 206.190.36.105:443 HTTP/1.1" www.yahoo.com 200 0 TAG_NONE:ORIGINAL_DST peek
May 30 08:38:28 analysis squid: 192.168.1.73 - - [30/May/2015:08:38:28 -0600] "GET https://www.yahoo.com/ HTTP/1.1" www.yahoo.com 200 325776 TCP_MISS:ORIGINAL_DST bump

I'm getting close... Amos, if you're out there, maybe you can shed some light on the above. Been at this for 5 hours now... happy Saturday!

James
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
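An added example (mine, not James's config or Squid's code) that parses the post's "mine" logformat and emulates the allowed_https_sites regex ACL against the logged SNI: it shows why the denied step1 CONNECT carries "-" for SNI and so cannot match the ACL, and, going one step beyond the post, that the unanchored entries in https_server_names.txt also match a constructed look-alike name unless they are anchored with "$". The log lines are copied from the post; the anchored list and the look-alike name are my assumptions.

```python
import re

# Regex entries from the post's https_server_names.txt, verbatim (unanchored).
ALLOWED_AS_POSTED = [r"\.google\.com", r"\.yahoo\.com", r"\.msn\.com"]
# Anchored variant (my suggestion, not in the post): the suffix must end the name.
ALLOWED_ANCHORED = [p + "$" for p in ALLOWED_AS_POSTED]

# The post's logformat "mine" after the syslog prefix:
# %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %>Hs %<st %Ss:%Sh %ssl::bump_mode
LOG_RE = re.compile(
    r'squid: (?P<client>\S+) (?P<ui>\S+) (?P<un>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]+)" (?P<sni>\S+) (?P<status>\d+) (?P<bytes>\d+) '
    r'(?P<tag>\S+) (?P<bump_mode>\S+)$'
)

# Three lines copied from the post's syslog output.
POSTED_DENIED = ('May 30 09:02:12 analysis squid: 192.168.1.73 - - [30/May/2015:09:02:12 -0600] '
                 '"CONNECT 204.79.197.203:443 HTTP/1.1" - 200 0 TCP_DENIED:HIER_NONE peek')
POSTED_BUMPED = ('May 30 08:59:58 analysis squid: 192.168.1.73 - - [30/May/2015:08:59:58 -0600] '
                 '"GET https://www.msn.com/ HTTP/1.1" www.msn.com 200 38288 TCP_MISS:ORIGINAL_DST bump')
POSTED_PEEKED = ('May 30 09:04:57 analysis squid: 192.168.1.73 - - [30/May/2015:09:04:57 -0600] '
                 '"CONNECT 96.17.8.161:443 HTTP/1.1" www.weather.com 200 0 TAG_NONE:HIER_NONE peek')

def parse_mine(line):
    """Return the named fields of one 'mine' log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def server_name_matches(sni, patterns):
    """Emulate ssl::server_name_regex: the pattern is searched for anywhere in the
    name (Squid does not anchor it). No SNI yet is logged as '-' and never matches."""
    if sni in ("", "-"):
        return False
    return any(re.search(p, sni) for p in patterns)

def ssl_bump_action(sni, patterns=ALLOWED_AS_POSTED):
    """The post's rules once the peek has revealed the SNI: bump if allowed, else terminate."""
    return "bump" if server_name_matches(sni, patterns) else "terminate"

def acl_state(line, patterns=ALLOWED_AS_POSTED):
    """(bump_mode, sni, allowed_https_sites matched?) for one log line: at the step1
    CONNECT the SNI is still '-', so an http_access rule on this ACL cannot match."""
    rec = parse_mine(line)
    return rec["bump_mode"], rec["sni"], server_name_matches(rec["sni"], patterns)

if __name__ == "__main__":
    for line in (POSTED_DENIED, POSTED_BUMPED, POSTED_PEEKED):
        print(acl_state(line))
    # Constructed look-alike name (not from the post): unanchored list vs anchored list.
    print(ssl_bump_action("www.msn.com.example"), ssl_bump_action("www.msn.com.example", ALLOWED_ANCHORED))
```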
