Search squid archive

Squid 3.5.13 unable to establish ssl-bump connection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I have been trying to get this working for days without success.

Trying to setup Squid with https inspection as an explicit proxy.

On OpenBSD current (# uname -srv -> OpenBSD 5.9 GENERIC.MP#1783)

Running squid from packages (# pkg_info | grep squid -> squid-3.5.13)

# squid -v
Squid Cache: Version 3.5.13
Service Name: squid
configure options:  '--disable-strict-error-checking' '--disable-arch-native'
'--enable-shared' '--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-follow-x-forwarded-for' '--enable-forw-via-db'
'--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
'--enable-referer-log' '--enable-removal-policies=lru heap' '--enable-ssl'
'--enable-ssl-crtd' '--with-openssl' '--enable-storeio=aufs ufs diskd'
'--with-default-user=_squid' '--with-filedescriptors=8192'
'--with-krb5-config=no' '--with-pidfile=/var/run/squid.pid' '--with-pthreads'
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
'--enable-ipfw-transparent' '--enable-external-acl-helpers=LDAP_group
SQL_session file_userip time_quota  unix_group wbinfo_group  LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules' '--disable-gtk-doc'
'CC=cc' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib'
'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'

(as above, compiled with enable-ssl and enable-ssl-crtd)

With a basic squid.conf file:

# cat /etc/squid/squid.conf
-----
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports

http_access allow localnet

http_access deny all

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump stare all
ssl_bump bump all
always_direct allow all

sslproxy_cafile /etc/ssl/cert.pem
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 32 startup=5 idle=1

cache_dir ufs /var/squid/cache 50000 64 512

coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
-----

Certificates made per the squid wiki at:
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

# cd /etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout
myCA.pem  -out myCA.pem
# ls -lah /etc/squid
drwxr-xr-x   4 root    wheel    512B Jan 24 20:33 .
drwxr-xr-x  35 root    wheel    2.0K Jan 23 16:17 ..
-rw-r--r--   1 root    wheel    692B Jan 17 10:22 cachemgr.conf
-rw-r--r--   1 root    wheel    1.8K Jan 17 10:22 errorpage.css
-rw-r--r--   1 root    wheel   11.8K Jan 17 10:22 mime.conf
-rw-r--r--   1 root    wheel    1.1K Jan 24 21:36 squid.conf
drwx------   2 _squid  _squid   512B Jan 24 18:23 ssl_cert

# ls -lah /etc/squid/ssl_cert
drwx------  2 _squid  _squid   512B Jan 24 18:23 .
drwxr-xr-x  3 root    wheel    512B Jan 24 23:39 ..
-rw-------  1 _squid  _squid   2.9K Jan 24 17:07 myCA.pem

Made a .der verison:
# openssl x509 -in myCA.pem -outform DER -out myCA.der

And imported it into the "Authorities" section of Firefox certificate store,
giving it all "trust settings."

ssl_crtd is present and executable:

# ls -lah /usr/local/libexec/squid/ssl_crtd
-r-xr-xr-x  1 root  bin  97.7K Jan 15 16:31 /usr/local/libexec/squid/ssl_crtd

Created dynamic certificate directory structure:

# /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_db
# chown -R _squid._squid /var/squid/ssl_db
# ls -lah /var/squid
drwxrwx--x   5 _squid  _squid   512B Jan 24 23:42 .
drwxr-xr-x  25 root    wheel    512B Jan 19 19:47 ..
drwxrwx--x  66 _squid  _squid   1.0K Jan 24 21:44 cache
drwxrwxr-x   2 _squid  _squid   512B Jan 24 03:00 logs
drwxr-xr-x   3 _squid  _squid   512B Jan 24 23:42 ssl_db

# ls -lah /var/squid/ssl_db
drwxr-xr-x  3 _squid  _squid   512B Jan 24 23:42 .
drwxrwx--x  5 _squid  _squid   512B Jan 24 23:42 ..
drwxr-xr-x  2 _squid  _squid   512B Jan 24 23:42 certs
-rw-r--r--  1 _squid  _squid     0B Jan 24 23:42 index.txt
-rw-r--r--  1 _squid  _squid     1B Jan 24 23:42 size

No, "serial" present, so it was added:

# echo "101" > /var/squid/ssl_db/serial
# chown _squid /var/squid/ssl_db/serial

squid starts without error:
# /usr/local/sbin/squid -d 1 -N

2016/01/24 23:45:53| Set Current Directory to /var/squid/cache
2016/01/24 23:45:53| Starting Squid Cache version 3.5.13 for
x86_64-unknown-openbsd5.9...
2016/01/24 23:45:53| Service Name: squid
2016/01/24 23:45:53| Process ID 763
2016/01/24 23:45:53| Process Roles: master worker
2016/01/24 23:45:53| With 128 file descriptors available
2016/01/24 23:45:53| Initializing IP Cache...
2016/01/24 23:45:53| DNS Socket created at [::], FD 10
2016/01/24 23:45:53| DNS Socket created at 0.0.0.0, FD 11
2016/01/24 23:45:53| Adding domain wynnychenko.com from /etc/resolv.conf
2016/01/24 23:45:53| Adding nameserver 10.0.28.128 from /etc/resolv.conf
2016/01/24 23:45:53| Adding nameserver 10.0.28.129 from /etc/resolv.conf
2016/01/24 23:45:53| helperOpenServers: Starting 5/32 'ssl_crtd' processes
2016/01/24 23:45:53| Logfile: opening log daemon:/var/squid/logs/access.log
2016/01/24 23:45:53| Logfile Daemon: opening log /var/squid/logs/access.log
2016/01/24 23:45:53| Unlinkd pipe opened on FD 28
2016/01/24 23:45:53| Store logging disabled
2016/01/24 23:45:53| Swap maxSize 51200000 + 262144 KB, estimated 3958626
objects
2016/01/24 23:45:53| Target number of buckets: 197931
2016/01/24 23:45:53| Using 262144 Store buckets
2016/01/24 23:45:53| Max Mem  size: 262144 KB
2016/01/24 23:45:53| Max Swap size: 51200000 KB
2016/01/24 23:45:53| Rebuilding storage in /var/squid/cache (clean log)
2016/01/24 23:45:53| Using Least Load store dir selection
2016/01/24 23:45:53| Set Current Directory to /var/squid/cache
2016/01/24 23:45:54| Finished loading MIME types and icons.
2016/01/24 23:45:54| HTCP Disabled.
2016/01/24 23:45:54| Adaptation support is off.
2016/01/24 23:45:54| Accepting SSL bumped HTTP Socket connections at
local=[::]:3128 remote=[::] FD 31 flags=9
2016/01/24 23:45:54| Accepting SSL bumped HTTP Socket connections at
local=0.0.0.0:3128 remote=[::] FD 32 flags=9
2016/01/24 23:45:54| Done reading /var/squid/cache swaplog (312 entries)
2016/01/24 23:45:54| Finished rebuilding storage from disk.
2016/01/24 23:45:54|       312 Entries scanned
2016/01/24 23:45:54|         0 Invalid entries.
2016/01/24 23:45:54|         0 With invalid flags.
2016/01/24 23:45:54|       312 Objects loaded.
2016/01/24 23:45:54|         0 Objects expired.
2016/01/24 23:45:54|         0 Objects cancelled.
2016/01/24 23:45:54|         0 Duplicate URLs purged.
2016/01/24 23:45:54|         0 Swapfile clashes avoided.
2016/01/24 23:45:54|   Took 0.06 seconds (4937.57 objects/sec).
2016/01/24 23:45:54| Beginning Validation Procedure
2016/01/24 23:45:54|   Completed Validation Procedure
2016/01/24 23:45:54|   Validated 312 Entries
2016/01/24 23:45:54|   store_swap_size = 4850.00 KB
2016/01/24 23:45:54| storeLateRelease: released 0 objects


running as expected:

# ps aux | grep squid
_squid   26037  0.0  0.1   844  4824 ??  Ss    11:46PM    0:00.03 (ssl_crtd) -s
/var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid    6398  0.0  0.1   840  4836 ??  Ss    11:46PM    0:00.03 (ssl_crtd) -s
/var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid   12848  0.0  0.1   840  4852 ??  Ss    11:46PM    0:00.05 (ssl_crtd) -s
/var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid    5788  0.0  0.1   840  4844 ??  Ss    11:46PM    0:00.03 (ssl_crtd) -s
/var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid   13372  0.0  0.1   844  4844 ??  Ss    11:46PM    0:00.06 (ssl_crtd) -s
/var/squid/ssl_db -M 8MB -b 2048 (ssl_crtd)
_squid   17491  0.0  0.0   444  1616 ??  Ss    11:46PM    0:00.04
(logfile-daemon) /var/squid/logs/access.log (log_file_daemon)
_squid   13973  0.0  0.0   320  1452 ??  Ss    11:46PM    0:00.07 (unlinkd)
(unlinkd)
_squid     896  0.3  0.2 18132 19132 p0  S+    11:46PM    0:00.43
/usr/local/sbin/squid -d 1 -N
root     19831  0.0  0.0   160   304 p1  R+    11:46PM    0:00.00 grep squid


Now, I point Firefox at the proxy, and the proxy works with http.
For example:
http://www.squid-cache.org/ is rendered in the browser, and
/var/squid/logs/access.log shows:

1453701132.838   2412 10.0.128.10 TCP_MISS_ABORTED/000 0 GET
http://www.squid-cache.org/ - HIER_DIRECT/209.169.10.131 -
1453701132.941     93 10.0.128.10 TCP_MISS/200 3533 GET
http://www.squid-cache.org/ - HIER_DIRECT/209.169.10.131 text/html
1453701133.013     44 10.0.128.10 TCP_MISS/200 1715 GET
http://www.squid-cache.org/default.css - HIER_DIRECT/209.169.10.131 text/css
1453701133.115    101 10.0.128.10 TCP_MISS/200 29148 GET
http://www.squid-cache.org/Images/img4.jpg - HIER_DIRECT/209.169.10.131
image/jpeg
1453701133.116     95 10.0.128.10 TCP_MISS/200 459 GET
http://www.squid-cache.org/Images/img2.gif - HIER_DIRECT/209.169.10.131
image/gif
1453701133.117     95 10.0.128.10 TCP_MISS/200 789 GET
http://www.squid-cache.org/Images/img3.gif - HIER_DIRECT/209.169.10.131
image/gif
1453701133.117     96 10.0.128.10 TCP_MISS/200 797 GET
http://www.squid-cache.org/Images/img1.gif - HIER_DIRECT/209.169.10.131
image/gif
1453701133.117     94 10.0.128.10 TCP_MISS/200 442 GET
http://www.squid-cache.org/Images/img5.gif - HIER_DIRECT/209.169.10.131
image/gif
1453701133.123     98 10.0.128.10 TCP_MISS/200 440 GET
http://www.squid-cache.org/Images/img7.gif - HIER_DIRECT/209.169.10.131
image/gif
1453701133.123     99 10.0.128.10 TCP_MISS/200 775 GET
http://www.squid-cache.org/Images/img8.gif - HIER_DIRECT/209.169.10.131
image/gif
1453701133.211     44 10.0.128.10 TCP_MISS/200 1763 GET
http://www.squid-cache.org/favicon.ico - HIER_DIRECT/209.169.10.131
image/vnd.microsoft.icon

and reloading http://www.squid-cache.org/ shows:

1453701223.042      0 10.0.128.10 TCP_HIT/200 3543 GET
http://www.squid-cache.org/ - HIER_NONE/- text/html
1453701223.198    130 10.0.128.10 TCP_REFRESH_MODIFIED/200 1715 GET
http://www.squid-cache.org/default.css - HIER_DIRECT/209.169.10.131 text/css
1453701223.248     48 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 248 GET
http://www.squid-cache.org/Images/img4.jpg - HIER_DIRECT/209.169.10.131 -
1453701223.306    101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET
http://www.squid-cache.org/Images/img2.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307    101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET
http://www.squid-cache.org/Images/img1.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307     99 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET
http://www.squid-cache.org/Images/img8.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307     98 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET
http://www.squid-cache.org/Images/img7.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307    101 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 247 GET
http://www.squid-cache.org/Images/img3.gif - HIER_DIRECT/209.169.10.131 -
1453701223.307    100 10.0.128.10 TCP_REFRESH_UNMODIFIED/304 246 GET
http://www.squid-cache.org/Images/img5.gif - HIER_DIRECT/209.169.10.131 -


But, if I try to connect to a https site like google:  https://google.com,
nothing happens, and the browser is just spinning with "Connecting..."
displayed.
The squid instance (running in the foreground) spits out a line:

2016/01/24 23:56:57| hold write on SSL connection on FD 26

If I try another https like yahoo:  https://yahoo.com, nothing happens in the
browser as well, just "Connecting..."
But, the squid instance spits out:

2016/01/24 23:59:04| Error negotiating SSL on FD 19: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)
2016/01/24 23:59:04| Error negotiating SSL on FD 21: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (1/-1/0)


Now, if I remove the "ssl_bump stare all" line from squid.conf, and try:
https://yahoo.com

Firefox returns:
-----
This Connection is Untrusted

You have asked Firefox to connect securely to yahoo.com, but we can't confirm
that your connection is secure.

...

yahoo.com uses an invalid security certificate.

The certificate is only valid for ...

(Error code: ssl_error_bad_cert_domain)
-----

And trying:
https://google.com

Firefox returns:
-----
This Connection is Untrusted

You have asked Firefox to connect securely to www.google.com, but we can't
confirm that your connection is secure.

...

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox
only connect to it securely. As a result, it is not possible to add an exception
for this certificate.

www.google.com uses an invalid security certificate.

The certificate is only valid for ...

(Error code: ssl_error_bad_cert_domain)
-----

In both instances, the certificate being presented to the Firefox client is the
"Squid CA" certificate created above.

And, checking:
# ls -lah /var/squid/ssl_db
drwxr-xr-x  3 _squid  _squid   512B Jan 24 23:44 .
drwxrwx--x  5 _squid  _squid   512B Jan 24 23:42 ..
drwxr-xr-x  2 _squid  _squid   512B Jan 24 23:42 certs
-rw-r--r--  1 _squid  _squid     0B Jan 24 23:42 index.txt
-rw-r--r--  1 _squid  _squid     4B Jan 24 23:44 serial
-rw-r--r--  1 _squid  _squid     1B Jan 24 23:42 size

# ls -lah /var/squid/ssl_db/certs
drwxr-xr-x  2 _squid  _squid   512B Jan 24 23:42 .
drwxr-xr-x  3 _squid  _squid   512B Jan 24 23:44 ..

Shows no changes.

It appears that this is a problem with dynamic certificate creation, but I have
no idea how to proceed.
I have been blindly playing with configuration changes and directives, but have
never had a "better" outcome that what is described above.

Any help would be greatly appreciated.

Thanks

<<attachment: smime.p7s>>

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux