Re: Using dont_verify_peer


Hello Bruce,

 

According to https://www.ssllabs.com/ssltest/analyze.html?d=agentimediaservices.com the server does not send the whole chain of certificates and imho squid cannot automatically download the intermediate certificates like browsers do.

 

You need to manually add them to the store. Currently we do it like http://docs.diladele.com/faq/squid/fix_unable_to_get_issuer_cert_locally.html

 

I hope Yuri knows everything about adding certificates to the store and will reply shortly :)

 

If you were using an explicit proxy, usually making agentimediaservices.com non-bumpable would be enough, as squid would simply pump bytes from browser to site after an allowed CONNECT; but as you have an intercepting squid – I suspect it needs to establish a new connection to the remote site, and thus the openssl code that is used when establishing connections gets a chance to fail the connection to a site with an incomplete certificate chain. IMHO :)

 

I am also interested in how to bypass it in the intercepted scenario.

 

Best regards,

Rafael Akchurin

Diladele B.V.

 

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Markey, Bruce
Sent: Thursday, April 28, 2016 10:33 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Using dont_verify_peer

 

I didn’t really get an answer previously so I did some research and now I’m not quite sure what to do.

 

Problem is I’m getting a lot of these:

 

The following error was encountered while trying to retrieve the URL: https://*.agentimediaservices.com/*

Failed to establish a secure connection to 63.240.52.151

The system returned:

(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is webmaster.

 

 

As I had stated, some are “fixable” by adding the URL to my broken ACL and then not peeking at it. That sometimes works, most of the time not, and then I have to add the IP listed to an ACL of allowed IPs. This usually works but not in all cases.

 

That leaves me sort of stuck. I’ve been having to actually remove folks from the proxy so they could work. I work for a newspaper and most of the issues lie with the myriad of SEO/marketing sites/tools these people use. They’re horrible.

 

That leads me to my question: will using that flag make this issue go away? Granted, I’m aware it’s not the safest, but I can’t deny users access to the sites they need.

 

 

 

I’m running 3.5.16 compiled from source on Debian Jessie. Fully updated. I’m also confused as to why this is happening. My CA store is up to date. I’m confused as to why this is happening. If I can access all these sites fine without the proxy I’d have to think it’s not the cert itself. So it’s either Debian’s cert store or something else. I’m sort of at the end of my knowledge here as to what to troubleshoot.

 

The other option, though it would be last resort would be to just stop doing anything with https, though all I really wanted was to keep stats on sites visited.

 

Here is some openssl info. This leads me to believe it’s not a squid issue per se, it’s an openssl issue and/or Debian issue with certs. But I’m not 100% on that.

 

bruce@LNP-Proxy:/etc/squid3$ sudo openssl s_client -connect www.agentimediaservices.com:443 -showcerts
CONNECTED(00000003)
depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, postalCode = 10007, ST = NY, L = New York, street = 195 Broadway, O = OMD USA LLC, OU = IT, OU = Hosted by OMD USA INC, OU = PlatinumSSL Wildcard, CN = *.agentimediaservices.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=10007/ST=NY/L=New York/street=195 Broadway/O=OMD USA LLC/OU=IT/OU=Hosted by OMD USA INC/OU=PlatinumSSL Wildcard/CN=*.agentimediaservices.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA


---
Server certificate
subject=/C=US/postalCode=10007/ST=NY/L=New York/street=195 Broadway/O=OMD USA LLC/OU=IT/OU=Hosted by OMD USA INC/OU=PlatinumSSL Wildcard/CN=*.agentimediaservices.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 1678 bytes and written 599 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-MD5
    Session-ID: 4F9EE34EFA2F6305BBD46D6F367BFDC9F95580A7889D9E1FE91F0F79BA86701F
    Session-ID-ctx:
    Master-Key: F741F597EFC3C837CE52546CC455FFFEBC0F18CCBC74CFB4BE7F1AE3C85EEB9065C39AE50CC525A33C5BD6CCF3D2483A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1461875411
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

 

Squid.conf:

 

#Access Lists
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/23

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

#acls from blacklist
acl allowed dstdomain -i "/etc/squid3/acls/http_allowed.acl"
acl prime dstdomain -i "/etc/squid3/acls/squid-prime.acl"
acl china dst -n "/etc/squid3/acls/ccd-china.acl"
acl india dst -n "/etc/squid3/acls/ccd-india.acl"
acl iran dst -n "/etc/squid3/acls/ccd-iran.acl"
acl nigeria dst -n "/etc/squid3/acls/ccd-nigeria.acl"
acl pakistan dst -n "/etc/squid3/acls/ccd-nigeria.acl"
acl romania dst -n "/etc/squid3/acls/ccd-romania.acl"
acl russia dst -n "/etc/squid3/acls/ccd-russia.acl"
acl syria dst -n "/etc/squid3/acls/ccd-syria.acl"
acl ukraine dst -n "/etc/squid3/acls/ccd-ukraine.acl"
acl uzbekistan dst -n "/etc/squid3/acls/ccd-uzbekistan.acl"
acl ips dst -n "/etc/squid3/acls/broken_ips.acl"
acl blocked dstdomain -i "/etc/squid3/acls/http_blocked.acl"

#allow/deny
http_access allow allowed
http_access allow ips
http_access deny blocked
http_access deny prime
http_access deny china
http_access deny india
http_access deny iran
http_access deny nigeria
http_access deny pakistan
http_access deny romania
http_access deny russia
http_access deny syria
http_access deny ukraine
http_access deny uzbekistan

http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#Bumping
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl broken_sites ssl::server_name_regex "/etc/squid3/acls/http_broken.txt"

#ssl_bump peek all
ssl_bump peek !broken_sites
ssl_bump splice all
#ssl_bump splice !broken_sites

sslproxy_capath /etc/ssl/certs

sslcrtd_program /lib/squid3/ssl_crtd -s /etc/squid3/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

#logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

#access_log syslog:daemon.info mine
#access_log daemon:/var/log/squid3/test.log mine

#intercept
http_port 3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslflags=NO_SESSION_REUSE

#nameservers
dns_nameservers 192.168.201.1 8.8.8.8

#WCCPv2 items
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

 

Bruce Markey | Network Security Analyst

STEINMAN COMMUNICATIONS

717.291.8758 (o) bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx

8 West King St | PO Box 1328, Lancaster, PA 17608-1328

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
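The thread asks whether DONT_VERIFY_PEER is the way out of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY on an intercepting, peek-then-splice Squid. The fragment below is an added example written for this page, not configuration from either poster or from the Squid project; it assumes Squid 3.5 with the /etc/squid3 layout shown above, that the missing COMODO intermediate has already been fetched by the administrator, and that the build has the sslproxy_foreign_intermediate_certs directive. It contrasts the blanket flag with two scoped alternatives that keep verification on for every other site.

```conf
# Added example, not from the original thread.
acl step1 at_step SslBump1

# 1) Peek only at the ClientHello (step 1) and splice at step 2 without
#    peeking the ServerHello. Squid then never receives or validates the
#    origin certificate, so an incomplete chain cannot abort the tunnel,
#    and the SNI is still available for stats via %ssl::>sni.
#    (The thread's "peek !broken_sites" also peeks at step 2, which is
#    where Squid validates the server certificate and fails.)
ssl_bump peek step1
ssl_bump splice all

# 2) If step-2 peeking is needed (e.g. to log %ssl::>cert_subject), scope
#    the tolerated error to the one site and the one error instead of
#    turning verification off everywhere. ssl::server_name matches the
#    SNI, which works in intercept mode where dstdomain may not.
acl incomplete_chain_sites ssl::server_name .agentimediaservices.com
acl missing_local_issuer ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
sslproxy_cert_error allow incomplete_chain_sites missing_local_issuer
sslproxy_cert_error deny all

# 3) Best fix: supply the intermediate the origin omits. The leaf shown by
#    openssl s_client carries only depth 0, and its AIA caIssuers URL points
#    at the intermediate. Either place that PEM in sslproxy_capath and run
#    c_rehash there, or list it in the directive below (assumed present in
#    this 3.5 build). Path is a placeholder chosen for this example.
sslproxy_capath /etc/ssl/certs
sslproxy_foreign_intermediate_certs /etc/squid3/certs/foreign-intermediates.pem

# What NOT to do: this disables origin certificate validation for every
# site Squid peeks or bumps, so a forged certificate on any site would be
# accepted silently. Left commented out on purpose.
#sslproxy_flags DONT_VERIFY_PEER
```

After a reload, a connection to the site should no longer log a TLS error in cache.log, while a deliberately untrusted test host elsewhere must still be refused; if it is not, the exception is scoped too widely.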
