
sslproxyflags DONT_VERIFY_PEER

I have had my squid implementation for sslbump set up and working for some time now. I have had several people point out that my use of "sslproxyflags DONT_VERIFY_PEER" is dangerous from a security standpoint. When I was first trying to get sslbump working it would not work until I saw a suggestion somewhere that that sslproxyflag could be used. When I tried it, sslbump started working.

After several configurations adding the new peek+splice and peek+bump features, I still am not able to remove "sslproxyflags DONT_VERIFY_PEER". Whenever I try removing it, I get the error message that my browser is trying to connect to an unsecured site or "Untrusted connection" whenever it tries to connect to an https site.

Here is my squid.conf:
visible_hostname smoothwall

# Uncomment the following to send debug info to /var/log/squid/cache.log
#debug_options ALL,1 33,2 28,9

# ACCESS CONTROLS
# ----------------------------------------------------------------
acl localhostgreen src 10.40.40.1
acl localnetgreen src 10.40.40.0/24
acl SWE_subnets          src "/var/smoothwall/mods/proxy/acls/src_subnets.acl"

acl SSL_ports port 445 443 441 563
acl Safe_ports port 80     # http
acl Safe_ports port 81     # smoothwall http
acl Safe_ports port 21     # ftp 
acl Safe_ports port 445 443 441 563 # https, snews
acl Safe_ports port 70     # gopher
acl Safe_ports port 210       # wais  
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280       # http-mgmt
acl Safe_ports port 488       # gss-http 
acl Safe_ports port 591       # filemaker
acl Safe_ports port 777       # multiling http

acl CONNECT method CONNECT

# TAG: http_access
# ----------------------------------------------------------------

http_access allow SWE_subnets


http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnetgreen
http_access allow CONNECT localnetgreen

http_access allow localhostgreen
http_access allow CONNECT localhostgreen

# http_port and https_port
#----------------------------------------------------------------------------

# For forward-proxy port. Squid uses this port to serve error pages, ftp icons and communication with other proxies.
#----------------------------------------------------------------------------
http_port 3127

http_port 10.40.40.1:800 intercept
https_port 10.40.40.1:808 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem sslflags=VERIFY_CRL_ALL options=NO_SSLv2,NO_SSLv3,No_Compression dhparams=/var/smoothwall/mods/proxy/ssl_cert/dhparam.pem


http_port 127.0.0.1:800 intercept

sslproxy_session_cache_size 4 MB

ssl_bump none localhostgreen

sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

acl tls_allowed_hsts ssl::server_name .akamaihd.net
acl tls_server_is_bank ssl::server_name .wellsfargo.com
acl tls_to_splice any-of tls_allowed_hsts tls_server_is_bank

ssl_bump peek tls_s1_connect all
ssl_bump splice tls_s2_client_hello tls_to_splice
ssl_bump stare tls_s2_client_hello all
ssl_bump bump tls_s3_server_hello all

sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /var/smoothwall/mods/proxy/libexec/ssl_crtd -s /var/smoothwall/mods/proxy/lib/ssl_db -M 4MB
sslcrtd_children 5

http_access deny all

cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

# CACHE OPTIONS
# ----------------------------------------------------------------------------
cache_effective_user squid
cache_effective_group squid

cache_swap_high 92
cache_swap_low 90

cache_access_log stdio:/var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_mem 64 MB

cache_dir aufs /var/spool/squid/cache 1024 16 256

maximum_object_size 33 MB

minimum_object_size 0 KB


request_body_max_size 0 KB

# OTHER OPTIONS
# ----------------------------------------------------------------------------
#via off
forwarded_for off

pid_filename /var/run/squid.pid

shutdown_lifetime 10 seconds
#icp_port 3130

half_closed_clients off
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all

umask 022

logfile_rotate 0

strip_query_terms off


url_rewrite_program /var/smoothwall/mods/ufdbguard/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 64 startup=16 idle=4 concurrency=0
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni='%ssl::>sni' referer='%{Referer}>h'"

Does anyone have any suggestions how I can remove that proxy flag and still keep sslbump working?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
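Added example, not from the post or the Squid project: a small audit that flags the two upstream-verification settings behind this question in a squid.conf excerpt and emits the hardened form. It assumes the Squid 3.5-era directives used in the post (sslproxy_flags, sslproxy_cafile, sslproxy_capath); the CA bundle path is an assumption and must be the bundle actually present on the proxy host.

```python
import re
from typing import Dict, List

# Constructed excerpt of the poster's squid.conf (not the full file).
SAMPLE_CONF = """\
https_port 10.40.40.1:808 intercept ssl-bump cert=/var/smoothwall/mods/proxy/ssl_cert/squidCA.pem
ssl_bump peek tls_s1_connect all
ssl_bump bump tls_s3_server_hello all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER   # masks upstream certificate failures
"""

# Hypothetical trust-store path; use the bundle your distribution ships.
DEFAULT_CAFILE = "/etc/ssl/certs/ca-certificates.crt"


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to its argument strings; comments and blank lines are skipped."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives


def audit_sslbump(text: str) -> List[str]:
    """Return findings about upstream certificate verification (empty list means nothing flagged)."""
    d = parse_conf(text)
    findings: List[str] = []
    bumping = any(a.split()[0] == "bump" for a in d.get("ssl_bump", []) if a)
    if any("DONT_VERIFY_PEER" in a for a in d.get("sslproxy_flags", [])):
        findings.append("sslproxy_flags DONT_VERIFY_PEER: upstream certificates are accepted unverified, "
                        "so a forged server certificate is re-signed by the bump CA and trusted by clients")
    if bumping and not (d.get("sslproxy_cafile") or d.get("sslproxy_capath")):
        findings.append("no sslproxy_cafile or sslproxy_capath: Squid has no trust store for upstream chains, "
                        "so verification fails for every bumped site once DONT_VERIFY_PEER is removed")
    return findings


def harden_sslbump(text: str, cafile: str = DEFAULT_CAFILE) -> str:
    """Drop DONT_VERIFY_PEER and add a CA bundle so verification can actually succeed."""
    kept = [l for l in text.splitlines() if not re.match(r"\s*sslproxy_flags\b.*DONT_VERIFY_PEER", l)]
    if not any(re.match(r"\s*sslproxy_ca(file|path)\b", l) for l in kept):
        kept.append(f"sslproxy_cafile {cafile}")
    return "\n".join(kept) + "\n"
```

Run audit_sslbump over the full file; once the flag is gone and a bundle is configured, a site whose chain does not validate is refused by sslproxy_cert_error deny all instead of being silently accepted.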
