Search squid archive

Re: HTTPS chrome - SHA1 this page is insecure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello everyone,

 

It also may be you are using old Squid that does not support signing faked certificate with algorithm other than SHA-1 (because it was hardcoded at that time). This is the case of Squid 3.3.8 usually present in stable Ubuntu 14 LTS and CentOS 7.

 

In order to fix it you either need to go to most recent Squid (preferred) or recompile your Squid after applying a small patch like the following:

 

--- gadgets.cc  2013-07-13 15:25:14.000000000 +0200

+++ gadgets.cc.new      2015-11-09 23:00:47.591124352 +0100

@@ -389,9 +389,9 @@

 

     /*Now sign the request */

     if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())

-        ret = X509_sign(cert.get(), properties.signWithPkey.get(), EVP_sha1());

+        ret = X509_sign(cert.get(), properties.signWithPkey.get(), EVP_sha256());

     else //else sign with self key (self signed request)

-        ret = X509_sign(cert.get(), pkey.get(), EVP_sha1());

+        ret = X509_sign(cert.get(), pkey.get(), EVP_sha256());

 

     if (!ret)

         return false;

 

There is doc article and repo that has it all explained:

http://docs.diladele.com/administrator_guide_4_4/install/ubuntu14/squid.html

https://github.com/ra-at-diladele-com/qlproxy_external/tree/master/src/va/scripts.ubuntu14

 

But please take it with a huge grain of salt if you can.

 

Best regards,

Rafael Akchurin

Diladele B.V.

http://www.quintolabs.com

http://www.diladele.com

 

--

Please take a look at Web Safety - our ICAP based web filter server for Squid proxy.

 

 

 

 

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Diogenes S. Jesus
Sent: Thursday, September 1, 2016 11:37 AM
To: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx; erdosain9 <erdosain9@xxxxxxxxx>
Subject: Re: [squid-users] HTTPS chrome - SHA1 this page is insecure

 

The answer why you only see it on Chrome is because since Chrome >= 41: 

 

"Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”."

 

Best regards

 

On Wed, Aug 31, 2016 at 5:24 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On 08/31/2016 09:15 AM, Amos Jeffries wrote:
> On 1/09/2016 2:26 a.m., erdosain9 wrote:
>> Hi.
>> Im using ssl-bump.. all ir working fine, but i want to know if it is
>> possible that which is not seen crossed out and red "https".
>> This happen just in Chrome
>> This page is insecure (broken HTTPS)
>> SHA-1 Certificate
>> The certificate for this site expires in 2017 or later, and the certificate
>> chain contains a certificate signed using SHA-1.

Sounds like you are running an old Squid version.


> This requires changes to the certificate generator used by SSL-Bump.
> IIRC there were some patches, but I can't find them right now in the
> changesets. If the issue exists in current releases then please ask on
> squid-dev.

See http://www.squid-cache.org/Doc/config/sslproxy_cert_sign_hash/


> Of course, its possible the site realy does have a SHA1 certificate and
> Squid is just passing on the real details. The mimic feature is designed
> to ensure TLS is actually transparent as best we can manage.

I have not checked, but I doubt we mimic the signing algorithm (because
it would make client-Squid communication less secure?). If we do, we
should update the wiki page that lists what is being mimicked.


HTH,

Alex.


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



 

--


--------

Diogenes S. de Jesus

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux