[squid-users] stopping sslbump to domains with invalid or unsigned certs

From: Sean Boran <sean_at_boran.com>
Date: Tue, 20 Dec 2011 15:34:27 +0100

Hi,

sslbump allows me to interrupts ssl connections and run an AV check on them.
It generates a certs for the target domain (via sslcrtd), so that the
users browser sees a server cert signed by the proxy.

If the target domain has a certificate that is expired, or it not
signed by a recognised CA, its important that the lack of trust is
communicated to the end user.

Example, on connecting direct (not via a proxy) to
https://wiki.squid-cache.org the certificated presented is expired 2
years ago and not signed by known CA .
Noext on connecting via a sslbump proxy (v3.2.0.14), the proxy creates
a valid cert for wiki.squid-cache.org and in the user's browsers it
looks like wiki.squid-cache.org has a valid cert signed by the proxy.

So my question is:
What ssl_bump settings would allow the proxy to handle such
destinations with expired or non trusted sites by, for example:
a) Not bumping the connection but piping it through to the user
unchanged, so the user browser notices the invalid certs?
b) Refuses the connection with a message to the user, if the
destination is not on an allowed ACL of exceptions.

Looking at squid.conf, there is sslproxy_flags, sslproxy_cert_error
# TAG: sslproxy_flags
# DONT_VERIFY_PEER Accept certificates that fail verification.
# NO_DEFAULT_CA Don't use the default CA list built in
 to OpenSSL.
# TAG: sslproxy_cert_error
# Use this ACL to bypass server certificate validation errors.

So, the following config would then implement scenario b) above?

# Verify destinations: yes, but allow exceptions
sslproxy_flags DONT_VERIFY_PEER
#sslproxy_flags none
# ignore Certs with certain cites
acl TrustedName url_regex ^https://badcerts.example.com/
sslproxy_cert_error allow TrustedName
sslproxy_cert_error deny all

==> But then, why does it not throw an error when connecting to
https://wiki.squid-cache.org ?

Next I though it might be an idea to delete any cached certs and try again.
Looking in /var/lib/squid_ssl_db/index.txt, there is an extra for the
destination:
V 121107103058Z 0757348E unknown /CN=www.squid-cache.org
So, then I deleted 0757348E.pem to force a new cert to be generated,
and restarted squid.

Connecting to https://wiki.squid-cache.org/ resulted in a new cert
being silently generated, stored in 075734AD.pem and the https
connection signed.

What am I going wrong?

Finally had a look at the sources:
sslproxy_flags led to Config.ssl_client.flags in cf_parser.cci which
led to ssl_client.sslContext in cache_cf.cc to initiateSSL() in
forward.cc and finally ssl_verify_cb in ssl/support.cc.

There one finds nice debugs prefixed with "83", so, enabled high
debugging for 83:
   debug_options ALL,1 83,20 23,2 26,10 33,4 84,3
Restarted squid, and watched with
   tail -f cache.log|egrep -i "SSL|certificate"
but dont see certificate errors.

Any suggestions?

Thanks,
Sean
Received on Tue Dec 20 2011 - 14:34:34 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 21 2011 - 12:00:03 MST