Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <mcsnv96_at_afo.net>
Date: Thu, 12 Jun 2014 14:25:06 -0500

On 6/12/2014 2:06 PM, Guy Helmer wrote:
> On Jun 12, 2014, at 1:01 PM, Mike <mcsnv96_at_afo.net> wrote:
>
>> I have been racking my brain trying to get this working and each time,it refuses to connect to secure sites. In the end we need a working squid proxy for SSL connections within the company network which will serve over 1000 users (thus the larger 8MB cert cache size). We already have theinsecure HTTP proxy working fine (thus the use of port 3129 below).
>> Since it will be SSL based, I know it needs https_port (not http_port), ssl-bump, and intercept (required by ssl-bump). The https_port and ssl-bump documentation also mentioned the preference for sslflags (which may or may not be working in 3.HEAD) and cipher.
>>
>> OS is Scientific Linux 6.5 (based on CentOS) fully up to date with yum. Server is quad core 3.4GHz, 8GB DDR3 with no other uses (like web server, etc).
>> SELinux has been set to permissive mode so it only reports, doesn't block the needed connections (although I also tested with it disabled and made no difference).
>> [root_at_localhost ~]# sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: permissive
>> Mode from config file: permissive
>> Policy version: 24
>> Policy from config file: targeted
>>
>> Essential squid.conf lines (I have tested it with and without the "sslflags", does not impact it working or not working):
>>
>> https_port 3129 intercept ssl-bump connection-auth=off generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl/squid.pem key=/etc/squid/ssl/squid.key sslflags=DELAYED_AUTH cipher=ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
>> sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid_ssl_db -M 8MB
>> sslcrtd_children 50 startup=5 idle=1
>> ssl_bump server-first all
>> ssl_bump none localhost
>>
>> Local certs have been created and self signed, and the .der cert has been imported into the test browser (Firefox 30.0).
>>
>> Squid info (includes the needed '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'):
>>
>> [root_at_localhost ~]# squid -v
>> Squid Cache: Version 3.HEAD-20140127-r13248
>> Service Name: squid
>> configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos,wrapper' '--enable-external-acl-helpers=wbinfo_group,kerber!
 os_ldap_
group,AD_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs,rock' '--enable-wccpv2' '--enable-esi' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' 'PKG_CONFIG_PATH=/usr/lib64/pkgconfig:/usr/share/pkgconfig'
>>
>>
>> In the end testing with only the SSL proxy set to this server via port3129, it tries loading the secure website for 2-3 minutes and then timesout. Checking "top", it shows squid running at 12.1g VIRT, 2.0g RES, 54.5% of MEM (server has 8GB) and using 100% of CPU2. The ../squid/access.log and cache_access.log shows no new entries at all. We had to disable thecache.log (cache_log /dev/null) as it continuously recorded everything and quickly took up all the space on the 80GB hard drive.
>>
>> So the question is what is going wrong that it is refusing to let ANY secure site load and how can we get this resolved?
>> We greatly appreciate any help on this.
>>
>> Mike
> If I understand correctly, you are attempting to use port 3129 as a forward proxy. If so, you shouldn’t need the “intercept” option on 3129, and you should change it to http_port since squid will be directly receiving HTTP “CONNECT” requests, not SSL connections.
>
> Regards,
> Guy
>
Guy,
According to
http://www.squid-cache.org/Versions/v3/3.HEAD/cfgman/https_port.html it
says:

https_port: The socket address where Squid will listen for client
requests made over TLS or SSL connections.

ssl-bump - blah blah "Requires tproxy or intercept."

I have tried it all 3 ways, both with and without those 2 modes, and at
least with "intercept", it seems that squid is doing something by the
i/o and squid activity, although the logs remain empty.
Also according to the same documentation, since this will be SSL proxy
(not standard insecure HTTP proxy), "https_port" is required. Initially
I did try it with "http_port" but it tries to treat CONNECT requests
like a normal insecure http request causing sslcrtd to constantly crash,
taking squid down with it. At least with "https_port 3129 intercept
ssl-bump..." it doesn't crash and is the only time it shows i/o and
squid activity, thus my request to the squid-users group.

Thank you,

Mike
Received on Thu Jun 12 2014 - 19:25:10 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 13 2014 - 12:00:06 MDT