Re: [squid-users] SSL bump working on most site...cert pinning issue?

From: Dan Charlesworth <dan_at_getbusi.com>
Date: Mon, 30 Jun 2014 23:13:57 +1000

No worries.

Sounds like this is the feature you should be waiting with baited breath for: http://wiki.squid-cache.org/Features/SslPeekAndSplice

I’m not a developer so I have no idea how far along that is right now.

On 30 Jun 2014, at 11:05 pm, James Lay <jlay_at_slave-tothe-box.net> wrote:

> On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
>> Yeah, pinned SSL ‘aint gonna be bumped. The Twitter apps are another popular one that use pinning.
>>
>> As far as your broken_sites ACL goes, you can’t use `dstdomain` because the only thing Squid can see of the destination before bumping an intercepted connection is the IP address. So for `ssl_bump none` you’ll need to be use `dst` ACLs instead.
>>
>> ProTip: Here are the Apple and Akamai public IP blocks (to use in a dst equivalent of your broken_sites), respectively: 17.0.0.0/8, 23.0.0.0/12.
>>
>> Good luck
>>
>> On 30 Jun 2014, at 10:38 pm, James Lay <jlay_at_slave-tothe-box.net> wrote:
>>
>>> Topic pretty much says it...most sites work fine using my below set up,
>>> but some (Apple's app store) do not. I'm wondering if cert pinning is
>>> the issue? Since this set up is basically two separate sessions, I
>>> packet captured both. The side the I have control over gives me a TLS
>>> Record Layer Alert Close Notify. I am unable to decrypt the other side
>>> as the device in question is an iDevice and I can't capture the master
>>> secret.
>>>
>>> I've even tried to ACL certain sites to not bump, but they don't go
>>> through. Below is my complete setup. This is running the below:
>>>
>>> Squid Cache: Version 3.4.6
>>> configure options: '--prefix=/opt' '--enable-icap-client'
>>> '--enable-ssl' '--enable-linux-netfilter'
>>> '--enable-follow-x-forwarded-for' '--with-large-files'
>>> '--sysconfdir=/opt/etc/squid'
>>>
>>>
>>> Any assistance with troubleshooting would be wonderful...thank you.
>>>
>>> James
>>>
>>>
>>>
>>> $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport
>>> 80 -j REDIRECT --to-port 3128
>>> $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp --dport
>>> 443 -j REDIRECT --to-port 3129
>>>
>>>
>>> acl localnet src 192.168.1.0/24
>>>
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>>
>>> acl CONNECT method CONNECT
>>> acl broken_sites dstdomain textnow.me
>>> acl broken_sites dstdomain akamaiedge.net
>>> acl broken_sites dstdomain akamaihd.net
>>> acl broken_sites dstdomain apple.com
>>> acl allowed_sites url_regex "/opt/etc/squid/url.txt"
>>> acl all_others dst all
>>> acl SSL method CONNECT
>>>
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>>
>>> http_access allow allowed_sites
>>> http_access deny all_others
>>> http_access allow localnet
>>> http_access allow localhost
>>>
>>> http_access deny all
>>> icp_access deny all
>>>
>>> sslproxy_cert_error allow broken_sites
>>> sslproxy_cert_error deny all
>>>
>>> sslproxy_options ALL
>>> ssl_bump none broken_sites
>>> ssl_bump server-first all
>>>
>>> http_port 192.168.1.253:3128 intercept
>>> https_port 192.168.1.253:3129 intercept ssl-bump
>>> generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt
>>> key=/opt/sslsplit/sslsplitca.key options=ALL sslflags=NO_SESSION_REUSE
>>>
>>> always_direct allow all
>>>
>>>
>>> hierarchy_stoplist cgi-bin ?
>>>
>>> access_log syslog:daemon.info common
>>>
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (cgi-bin|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>>
>>> icp_port 3130
>>>
>>> coredump_dir /opt/var
>>>
>>>
>
> Ah good catch thank you. I've seen expensive proxy appliances just
> tunnel the traffic through, but they get the host and domain name to all
> control...which is really all I'm wanting to do is control what sites
> are allowed. I'll give your suggestions a go...thank you.
>
> James
>
Received on Mon Jun 30 2014 - 13:14:09 MDT

This archive was generated by hypermail 2.2.0 : Mon Jun 30 2014 - 12:00:05 MDT