Using a parent proxy with SSL Bump enabled in Squid 3.2


For a while we were waiting for Squid 3.2.x to be released as a stable version of Squid. Finally, it was. But a small part of the community (including us) expected that the bug affecting the use of a parent proxy together with SSL bumping would be resolved. It was not ( http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss1.1 ), and it will not be until Squid 3.3.

Let me give a brief history of this bug:

  • First, the bug was introduced: people using SSL Bumping were not able to use parent proxies.
  • This bug was fixed, and people could again use SSL Bumping with parent proxies.
  • But that fix introduced a new bug. Squid sent the request to the parent proxy as a plain-text proxy request: it terminated the SSL connection with the client and forwarded the decrypted data to the parent proxy unencrypted. Squid was not able to re-encapsulate the bumped request in a CONNECT method.
  • This is a serious security problem if the network between your Squid and the parent proxy is not secured, so the Squid team decided to disable SSL Bumping with parent proxies in the code.
  • ...and that brings us to today.

PS: As far as I know, this is a summary of the bug's history. If I have made a mistake, please let me know.

But our users expect a solution from us, so we decided to go one step backwards: return to the state in which SSL Bumping and parent proxies work together, but in an unsecured way. We decided to warn system administrators to secure the line between the parent proxy and our new Squid release (only if they use the parent proxy for HTTPS, of course). We commented out the restriction lines for this case (https://github.com/hkerem/squid3-ssl/blob/master/debian/patches/60-peer-sslbump-accept.dpatch).

Check out our latest Squid SSL package from our repositories (http://www.mydlp.com/now-squid3-ssl-packages-in-mydlp-repository/).

After installing it, comment out this line in /etc/squid3/squid.conf (so that it reads as shown):
#always_direct allow all

And add these lines to /etc/squid3/squid.conf:
cache_peer your.parent.proxy parent 8080 0 no-query no-digest
never_direct allow all

After reloading Squid, it will use this parent proxy for all protocols, including HTTPS.

CAUTION: If you use parent proxies while SSL Bumping is enabled, you must secure the communication line between your parent proxy and Squid (for example with a VPN or another encrypted tunnel). Otherwise the HTTPS traffic that Squid decrypted travels to the parent in clear text, and your system poses a serious security risk.
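As an added example, not code from this post or from the MyDLP package, the following POSIX shell helper makes the squid.conf change described above and then checks the file for the combination the caution warns about. The config path, the parent host and port, and the use of the cache_peer "ssl" option as the only in-config sign of an encrypted peer link are assumptions; a VPN that protects the link outside Squid is invisible to the check, so treat its warning as "verify the link", not as proof of exposure.

```shell
#!/bin/sh
# Added example, not code from the MyDLP post or package.
# Assumptions: POSIX sh with sed/grep/mktemp; the config path and the
# parent host/port are placeholders; the cache_peer "ssl" option is the
# only in-config marker of an encrypted peer link this script looks for.

# enable_parent_proxy CONF HOST PORT
# Applies the post's change to CONF: comments out every active
# "always_direct allow all" line and appends the cache_peer and
# never_direct lines. Safe to run twice; nothing is duplicated.
enable_parent_proxy() {
    conf=$1; host=$2; port=$3
    tmp=$(mktemp) || return 1
    # Prefix each matching line with '#' (& is the whole matched text).
    if ! sed 's/^[[:space:]]*always_direct[[:space:]]\{1,\}allow[[:space:]]\{1,\}all[[:space:]]*$/#&/' \
            "$conf" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$conf" || return 1
    if ! grep -Eq "^cache_peer[[:space:]]+$host[[:space:]]+parent[[:space:]]+$port([[:space:]]|$)" "$conf"; then
        printf 'cache_peer %s parent %s 0 no-query no-digest\n' "$host" "$port" >> "$conf"
    fi
    if ! grep -Eq '^never_direct[[:space:]]+allow[[:space:]]+all' "$conf"; then
        printf 'never_direct allow all\n' >> "$conf"
    fi
}

# audit_parent_link CONF
# Exit 0 when CONF looks safe, 1 when it has the combination the post warns
# about: an http_port/https_port with ssl-bump and at least one parent
# cache_peer without the "ssl" option. A VPN or other tunnel outside Squid
# is invisible here, so a warning means "verify the link", not "exposed".
audit_parent_link() {
    conf=$1
    # Without bumping, Squid relays HTTPS as opaque CONNECT tunnels, so the
    # parent link carries nothing that Squid decrypted.
    grep -Eq '^[[:space:]]*https?_port[[:space:]].*[[:space:]]ssl-bump' "$conf" || return 0
    # Parent peers whose option list does not contain the bare "ssl" keyword.
    risky=$(grep -E '^[[:space:]]*cache_peer[[:space:]]+[^[:space:]]+[[:space:]]+parent[[:space:]]' "$conf" \
            | grep -Ev '[[:space:]]ssl([[:space:]]|$)' || true)
    [ -n "$risky" ] || return 0
    printf 'WARNING: ssl-bump is enabled and these parents have no cache_peer ssl option:\n%s\n' "$risky" >&2
    return 1
}

# Usage (work on a copy, then validate it with `squid3 -k parse` before
# installing it as /etc/squid3/squid.conf):
#   cp /etc/squid3/squid.conf /tmp/squid.conf && \
#   enable_parent_proxy /tmp/squid.conf your.parent.proxy 8080 && \
#   audit_parent_link /tmp/squid.conf
```

Run the audit after every change to a bumping Squid: the patched package deliberately removes the guard that upstream added, so the configuration file is the only place left where the cleartext-parent combination can be caught.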




Discussion

  1. Mattias  August 6, 2013

    Hi,

    One of our partners hosts a remote proxy (across a VPN, though) that only accepts CONNECT. To avoid our users having to configure it manually (and leaving the setting always on), I'm trying to intercept all traffic towards the specific domain and then connect to the partner's proxy.

    They expect us to send a request to 192.168.0.10 port 8080 (plain HTTP) with a CONNECT with SSL:
    CONNECT https://application.partner.domain

    Using your solution and the Ubuntu package you share, I'm still seeing the clients' (transparently proxied) requests as GET towards the parent proxy.

    As I understand it, I would need to: 1) intercept the TCP connection; 2) terminate SSL; 3) CONNECT to the parent proxy (NOT GET).

    acl localnet src 10.0.0.0/24
    acl CONNECT method CONNECT
    acl SSL method CONNECT
    acl partner dstdomain .partner.domain

    http_access allow localnet
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/mydlp/ssl/private.pem cert=/etc/mydlp/ssl/public.pem

    sslproxy_cert_error allow all
    sslproxy_flags DONT_VERIFY_PEER
    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 5

    cache_peer 192.168.0.10 parent 8080 0 no-query no-digest
    cache_peer_access 192.168.0.10 allow all
    ssl_bump allow all
    never_direct allow all

    Here’s the result of a simple GET:
    curl -vk https://10.0.0.22:3128 -H "Host: application.partner.domain"

    Which gives an HTTPS error:
    curl: curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    access.log: 1375785724.604 0 10.0.0.163 NONE/400 4031 NONE error:invalid-request – HIER_NONE/- text/html

    And over HTTP:
    Curl output: Your cache administrator is webmaster.
    access.log: 1375785874.326 0 10.0.0.163 NONE/400 3505 GET / – HIER_NONE/- text/html

    What am I doing wrong?

