Netgate Discussion Forum

    SSLBUMP without MITM

Cache/Proxy
58 Posts 11 Posters 26.3k Views
bbassotti

What about peek & splice? No cert on the client:

# Always enable manual proxy
http_port 3128

# Enable transparent proxy
http_port 3129 transparent

# Enable SSL transparent proxy
https_port 3130 intercept ssl-bump generate-host-certificates=off cert=/etc/pki/tls/certs/squid.crt key=/etc/pki/tls/private/squid.key sslflags=NO_DEFAULT_CA options=NO_SSLv2,NO_SSLv3,No_Compression dynamic_cert_mem_cache_size=128KB
acl https_proto proto https
always_direct allow https_proto
# 'none' is the deprecated pre-3.5 spelling of 'splice'
ssl_bump none localhost
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL

# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3

# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all
ssl_bump splice all
# peek at TLS/SSL connect data
# splice: no active bumping

# Enable squidGuard
url_rewrite_program /usr/sbin/squidguard -l /var/squid/logs
url_rewrite_children 20 startup=5 idle=5 concurrency=0
# the inner quotes must be escaped or the parser ends the token at the first unescaped quote
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""

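What a peek at SslBump1/SslBump2 actually hands to squidGuard is the server name from the ClientHello, which the `sni=\"%ssl::>sni\"` field of url_rewrite_extras in the config above carries; nothing else about the request is visible without bumping. The following is an added example, not Squid, squidGuard or pfSense code: it constructs a minimal TLS ClientHello record (a made-up test input, not a capture), extracts the server_name extension, and applies a hostname blocklist the way a squidGuard domain list would. The host names, the blocklist and the `no_sni_action` parameter are this example's own assumptions.

```python
"""Added example (not Squid, squidGuard or pfSense code): what a peek at
SslBump1/SslBump2 can see without bumping.  It builds a minimal TLS
ClientHello (constructed test input), extracts the server_name (SNI)
extension the way Squid fills %ssl::>sni, and applies a hostname blocklist
as a squidGuard domain list would.  Host names and the blocklist are
invented; the record is not a real capture."""
import struct


def build_client_hello(sni):
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    host = sni.encode("idna")
    # ServerNameList entry: name_type 0 (host_name), 16-bit length, the name
    server_name_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    # one unrelated extension first (signature_algorithms) so the parser has to skip it
    sig_alg_ext = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x01"
    extensions = sig_alg_ext + sni_ext
    body = (b"\x03\x03" + bytes(32)            # client_version, random (all zero here)
            + b"\x00"                          # session_id length 0
            + b"\x00\x02\xc0\x2f"              # cipher_suites: one suite
            + b"\x01\x00"                      # compression_methods: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record,
    or None if the bytes are not a well-formed ClientHello carrying an SNI."""
    try:
        if record[0] != 0x16:                               # not a Handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                   # not client_hello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = 4 + 2 + 32                                      # skip header, version, random
        p += 1 + hs[p]                                      # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]        # cipher_suites
        p += 1 + hs[p]                                      # compression_methods
        if p + 2 > 4 + hs_len:
            return None                                     # no extensions block at all
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:                             # server_name extension
                q = p + 2                                   # skip ServerNameList length
                while q + 3 <= p + elen:
                    name_type = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:
                        return hs[q:q + nlen].decode("ascii")
                    q += nlen
                return None
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def sni_policy(record, blocked_domains, no_sni_action="splice"):
    """Decide what to do with an intercepted connection from its ClientHello alone.
    Only the hostname is visible here; there is no URL path, so a URL-level list
    cannot be applied without bumping.  A client that sends no SNI gets
    no_sni_action: 'terminate' is the strict choice, 'splice' the permissive one."""
    sni = extract_sni(record)
    if sni is None:
        return (no_sni_action, None)
    host = sni.lower().rstrip(".")
    for domain in blocked_domains:
        if host == domain or host.endswith("." + domain):
            return ("terminate", sni)
    return ("splice", sni)


if __name__ == "__main__":
    blocklist = ["tracker.example"]                         # hypothetical squidGuard domain list
    for name in ("www.example.com", "ads.tracker.example"):
        print(name, sni_policy(build_client_hello(name), blocklist))
    print("no SNI:", sni_policy(b"\x16\x03\x01\x00\x01\x01", blocklist, no_sni_action="terminate"))
```

The decision rests entirely on a client-supplied, unauthenticated field: a client that omits the SNI, or sends one for a different host than it will actually talk to, is not caught by a name-based rule, which is why the example makes the no-SNI case an explicit policy choice rather than a silent pass.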
chris4916

I'm confused :-[

1 - Is there any question?
2 - I don't even understand the title. To me, SSLBump and Man In The Middle are synonyms here.

Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

doktornotor

Ditto. So why are you setting up a transparent proxy in the first place if that's not what you want?

bbassotti

@chris4916:
> I'm confused :-[
>
> 1 - Is there any question?
> 2 - I don't even understand the title. To me, SSLBump and Man In The Middle are synonyms here.

OK, I'm not a native English speaker, so sorry for my poor language. With the configuration above it is possible to run a "transparent" Squid with filtering of HTTPS resources without substitution of certificates. How can this be accomplished with pfSense?

Best regards.

bbassotti

@bbassotti:
> @chris4916:
> > I'm confused :-[
> >
> > 1 - Is there any question?
> > 2 - I don't even understand the title. To me, SSLBump and Man In The Middle are synonyms here.
>
> OK, I'm not a native English speaker, so sorry for my poor language. With the configuration above it is possible to run a "transparent" Squid with filtering of HTTPS resources without substitution of certificates. How can this be accomplished with pfSense?
>
> Best regards.

With the above config I'm able to transparently check the SSL without explicit proxy config on the client.

Best regards.

doktornotor

                Yes, that's the whole point of transparent proxy. And you cannot do any SSL bump without faking the certs when transparent. Now that you have effectively made the SSL proxy no-op with splicing all, you could as well turn it off, no?

                Splice: Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in between.

bbassotti

@doktornotor:
> Yes, that's the whole point of transparent proxy. And you cannot do any SSL bump without faking the certs when transparent. Now that you have effectively made the SSL proxy no-op with splicing all, you could as well turn it off, no?
>
> Splice: Become a TCP tunnel without decoding the connection. The client and the server exchange data as if there is no proxy in between.

Yes and no. With the above config, as I previously explained, I can check the NAME of the SSL connection, then with squidGuard I can block/pass without installing ANY certificate on the client, so I can block the connection from any device (Android/iOS etc.).

Best regards.

doktornotor

Well no - not in Squid alone at least, since you've spliced the whole thing, so you cannot block anything there. What you've produced is possibly useful just for logging/monitoring.

                    (No idea about SquidGuard, since that thing is goddamn broken, unreadable, unmaintained mess. Just won't touch it.)

bbassotti

@doktornotor:
> Well no - not in Squid alone at least, since you've spliced the whole thing, so you cannot block anything there. What you've produced is possibly useful just for logging/monitoring.
>
> (No idea about SquidGuard, since that thing is goddamn broken, unreadable, unmaintained mess. Just won't touch it.)

:o I'm using it on NethServer :) so yes, it is possible with Squid 3.5.20.

Best regards.

doktornotor

                        Yeah, wonderful. This is pfSense forum. So, the point of this thread is exactly what? You've made a TCP tunnel out of any SSL connection in Squid. Great. Proxy invisible, traffic through. So, now what? (Again, I'm not talking about Squidguard, and I'm definitely NOT talking about nethserver or what's that.)

bbassotti

@doktornotor:
> Yeah, wonderful. This is pfSense forum. So, the point of this thread is exactly what? You've made a TCP tunnel out of any SSL connection in Squid. Great. Proxy invisible, traffic through. So, now what? (Again, I'm not talking about Squidguard, and I'm definitely NOT talking about nethserver or what's that.)

Yes, I know :) I'm asking IF it is possible to obtain the same with pfSense, NOT to compare this with anything else, or IF it will come in a future release. I'm not asking for the moon!

Best regards.

doktornotor

If you want SSL bump to have any chance of working, you need this patch on top of the latest Squid package on pfSense. Now, with that patch, whatever is whitelisted should get through (spliced), the rest will get bumped (and dealt with by stuff like Squidguard or whatever else; again, not tested, will not touch). Since that's the approach that was there from the very beginning and that made sense for users. Making a transparent TCP tunnel is not exactly the goal people are trying to produce.

susamlicubuk

Hi bbassotti,

The following topic may help you:

https://forum.pfsense.org/index.php?topic=123874.0

tadaog

This peek and splice permits SquidGuard and Squid to block https:// pages according to the rules set in SquidGuard/Squid, without decoding the rest of the pages.

Usually it's just what everybody needs!

I've learned this in practice and tried it with OPNsense (a fork of pfSense) and I've been hugely surprised how effective it is!

So I copied and pasted from their squid.conf the excerpt below into Services/Squid Proxy Server/General/Show Advanced Options/Custom ACLs (Before Auth):

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all

ssl_bump bump

sslproxy_cert_error deny all

tadaog

This procedure (after activating SSL Filtering under SSL Man In the Middle Filtering) does the job wonderfully, and WITHOUT the need for Man In the Middle Filtering, without any need for certs added to the clients.

                                  Only the URL is decoded and blocked (or permitted) as configured in Squidguard/Squid.

                                  I use pfBlockerNG too for the others critical blockings that need to be done on the battlefield that the Internet has become today!

tadaog

Sorry, I forgot to say that I'm using this without Transparent Proxy.

I'm using proxy.pac (and symlinks to it: wpad.dat and wpad.da) in the following way:

1. Installed the Shellcmd, Cron, Squidguard and Squid packages.

2. In Services/Shellcmd, click Add:
      Command:
          /usr/local/etc/rc.d/nginx onestart
      Shellcmd Type:
          shellcmd
      Description:
          2nd instance of nginx for wpad
   and click Save.

3. In Services/Cron, click Add. Fill Minute with */3, User with root and Command with
      [ -f /var/run/nginx.pid ] && true || /usr/local/etc/rc.d/nginx onestart

4. My pfSense firewall has LAN IP 192.168.192.1, so change the IP to YOUR pfSense IP in the proxy.pac I pasted right after this post, and use Diagnostics/Edit File to copy, paste and save it as /usr/local/www/nginx/proxy.pac

5. Create symlinks wpad.dat and wpad.da to proxy.pac in the same directory.

6. Create rules to force proxy use. Clients that use "Detect Automatically" in the browser usually get through the proxy, but follow the instructions that you'll find in this forum about wpad.dat configuration in Squid.

7. Client browsers may of course be configured to use the proxy by manual configuration.

tadaog

The proxy.pac I use follows:

function FindProxyForURL(url, host) {
  var wpad = "DIRECT";
  // return wpad;  // bypass when you wish to put the Squid proxy offline without removing proxy.pac

  host = host.toLowerCase();

  var hostIP;
  var isIpV4Addr = /^(\d+\.){3}\d+$/;

  if (isIpV4Addr.test(host))
    hostIP = host;
  else
    hostIP = dnsResolve(host);

  // dnsResolve() returns null when the name does not resolve, so the
  // local-network checks only run when an address is actually known;
  // names that do not resolve here fall through to the proxy, which
  // does its own DNS lookup.
  if (hostIP &&
      (isPlainHostName(host) ||
       shExpMatch(host, "*.local") ||
       shExpMatch(host, "*.localdomain.local") ||
       shExpMatch(hostIP, "10.*") ||
       shExpMatch(hostIP, "192.168.*") ||
       shExpMatch(hostIP, "127.*") ||
       isInNet(hostIP, "172.16.0.0", "255.240.0.0") ||
       shExpMatch(host, "fe80::*")))
    return wpad;

  // Main LAN
  var myIP = myIpAddress();
  if (shExpMatch(myIP, "169.254.*") ||
      isInNet(myIP, "192.168.192.0", "255.255.252.0"))
    wpad = "PROXY 192.168.192.1:3128; DIRECT";
  // For additional LAN subnets (example)
  else if (isInNet(myIP, "192.168.198.0", "255.255.252.0"))
    wpad = "PROXY 192.168.198.1:3128; DIRECT";

  return wpad;
}

bbassotti

@tadaog:
> This peek and splice permits SquidGuard and Squid to block https:// pages according to the rules set in SquidGuard/Squid, without decoding the rest of the pages.
>
> Usually it's just what everybody needs!
>
> I've learned this in practice and tried it with OPNsense (a fork of pfSense) and I've been hugely surprised how effective it is!
>
> So I copied and pasted from their squid.conf the excerpt below into Services/Squid Proxy Server/General/Show Advanced Options/Custom ACLs (Before Auth):
>
> # setup ssl bump acl's
> acl bump_step1 at_step SslBump1
> acl bump_step2 at_step SslBump2
> acl bump_step3 at_step SslBump3
> acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
>
> # configure bump
> ssl_bump peek bump_step1 all
> ssl_bump splice all
> ssl_bump peek bump_step2 all
> ssl_bump splice bump_step3 all
>
> ssl_bump bump
>
> sslproxy_cert_error deny all

Thank you! This also works with transparent proxy :)

fabiomello

I am the person who made this change to OPNsense; if you want and the maintainer of the package accepts, I could do a pull request with this change.
Note: it works only with domains and not with complete URLs, because it doesn't do the intercept.

doktornotor

@fabiomello:
> I am the person who made this change to OPNsense; if you want and the maintainer of the package accepts, I could do a pull request with this change.

So, this could be pretty much rewritten to:

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

sslproxy_cert_error deny all

@fabiomello:
> Note: it works only with domains and not with complete URLs, because it doesn't do the intercept.

Yes, that is the problem. It does not intercept. Most of the code does nothing, as indicated above. It splices everything; you are finished with the stuff after the red line marked above [1].

What the code in pfSense Squid attempts to do is: do NOT intercept the 'Whitelist' ACL (that's what your no-op bump_nobumpsites ACL attempts to do, but the code is just not used anywhere) and intercept the rest [2].

                                            [1] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1539
                                            [2]
                                            https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1826
                                            https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1887

                                            I must be missing something here.

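Squid evaluates ssl_bump lines in order at each bumping step and takes the first line whose ACLs all match, which is the mechanism behind the point made above that everything after `ssl_bump splice all` is dead. The following is an added example, not Squid or pfSense code: a small model of that first-match evaluation over the rule list quoted in this thread, beside a name-based list that peeks for the SNI and then terminates or splices. It models only the ACL kinds the thread uses (`at_step`, `ssl::server_name`, `all`), treats a bare `ssl_bump bump` as always matching, and uses an invented blocklist and sample host names; the `FIXED_RULES` list and its squid.conf rendering in the comment are this example's own suggestion.

```python
"""Added example (not pfSense or Squid code): a small model of Squid's
first-match ssl_bump evaluation, used to show why the rule list quoted in
this thread never gets past its second line, and what a name-based
block-without-bumping list looks like.  Only the ACL kinds the thread uses
are modelled: at_step, ssl::server_name and all.  Step numbers 1..3 stand
for SslBump1..SslBump3.  Blocked host names and sample SNIs are invented."""

# Actions that end the bumping decision; peek/stare continue to the next step.
# 'terminate' (close both sides) is a Squid 3.5+ action.
FINAL = {"splice", "bump", "terminate"}

# Hypothetical blocklists, keyed by the name an ssl::server_name ACL would refer to.
BLOCKLISTS = {"blocked": {"tracker.example", "bad.example"}}

# A rule is (action, acl_list); every ACL on the line must match (Squid ANDs
# them).  ACLs are (kind, argument) pairs.
THREAD_RULES = [                          # the list posted above
    ("peek",   [("at_step", 1), ("all", None)]),
    ("splice", [("all", None)]),
    ("peek",   [("at_step", 2), ("all", None)]),
    ("splice", [("at_step", 3), ("all", None)]),
    ("bump",   []),                       # bare 'ssl_bump bump', modelled as always matching
]

# Peek once to learn the SNI, then decide by name.  squid.conf equivalent
# (added here, not from the thread):
#   acl step1 at_step SslBump1
#   acl blocked_sni ssl::server_name "/usr/local/etc/squid/blocked_sni.acl"
#   ssl_bump peek step1
#   ssl_bump terminate blocked_sni
#   ssl_bump splice all
FIXED_RULES = [
    ("peek",      [("at_step", 1)]),
    ("terminate", [("ssl::server_name", "blocked")]),
    ("splice",    [("all", None)]),
]


def acl_matches(acl, step, sni):
    kind, arg = acl
    if kind == "all":
        return True
    if kind == "at_step":
        return step == arg
    if kind == "ssl::server_name":
        # In intercept mode the name is only known from step 2 (ClientHello SNI)
        # onwards; at step 1 Squid has just the destination IP.
        if sni is None:
            return False
        names = BLOCKLISTS[arg]
        return sni in names or any(sni.endswith("." + d) for d in names)
    raise ValueError("unsupported acl " + kind)


def first_match(rules, step, sni):
    """Index and action of the first rule whose ACLs all match at this step.
    When nothing matches, Squid's default is to splice (become a TCP tunnel)."""
    for i, (action, acls) in enumerate(rules):
        if all(acl_matches(a, step, sni) for a in acls):
            return i, action
    return None, "splice"


def trace(rules, sni):
    """Walk one intercepted TLS connection through the steps.
    Returns [(step, rule_index, action), ...]; the SNI is unknown until step 2."""
    path = []
    for step in (1, 2, 3):
        idx, action = first_match(rules, step, sni if step >= 2 else None)
        path.append((step, idx, action))
        if action in FINAL:
            break
    return path


def dead_rules(rules, sample_snis):
    """Rule indices that never fire for any of the sample connections."""
    fired = {idx for s in sample_snis for _, idx, _ in trace(rules, s) if idx is not None}
    return [i for i in range(len(rules)) if i not in fired]


if __name__ == "__main__":
    samples = ["www.example.com", "ads.tracker.example"]
    for name, rules in (("thread", THREAD_RULES), ("fixed", FIXED_RULES)):
        for sni in samples:
            print(name, sni, trace(rules, sni))
        print(name, "dead rules:", dead_rules(rules, samples))
```

With the thread's list every connection ends at rule 1 (`splice all`) at step 2, so rules 2, 3 and 4 never fire and no name is ever blocked; with the peek-then-terminate list a blocked SNI is closed at step 2 and everything else is spliced, still without a certificate on the client. The decision is still made on the unauthenticated SNI the client chose to send, so it is a policy control, not a security boundary.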
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.