[PATCH][TESTREQ] Squid package 0.4.29 SSL/MITM proxy fixes
-
Anyone using the SSL/MITM "feature" with Squid and either 2.3.3 or 2.4 snapshots:
0/ Make a configuration backup!!!
1/ Make sure you have upgraded Squid to the latest version (0.4.29 ATM)
2/ Install System Patches package if not installed yet
3/ Add a new patch in System - Patches:
Description: whatever
Patch Contents:--- a/usr/local/pkg/squid.inc 2016-12-28 11:01:34.520896000 +0100 +++ b/usr/local/pkg/squid.inc 2016-12-28 11:00:43.933881000 +0100 @@ -1138,7 +1138,7 @@ $conf = "# This file is automatically generated by pfSense\n"; $conf .= "# Do not edit manually !\n\n"; // Check ssl interception - if (($settings['ssl_proxy'] == 'on')) { + if ($settings['ssl_proxy'] == 'on') { squid_check_ca_hashes(); $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { @@ -1539,15 +1539,11 @@ $conf = <<< EOD # Setup some default acls -# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. -# acl localhost src 127.0.0.1/32 +# ACLs all, manager, localhost, and to_localhost are predefined. acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 {$webgui_port} {$port} {$ssl_port} 1025-65535 {$addtl_ports} acl sslports port 443 563 {$webgui_port} {$addtl_sslports} -# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. -#acl manager proto cache_object - acl purge method PURGE acl connect method CONNECT 
@@ -1557,6 +1553,28 @@ EOD; + if ($squidsettings['ssl_proxy'] == 'on') { + $conf .= <<< EOD + +# SslBump Peek and Splice +# http://wiki.squid-cache.org/Features/SslPeekAndSplice +# http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit +# Match against the current step during ssl_bump evaluation [fast] +# Never matches and should not be used outside the ssl_bump context. +# +# At each SslBump step, Squid evaluates ssl_bump directives to find +# the next bumping action (e.g., peek or splice). Valid SslBump step +# values and the corresponding ssl_bump evaluation moments are: +# SslBump1: After getting TCP-level and HTTP CONNECT info. +# SslBump2: After getting SSL Client Hello info. +# SslBump3: After getting SSL Server Hello info. +acl step1 at_step SslBump1 +acl step2 at_step SslBump2 +acl step3 at_step SslBump3 + +EOD; + } + $allowed_subnets = preg_replace("/\s+/"," ", sq_text_area_decode($settings['allowed_subnets'])); if (!empty($allowed_subnets)) { $conf .= "acl allowed_subnets src $allowed_subnets\n"; @@ -1609,9 +1627,7 @@ http_access deny CONNECT !sslports # Always allow localhost connections -# From 3.2 further configuration cleanups have been done to make things easier and safer. -# The manager, localhost, and to_localhost ACL definitions are now built-in. -# http_access allow localhost +http_access allow localhost EOD; @@ -1743,12 +1759,6 @@ $conf = ''; - // SSL interception acl options part 1 - if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])) { - $conf .= "always_direct allow whitelist\n"; - $conf .= "ssl_bump none whitelist\n"; - } - // Package integration if (!empty($settingsconfig['custom_options'])) { $co_preg[0] = '/;/'; 
@@ -1840,10 +1850,13 @@ } } if ($auth_method == 'none') { - // SSL interception acl options part 2 without authentication + // SSL interception ACL options without authentication if ($settingsconfig['ssl_proxy'] == "on") { - $conf .= "always_direct allow all\n"; - $conf .= "ssl_bump server-first all\n"; + $conf .= "ssl_bump peek step1\n"; + if (!empty($settingsnac['whitelist'])) { + $conf .= "ssl_bump splice whitelist\n"; + } + $conf .= "ssl_bump bump all\n"; } $conf .= "# Setup allowed ACLs\n"; $allowed = array('allowed_subnets'); @@ -1897,10 +1910,13 @@ // Custom User Options after authentication definition $conf .= "# Custom options after auth\n" . sq_text_area_decode($settingsconfig['custom_options2_squid3']) . "\n\n"; - // SSL interception acl options part 2 + // SSL interception ACL options with authentication if ($settingsconfig['ssl_proxy'] == "on") { - $conf .= "always_direct allow all\n"; - $conf .= "ssl_bump server-first all\n"; + $conf .= "ssl_bump peek step1\n"; + if (!empty($settingsnac['whitelist'])) { + $conf .= "ssl_bump splice whitelist\n"; + } + $conf .= "ssl_bump bump all\n"; } // Onto the ACLs $password = array('localnet', 'allowed_subnets');
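Review bot: in the @@ -1557 hunk the guard tests `$squidsettings['ssl_proxy']`, while the @@ -1138 hunk in the same file tests `$settings['ssl_proxy']`. If `$squidsettings` is not the array in scope at that point, the `acl step1/step2/step3 at_step` lines are never written and the later `ssl_bump peek step1` refers to an undefined ACL, which Squid rejects when it parses squid.conf. Please confirm the variable name; `step2` and `step3` are also defined but used by no ssl_bump rule in this patch, so they could be dropped.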
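Review bot: the @@ -1609 hunk turns the commented-out `# http_access allow localhost` into a live rule, which is a functional change rather than a comment cleanup: requests from 127.0.0.1 are now allowed ahead of every later auth and ACL rule. That matches Squid's default and is reasonable on a firewall host, but it deserves a sentence in the description, since the removed comment wrongly claimed the rule itself was built-in (only the `localhost` ACL is predefined, the `http_access` line is not).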
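Review bot: the @@ -1743 hunk removes `always_direct allow whitelist` along with `ssl_bump none whitelist`, but the replacement in the @@ -1840 and @@ -1897 hunks only adds `ssl_bump splice whitelist` and no `always_direct` rule. Whitelisted hosts that previously always went direct will now follow whatever cache_peer rules are configured. If that is intended, say so in the description; otherwise keep the `always_direct allow whitelist` line.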
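Review bot: the block added in the @@ -1840 hunk (`ssl_bump peek step1`, optional `ssl_bump splice whitelist`, `ssl_bump bump all`) is repeated verbatim in the @@ -1897 hunk; emitting it from one small helper would keep the no-auth and auth paths from drifting apart. Both hunks also drop `always_direct allow all`, which changes routing for setups with a cache_peer and should be called out in the description.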
Path Strip Count: 1
Save, Test, Apply.
4/ IMPORTANT: Save Squid configuration. (Services - Squid Proxy Server - click Save on the General tab.)
5/ Test and report back any regressions. (Regression: Something was working before this patch and is not working any more after applying it. If something was not working before this patch and it's still not working, then there's no regression anywhere.)
References:
- https://github.com/pfsense/FreeBSD-ports/pull/242
- https://redmine.pfsense.org/issues/6527
-----------------------------
NOTE #1: If your configuration was NOT working before this patch, this thread is NOT the place to moan about it.
NOTE #2: I have no idea whether this patch applies to and works with 2.3.2-p1 and the Squid version available there. This thread is NOT the place to request backporting if that does not work. -
I tried the patch and weirdly enough, after some time it broke Squid. I had a few ICMP errors with HTTPS sites and then couldn't browse at all. Removing the patch and reinstalling Squid fixed it. Anyone else tried the patch? Seems I'm the only one, maybe this issue is specific to me as I am tinkering with a lot.
-
Well, this either works or does not. It does not produce anything like "after sometime it broke".
Anyone else tried the patch?
Apparently not.
-
Merged in 0.4.30 to 2.3.3/2.4, closing.