Squid fatal error with SSL interception



  • The transparent SSL proxy was working and I'm not sure when it stopped exactly but I cannot get it to work again. When I start the Squid service it stops immediately.  If I disable SSL filtering Squid works just fine. To figure out what might be going on I ran "squid -k parse" to test the config and I get:

    2017/08/19 07:53:43| Processing: adaptation_access service_avi_resp allow all
    2017/08/19 07:53:43| Initializing https proxy context
    2017/08/19 07:53:43| Initializing http_port 192.168.200.1:3128 SSL context
    2017/08/19 07:53:43| Using certificate in /usr/local/etc/squid/serverkey.pem
    2017/08/19 07:53:43| WARNING: X509_check_private_key() failed to verify signing cert
    FATAL: No valid signing SSL certificate configured for HTTP_port 192.168.200.1:3128
    Squid Cache (Version 3.5.26): Terminated abnormally.

    I don't understand why it's trying to configure an SSL certificate for the HTTP port, shouldn't that only be needed for the HTTPS port? The configuration generated after enabling SSL interception is:

    _# This file is automatically generated by pfSense

    Do not edit manually !

    http_port 192.168.200.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

    http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

    https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE

    icp_port 0
    digest_generation off
    dns_v4_first off
    pid_filename /var/run/squid/squid.pid
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language en
    icon_directory /usr/local/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger
    sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
    sslcrtd_children 5
    sslproxy_capath /usr/local/share/certs/
    sslproxy_options NO_SSLv2,NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
    sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

    logfile_rotate 0
    debug_options rotate=0
    shutdown_lifetime 3 seconds

    Allow local network(s) on interface(s)

    acl localnet src  192.168.200.0/24
    forwarded_for truncate
    httpd_suppress_version_string on
    uri_whitespace strip

    acl dynamic urlpath_regex cgi-bin ?
    cache deny dynamic

    cache_mem 64 MB
    maximum_object_size_in_memory 256 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    minimum_object_size 0 KB
    maximum_object_size 4 MB
    cache_dir ufs /var/squid/cache 100 16 256
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all

    Add any of your own refresh_pattern entries above these.

    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|?) 0  0%  0
    refresh_pattern .    0  20%  4320

    #Remote proxies

    Setup some default acls

    ACLs all, manager, localhost, and to_localhost are predefined.

    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535
    acl sslports port 443 563

    acl purge method PURGE
    acl connect method CONNECT

    Define protocols used for redirects

    acl HTTP proto HTTP
    acl HTTPS proto HTTPS

    SslBump Peek and Splice

    http://wiki.squid-cache.org/Features/SslPeekAndSplice

    http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

    Match against the current step during ssl_bump evaluation [fast]

    Never matches and should not be used outside the ssl_bump context.

    At each SslBump step, Squid evaluates ssl_bump directives to find

    the next bumping action (e.g., peek or splice). Valid SslBump step

    values and the corresponding ssl_bump evaluation moments are:

    #  SslBump1: After getting TCP-level and HTTP CONNECT info.
    #  SslBump2: After getting TLS Client Hello info.
    #  SslBump3: After getting TLS Server Hello info.

    These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that

    they can be used there for custom configuration.

    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl step3 at_step SslBump3
    acl allowed_subnets src 192.168.1.0/24
    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    Always allow localhost connections

    http_access allow localhost

    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc

    Reverse Proxy settings

    Package Integration

    url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    url_rewrite_bypass off
    url_rewrite_children 16 startup=8 idle=4 concurrency=0

    Custom options before auth

    access_log syslog:local8.info;

    Always allow access to whitelist domains

    http_access allow whitelist
    acl sglog url_regex -i sgr=ACCESSDENIED
    http_access deny sglog
    ssl_bump peek step1
    ssl_bump splice whitelist
    ssl_bump bump all

    Setup allowed ACLs

    Allow local network(s) on interface(s)

    http_access allow allowed_subnets
    http_access allow localnet

    Default block all to be sure

    http_access deny allsrc

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024

    icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
    adaptation_access service_avi_req allow all
    icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
    adaptation_access service_avi_resp allow all_


  • Banned

    Noone read the GUI descriptions these days? Sigh…

    Stop ticking that checkbox or configure a valid CA certificate created in Cert. Manager.