Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SSL Splicing uses IP address instead of SNI

    Scheduled Pinned Locked Moved Cache/Proxy
    1 Posts 1 Posters 302 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      Dractyl
      last edited by Dractyl

      Hi everyone,

      I've got a curious problem regarding SSL Splicing on Squid (no SquidGuard) on 2.5.2.

      When I try to access any SSL web page (for which I have an entry in my whitelist), I get an error page from Squid showing me that I am not allowed to access the resolved IP address of that server.

      Screen Shot 2021-08-05 at 0.22.31.png

      This matches what is in the "Real Time" tab:

      04.08.2021 15:22:19 	[ADDRESS] 	NONE/403 	https://www.microsoft.com/ 	- 	-
      04.08.2021 15:22:19 	[ADDRESS] 	TCP_DENIED/200 	23.44.161.156:443 	- 	-
      

      I also turned on some more extensive logging (debug_options ALL,1 83,3 28,3 78,3 33,3 35,3) and noticed that there was header data in there, which I should not be able to get on a splice.

      My config works fine if I manually set the client's proxy. Transparent HTTP works as well.

      Here is the generated config:

      http_port [ADDRESS]:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.4096 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
      
      http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.4096 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
      
      https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.4096 options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
      
      icp_port 0
      digest_generation off
      dns_v4_first on
      pid_filename /var/run/squid/squid.pid
      cache_effective_user squid
      cache_effective_group proxy
      error_default_language en
      icon_directory /usr/local/etc/squid/icons
      visible_hostname [HOSTNAME]
      cache_mgr [EMAIL]
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/local/libexec/squid/pinger
      sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/lib/ssl_db -M 4MB -b 2048
      tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
      tls_outgoing_options capath=/usr/local/share/certs/
      tls_outgoing_options options=NO_SSLv3,NO_TLSv1,SINGLE_DH_USE,SINGLE_ECDH_USE
      tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!SHA1:!MD5:!EXP:!PSK:!SRP:!DSS
      sslcrtd_children 5
      
      logfile_rotate 0
      debug_options rotate=0
      shutdown_lifetime 3 seconds
      forwarded_for off
      via off
      httpd_suppress_version_string on
      uri_whitespace strip
      
      
      cache_mem 64 MB
      maximum_object_size_in_memory 256 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      minimum_object_size 0 KB
      maximum_object_size 4 MB
      cache_dir ufs /var/squid/cache 100 16 256
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all
      # Add any of your own refresh_pattern entries above these.
      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
      refresh_pattern .    0  20%  4320
      
      
      #Remote proxies
      
      
      # Setup some default acls
      # ACLs all, manager, localhost, and to_localhost are predefined.
      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 
      acl sslports port 443 563  
      
      acl purge method PURGE
      acl connect method CONNECT
      
      # Define protocols used for redirects
      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      
      # SslBump Peek and Splice
      # http://wiki.squid-cache.org/Features/SslPeekAndSplice
      # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
      # Match against the current step during ssl_bump evaluation [fast]
      # Never matches and should not be used outside the ssl_bump context.
      #
      # At each SslBump step, Squid evaluates ssl_bump directives to find
      # the next bumping action (e.g., peek or splice). Valid SslBump step
      # values and the corresponding ssl_bump evaluation moments are:
      #   SslBump1: After getting TCP-level and HTTP CONNECT info.
      #   SslBump2: After getting TLS Client Hello info.
      #   SslBump3: After getting TLS Server Hello info.
      # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
      # they can be used there for custom configuration.
      acl step1 at_step SslBump1
      acl step2 at_step SslBump2
      acl step3 at_step SslBump3
      acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
      http_access allow manager localhost
      
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports
      
      # Always allow localhost connections
      http_access allow localhost
      
      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc
      
      # Reverse Proxy settings
      
      
      # Custom options before auth
      
      # Always allow access to whitelist domains
      http_access allow whitelist
      # Set YouTube safesearch restriction
      acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
      request_header_access YouTube-Restrict deny all
      request_header_add YouTube-Restrict none youtubedst
      ssl_bump peek step1
      ssl_bump splice all
      # Setup allowed ACLs
      # Default block all to be sure
      http_access deny allsrc
      

      So my basic concerns are:

      • Shouldn't this be using the SNI to check the white list?
      • Why is there an asterisk at the end of that URL?
      • Why am I seeing headers in the logs given that I am using "Splice All"? During a splice the system should neither be reading nor creating headers; it's a straight TCP pass thru.

      Does this look familiar to anyone?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.