Project

General

Profile

Bug #7871

Add squid validation for selected CA when MITM is enabled

Added by Kill Bill about 1 month ago. Updated 3 days ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
Squid
Target version:
-
Start date:
09/17/2017
Due date:
% Done:

0%

Affected Version:
All
Affected Architecture:
All

Description

Obviously, this needs to be a CA we have a private key to so that it can issue certificates on the fly to prevent PEBKAC cases such as [1]. The current validation does not check this. [2]

@jimp: Any chance you can hack a quick check for this? Otherwise please re-assign to myself and I'll dig into the certs.inc later, not exactly something I'd be familiar with. The other relevant code is here [3] - so it basically adds the required bits to squid.conf if we can get the private key, if not, it results in broken config as in [1]. I guess there's no need to touch that once the validation is in place though.

[1] https://forum.pfsense.org/index.php?topic=136450.0
[2] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L808
[3] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1124

History

#1 Updated by Kill Bill about 1 month ago

P.S. There's https://github.com/pfsense/FreeBSD-ports/pull/402 that's been sitting there for about a month, would be nice to get both done at the same time.

#2 Updated by Jim Pingle 3 days ago

  • Status changed from New to Feedback
  • Target version deleted (2.4.1)

OK I added two different sets of protection:

1. Input validation to warn if a user selected a CA without a private key
2. I changed it so the CA list does not include entries without a private key

I added #1 in case somehow the user manages to submit the form with an old/invalid setting, but really #2 should make #1 unnecessary. Since it impacts squid so severely, I felt both were warranted.

Removing target version since this is a package and not tied to a specific release.

#3 Updated by Kill Bill 3 days ago

Looks good here, only usable CAs are being offered in the Squid GUI with 0.4.42. Thanks!

#4 Updated by Jim Pingle 3 days ago

  • Status changed from Feedback to Resolved

Great, thanks for testing!

Also available in: Atom PDF