Bug #7871

closed

Add squid validation for selected CA when MITM is enabled

Added by Kill Bill over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: Squid
Target version: -
Start date: 09/17/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture: All

Description

Obviously, this needs to be a CA we have a private key to so that it can issue certificates on the fly to prevent PEBKAC cases such as [1]. The current validation does not check this. [2]

Jim Pingle: Any chance you can hack a quick check for this? Otherwise please re-assign to myself and I'll dig into the certs.inc later, not exactly something I'd be familiar with. The other relevant code is here [3] - so it basically adds the required bits to squid.conf if we can get the private key, if not, it results in broken config as in [1]. I guess there's no need to touch that once the validation is in place though.

[1] https://forum.pfsense.org/index.php?topic=136450.0
[2] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L808
[3] https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L1124

Actions #1

Updated by Kill Bill over 6 years ago

P.S. There's https://github.com/pfsense/FreeBSD-ports/pull/402 that's been sitting there for about a month, would be nice to get both done at the same time.

Actions #2

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Feedback
  • Target version deleted (2.4.1)

OK I added two different sets of protection:

1. Input validation to warn if a user selected a CA without a private key
2. I changed it so the CA list does not include entries without a private key

I added #1 in case somehow the user manages to submit the form with an old/invalid setting, but really #2 should make #1 unnecessary. Since it impacts squid so severely, I felt both were warranted.

Removing target version since this is a package and not tied to a specific release.
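
The two protections described in this update, sketched in PHP as an added example that is not part of the thread and not the pfSense package's code. It assumes each CA entry is an array with `refid`, `descr`, `crt` and `prv` keys holding base64-encoded PEM; the function names, error text and sample CAs are hypothetical. It goes one step beyond a presence check by also confirming that the key matches the certificate.

```php
<?php
// Added illustration, not pfSense code. Assumed CA entry layout:
// ['refid' => ..., 'descr' => ..., 'crt' => base64 PEM, 'prv' => base64 PEM].

/** True only if the entry carries a private key that matches its certificate. */
function ca_can_sign(array $ca): bool {
    if (empty($ca['crt']) || empty($ca['prv'])) {
        return false;                       // certificate-only import: cannot issue
    }
    $crt = base64_decode($ca['crt'], true);
    $prv = base64_decode($ca['prv'], true);
    if ($crt === false || $prv === false) {
        return false;                       // corrupted stored value
    }
    $key = openssl_pkey_get_private($prv);
    return $key !== false && openssl_x509_check_private_key($crt, $key);
}

/** Protection 2: the selection list only offers CAs that can sign. */
function usable_ca_options(array $cas): array {
    $options = [];
    foreach ($cas as $ca) {
        if (ca_can_sign($ca)) {
            $options[$ca['refid']] = $ca['descr'];
        }
    }
    return $options;
}

/** Protection 1: reject a stale or hand-crafted submission at validation time. */
function validate_mitm_ca(string $refid, array $cas): array {
    $errors = [];
    if (!array_key_exists($refid, usable_ca_options($cas))) {
        $errors[] = 'The selected CA has no usable private key, so it cannot sign certificates.';
    }
    return $errors;
}

// Constructed sample data: one self-signed CA, listed once with and once without its key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new(['commonName' => 'Example CA'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 365), $crt_pem);
openssl_pkey_export($key, $key_pem);
$cas = [
    ['refid' => 'ca-with-key', 'descr' => 'Internal CA', 'crt' => base64_encode($crt_pem), 'prv' => base64_encode($key_pem)],
    ['refid' => 'ca-cert-only', 'descr' => 'Imported CA', 'crt' => base64_encode($crt_pem), 'prv' => ''],
];
print_r(usable_ca_options($cas));
print_r(validate_mitm_ca('ca-cert-only', $cas));
```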

Actions #3

Updated by Kill Bill over 6 years ago

Looks good here, only usable CAs are being offered in the Squid GUI with 0.4.42. Thanks!

Actions #4

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved

Great, thanks for testing!
