
Bug #8774

Whitelist ACL type not supported by ssl_bump

Added by Ortwin Angermeier 12 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
08/09/2018
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.4.x
Affected Architecture:
All

Description

The general purpose whitelist (/var/squid/acl/whitelist.acl) uses a dstdom_regex ACL. dstdomain ACLs do not work with ssl_bump.

Quoting the Squid wiki:
At no point during ssl_bump processing will dstdomain ACL work. That ACL relies on HTTP message details that are not yet decrypted. An ssl::server_name acl type is provided instead that uses CONNECT, SNI, or server certificate Subject name (whichever is available).

This results in just ignoring the whitelist and bumping all.

squid -k parse output with mode "Splice whitelist, bump others":

2018/08/09 07:35:47| Processing: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl" 
2018/08/09 07:35:47| Processing: http_access allow manager localhost
2018/08/09 07:35:47| Processing: http_access deny manager
2018/08/09 07:35:47| Processing: http_access allow purge localhost
2018/08/09 07:35:47| Processing: http_access deny purge
2018/08/09 07:35:47| Processing: http_access deny !safeports
2018/08/09 07:35:47| Processing: http_access deny CONNECT !sslports
2018/08/09 07:35:47| Processing: http_access allow localhost
2018/08/09 07:35:47| Processing: request_body_max_size 0 KB
2018/08/09 07:35:47| Processing: delay_pools 1
2018/08/09 07:35:47| Processing: delay_class 1 2
2018/08/09 07:35:47| Processing: delay_parameters 1 -1/-1 -1/-1
2018/08/09 07:35:47| Processing: delay_initial_bucket_level 100
2018/08/09 07:35:47| Processing: delay_access 1 deny unrestricted_hosts
2018/08/09 07:35:47| Processing: delay_access 1 allow allsrc
2018/08/09 07:35:47| Processing: http_access allow unrestricted_hosts
2018/08/09 07:35:47| Processing: http_access allow whitelist
2018/08/09 07:35:47| Processing: ssl_bump peek step1
2018/08/09 07:35:47| Processing: ssl_bump splice whitelist
2018/08/09 07:35:47| Processing: ssl_bump bump all

squid -k parse output with mode "Custom" and the following custom config:

acl noBump ssl::server_name .discord.gg 
acl noBump ssl::server_name .discordapp.com 
acl noBump ssl::server_name .discordapp.net
ssl_bump peek step1
ssl_bump splice noBump
ssl_bump bump all

Discord was not working anymore after replacing my old fw with pfSense :)

Tested ssl::server_name and ssl::server_name_regex, both work.

2018/08/09 07:54:16| Processing: acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl" 
2018/08/09 07:54:16| Processing: http_access allow manager localhost
2018/08/09 07:54:16| Processing: http_access deny manager
2018/08/09 07:54:16| Processing: http_access allow purge localhost
2018/08/09 07:54:16| Processing: http_access deny purge
2018/08/09 07:54:16| Processing: http_access deny !safeports
2018/08/09 07:54:16| Processing: http_access deny CONNECT !sslports
2018/08/09 07:54:16| Processing: http_access allow localhost
2018/08/09 07:54:16| Processing: request_body_max_size 0 KB
2018/08/09 07:54:16| Processing: delay_pools 1
2018/08/09 07:54:16| Processing: delay_class 1 2
2018/08/09 07:54:16| Processing: delay_parameters 1 -1/-1 -1/-1
2018/08/09 07:54:16| Processing: delay_initial_bucket_level 100
2018/08/09 07:54:16| Processing: delay_access 1 deny unrestricted_hosts
2018/08/09 07:54:16| Processing: delay_access 1 allow allsrc
2018/08/09 07:54:16| Processing: http_access allow unrestricted_hosts
2018/08/09 07:54:16| Processing: http_access allow whitelist
2018/08/09 07:54:16| Processing: acl noBump ssl::server_name .discord.gg
2018/08/09 07:54:16| Processing: acl noBump ssl::server_name .discordapp.com
2018/08/09 07:54:16| Processing: acl noBump ssl::server_name .discordapp.net
2018/08/09 07:54:16| Processing: ssl_bump peek step1
2018/08/09 07:54:16| Processing: ssl_bump splice noBump
2018/08/09 07:54:16| Processing: ssl_bump bump all

Zacha pointed me to the right direction: https://forum.netgate.com/topic/119117/squid-acl-whitelist-not-working/3

As for how to solve the issue without breaking old whitelist configurations, I suggest adding a new ACL that is used for ssl_bump only in the UI.
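The following is an added check, not code from the report, pfSense or Squid: it scans a squid.conf for ssl_bump rules that reference dstdomain or dstdom_regex ACLs, the misconfiguration described above, and reports them so the rule can be rewritten against an ssl::server_name ACL. Both sample configs are constructed from the report's parse output, and the .example.test hostname is a placeholder.

```python
# ACL types that match on HTTP message details, which are not yet
# decrypted when ssl_bump rules are evaluated (see the Squid wiki quote).
HTTP_ONLY_ACL_TYPES = {"dstdomain", "dstdom_regex"}

# Constructed sample modelled on the "Splice whitelist, bump others" output:
# the splice rule references a dstdom_regex ACL, so it never matches.
BROKEN_CONF = """\
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow whitelist
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump bump all
"""

# Constructed sample of the working shape: the splice rule uses an
# ssl::server_name ACL (hostname is a placeholder).
FIXED_CONF = """\
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
acl noBump ssl::server_name .example.test
http_access allow whitelist
ssl_bump peek step1
ssl_bump splice noBump
ssl_bump bump all
"""


def acl_types(conf):
    """Map every ACL declared as 'acl NAME TYPE ...' to its type."""
    types = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "acl":
            types[parts[1]] = parts[2]
    return types


def ssl_bump_acl_mismatches(conf):
    """Return (line_no, acl_name, acl_type) for each ACL used by an
    ssl_bump rule whose type cannot match during ssl_bump processing."""
    types = acl_types(conf)
    findings = []
    for no, line in enumerate(conf.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ssl_bump":
            continue
        # parts[1] is the action; the rest are ACL names, possibly negated
        # with '!'. Built-ins such as step1 and all are not declared in
        # the file and are therefore skipped.
        for ref in parts[2:]:
            name = ref.lstrip("!")
            if types.get(name) in HTTP_ONLY_ACL_TYPES:
                findings.append((no, name, types[name]))
    return findings
```

Running the check over a pfSense-generated squid.conf flags the "Splice whitelist" rule; the custom ssl::server_name configuration from the report produces no findings.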
