Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Bumping may cause an Unreachable Network and/or certificate issues #107

Open
leodexe opened this issue Apr 13, 2023 · 1 comment
Open

SSL Bumping may cause an Unreachable Network and/or certificate issues #107

leodexe opened this issue Apr 13, 2023 · 1 comment

Comments

@leodexe
Copy link

leodexe commented Apr 13, 2023

I have succesfully set up Squid as a filtering proxy, but I have issues when trying to enable SSL Bump.
Note that without SSL Bumping, the proxy works and my custom rules works just as fine, with the only difference that with SSL Bump enabled it displays the Squid error messages instead of the built-in browser error messages when connection isn't possible on HTTPS.
error114
I followed the steps in this guide to enable SSL Bump, but doing so cuts the internet connection so only the http insecure websites shows (example: somesite.org is still accesible), displaying this error message: The system returned: (114) Network is unreachable.

My squid.conf:

acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 27886	# kaillera p2p
acl Safe_ports port 27888	# kaillera srv
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access deny to_localhost

# Note: localhost and localnet must be in a single line
http_access allow localhost localnet

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl list1 dstdomain "/etc/squid/list1.txt"
http_access allow list1
# list contains social media sites like facebook.com and some search engines

# And finally, deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/etc/squid/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# certificate generation program, I only ran this once to initialize DB
#sslcrtd_program /lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB

ssl_bump stare all
ssl_bump bump all

visible_hostname octo10

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache/squid 3000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

#dns_nameservers 8.8.8.8 208.67.222.222
dns_nameservers 94.140.14.15 94.140.15.16

max_filedescriptors 3200

Additional info: Sometimes I would get this error71 instead, but I think that's because of my deny all policy. It still does happen on allow all but less likely to appear than err114. I also used this other guide, because I use Arch Linux and Squid Proxy works there just fine.

I hope with this info I can get some troubleshooting.

OS: Win10x64 22H2
error71

Attached cache.log and access.log when Err 114 occurs.
cache.log
access.log
@leodexe
Copy link
Author

leodexe commented Apr 13, 2023
edited
Loading

UPDATE: It seems some ssl_bump actions during certain steps will render the Network Unreachable. These are:

# Seems to be OK, but not useful for a functional urlpath_regex. Order matters.
#ssl_bump splice step1
#ssl_bump stare step1
#ssl_bump bump step2
#ssl_bump peek step2
#ssl_bump splice step2
#ssl_bump bump step3
#ssl_bump splice step3
#ssl_bump splice all steps

# OK if left alone, triggers code71 with some other actions
#ssl_bump peek step1 with stare step2
#ssl_bump stare step1 with stare step2

# Always triggers code71 and 114
#ssl_bump stare all
#ssl_bump stare step 2

# Always trigger code71 and 114 but urlpath_regex works correctly with https
#ssl_bump bump all
#ssl_bump bump step1

The step I need to get working urlpath_regex for https is bump step1, but this renders a network unreachable for the targeted domain. After investigating more I found a workaround, that fixes this problem but may create a security risk later.

I will also change the title so it reflects more accurately the issue I'm dealing with.

UPDATE2: I found a workaround to deal with the error (71) code while also being able to bump on step1 and still access a fully functional website:

acl g_img urlpath_regex -i ^.*&tbm=isch.*$
acl ddg_l urlpath_regex -i ^\/lite.*$
acl bump_this dstdom_regex -i "/etc/squid/sslbumpers.txt"
acl err71 ssl_error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

sslproxy_cert_error allow err71
sslproxy_cert_error deny all

ssl_bump bump bump_this

In sslbumpers.txt goes the websites I want to get bumped on step1, doesn't matter if you specify step1 or not because it ends there anyways. Because g_img (Google) and ddg_l (DuckDuckGo) uses a urlpath_regex they require a step1 bump so the rule can work properly. Doing so will trigger code 71 for these domains which is a Protocol/SSL Certificate Error as previously described.

The simplest way to "fix" code 71 is to simply allow this error through so you can access the website. But this can impose a security risk because the proxy will also ignore this error for other sites that aren't bumped on step1 but still it's the closest thing to fixing it and navigating without any more trouble until a better fix comes around.

Just to recap:

bump: Required for a fully functional urlpath_regex and other regex patterns, must bump in step1 or won't work.
Causes error code 71, which can be ignored to continue navigation, does not cause other certificate issues.
peek: Safe to use. Doesn't cause any certificate or connection issues.
stare: Can cause certificate issues like preventing the certificate from being trusted, it's more problematic than bump.
splice: Safe to use as it skips the proxy entirely.
client-first: Has the same properties as bump. Like same error code and not causing other certificate issues.
server-first: Has the same properties as stare. Same certificate issues as well, functionally worse than client-first.
terminate: Just terminates the connection. Not very useful I guess.

@leodexe leodexe changed the title SSL Bumping causes Network to be unreachable SSL Bumping may cause an Unreachable Network and/or certificate issues Apr 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@leodexe