Full disclosure here: I am fairly new to Squid. I am trying to upgrade outbound TLS connections using Squid 3.5 on FreeBSD 11 to TLS 1.2. We have an older application that does not support TLS 1.2, but the end server it's communicating with requires it. I am trying to get Squid to 'upgrade' the TLS connections (Client---->Proxy TLS 1.0------->Proxy ----->End server TLS 1.2). I have configured Squid using this thread along with various other sites:

https://stackoverflow.com/questions/34398484/can-i-use-squid-to-upgrade-client-tls-connections

While I can see squid trying to make connections as TLS 1.2 to the destination host when using the proxy normally, the handshake fails with the following:

    (SSLDump Output on Squid server while proxying connections)

    2  1490815989.3016 (0.0527)  S>CV3.3(85)  Handshake
    ServerHello
    Version 3.3 
    random[32]=
      15 21 18 2a 4f 7f 76 2e 49 fd 7e fa ea ac 3b f1 
      0e fe 7e f9 ce d6 46 b1 fb 14 e3 4a 5c 3d 82 b4 
    session_id[32]=
      41 7f 92 6a 90 7f f0 1a 2f c6 b6 17 f4 a2 ab a4 
      cf 1a e8 65 51 bc 11 0d 3e b9 9d 4e cd bc 49 29 
    cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA256
    compressionMethod                   NULL
    4 3  1490815989.3017 (0.0001)  S>CV3.3(3031)  Handshake
    Certificate
    4 4  1490815989.3017 (0.0000)  S>CV3.3(4)  Handshake
    ServerHelloDone
    4 5  1490815989.3028 (0.0010)  C>SV3.3(262)  Handshake
    ClientKeyExchange
    4 6  1490815989.3028 (0.0000)  C>SV3.3(1)  ChangeCipherSpec
    4 7  1490815989.3028 (0.0000)  C>SV3.3(80)  Handshake
    4 8  1490815989.3581 (0.0552)  S>CV3.3(1)  ChangeCipherSpec
    4 9  1490815989.3581 (0.0000)  S>CV3.3(80)  Handshake
    4 10 1490815989.3619 (0.0037)  C>SV3.3(64)  Alert
    4    1490815989.3620 (0.0001)  C>S  TCP FIN
    4 11 1490815989.4140 (0.0520)  S>CV3.3(64)  Alert
    4    1490815989.4140 (0.0000)  S>C  TCP FIN

The above shows the second half of the proxied connection (Squid server to remote host) while connecting from our application to the destination host through the proxy. I think the Alert fields are what's causing the issue, but since they are encrypted I am not sure what the alerts are. The end result is that our application fails with an error saying it cannot connect to the remote host. I see the Squid server trying to connect out, but the SSL handshake looks as though it is failing somehow. When I connect directly from the Squid Proxy server itself using the OpenSSL client it completes properly:

    (From Squid server itself)

    openssl s_client -connect host.domain.com:443

    (SSLDump Output during OpenSSL Client Handshake)

    1 2  1490817039.1215 (0.0541)  S>CV3.3(81)  Handshake
    ServerHello
    Version 3.3 
    random[32]=
      28 44 f5 a1 69 9b 6f 04 c6 51 6c c0 82 05 e0 a8 
      5c b1 8d e0 e0 15 7b b8 29 dc 91 af ad eb 9b 03 
    session_id[32]=
      41 7f 92 6a 90 7e a0 a2 2f c6 b6 17 f4 a2 a8 a4 
      55 c8 27 dc c8 8a 35 9e 3e b9 9d 4e cd bc 4d 13 
    cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA256
    compressionMethod                   NULL
    1 3  1490817039.1216 (0.0000)  S>CV3.3(3031)  Handshake
    Certificate
    1 4  1490817039.1216 (0.0000)  S>CV3.3(4)  Handshake
    ServerHelloDone
    1 5  1490817039.1244 (0.0028)  C>SV3.3(262)  Handshake
    ClientKeyExchange
    1 6  1490817039.1244 (0.0000)  C>SV3.3(1)  ChangeCipherSpec
    1 7  1490817039.1244 (0.0000)  C>SV3.3(80)  Handshake
    1 8  1490817039.1811 (0.0567)  S>CV3.3(1)  ChangeCipherSpec
    1 9  1490817039.1811 (0.0000)  S>CV3.3(80)  Handshake

Current relevant Squid configuration:

    # Squid normally listens to port 3128
    http_port 3128 ssl-bump generate-host-certificates=on version=1 dynamic_cert_mem_cache_size=8MB cert=/usr/local/etc/squid/certs/domain.com.cert key=/usr/local/etc/squid/certs/domain.com.private

    # SSL Bump Config

    always_direct allow all  
    ssl_bump server-first all
    sslproxy_cert_error allow all  
    sslproxy_flags DONT_VERIFY_PEER  
    sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/ssl_db -M 4MB
    sslcrtd_children 8 startup=1 idle=1

I should point out that I don't have issues with connecting through this proxy to other SSL enabled websites. TLS upgrade to 1.2 works fine. Using a client that only supports TLS 1.0 for example, to connect to a site that only supports TLS 1.2 through the proxy results in a successful connection. I have read that perhaps the problem is an SSL certificate trust issue with the client (the squid server in this context), but I don't get the alerts when I connect directly from the Squid proxy itself. What am I missing or is there a better tool I should be using to do what I want? Any help here would be appreciated. Thanks in advance.

Robert Franzke
  • "I think the Alert fields are what's causing the issue, but since they are encrypted I am not sure what the alerts are." To debug that you would need to have the client random and the master key, and then the result may not get you advanced a lot. Based on the fact that they are issued by the client, just after the server sent its ChangeCipherSpec message, I suppose the client did not accept what the server sent as algorithms. Try to dump this message. – Patrick Mevzek Sep 26 '18 at 01:07
  • "perhaps the problem is an SSL certificate trust issue with the client" The server is not sending a `CertificateRequest` message, hence it is not mandating the client to send its certificate, and as for the server certificate, if the client had a problem with it, it should have broken the connection after the server `Certificate` message already, I guess. – Patrick Mevzek Sep 26 '18 at 01:10
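
The comment above makes the key diagnostic point: once either side has sent ChangeCipherSpec, every later record in that direction (the Finished message and the Alert in the trace) is ciphertext, so ssldump can only report the record type and length. The script below is an added example, not part of the original question or of Squid, that walks a TLS record stream the way ssldump does: it labels each record, decodes handshake types and alert level/description while the direction is still plaintext, and flags records after ChangeCipherSpec as unreadable without the session keys. The byte strings are constructed by hand to mirror the client-to-server half of the posted trace (ClientKeyExchange, ChangeCipherSpec, an 80-byte encrypted Finished, a 64-byte encrypted Alert), plus one plaintext alert for contrast.

```python
"""Walk a one-direction TLS record stream and report which alerts are readable.

Added example (not from the question or from Squid). Sample bytes are
constructed to mirror the ssldump trace in the question; they are not a
real capture.
"""
import struct

RECORD_HEADER = struct.Struct("!BHH")  # content type, legacy version, payload length

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   13: "CertificateRequest", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error",
                      70: "protocol_version", 80: "internal_error"}


def record(ctype, payload, version=0x0303):
    """Build one TLS record (header + payload); used only to construct samples."""
    return RECORD_HEADER.pack(ctype, version, len(payload)) + payload


def parse_records(data):
    """Return one dict per record in `data`, which must be a single direction
    (client->server or server->client), because the ChangeCipherSpec that
    switches a direction to ciphertext is per direction."""
    records = []
    encrypted = False
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, version, length = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        payload = data[offset:offset + length]
        if len(payload) != length:
            raise ValueError(f"truncated record payload at offset {offset}")
        offset += length
        rec = {
            "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": TLS_VERSIONS.get(divmod(version, 256), f"0x{version:04x}"),
            "length": length,
            "encrypted": encrypted,
        }
        if not encrypted:
            # Only plaintext payloads can be interpreted.
            if ctype == 22 and length >= 4:
                rec["handshake"] = HANDSHAKE_TYPES.get(payload[0], f"unknown({payload[0]})")
            elif ctype == 21 and length == 2:
                rec["alert"] = (ALERT_LEVELS.get(payload[0], f"level({payload[0]})"),
                                ALERT_DESCRIPTIONS.get(payload[1], f"desc({payload[1]})"))
        if ctype == 20:
            encrypted = True  # everything after ChangeCipherSpec in this direction is protected
        records.append(rec)
    return records


def describe_alerts(records):
    """One human-readable line per Alert record, saying whether it could be decoded."""
    notes = []
    for rec in records:
        if rec["type"] != "Alert":
            continue
        if rec["encrypted"]:
            notes.append(f"encrypted Alert ({rec['length']} bytes): needs session keys to read")
        else:
            level, desc = rec.get("alert", ("?", "?"))
            notes.append(f"plaintext Alert: {level} {desc}")
    return notes


# Constructed sample: client->server half of a handshake shaped like the posted trace.
CLIENT_TO_SERVER = (
    record(22, bytes([16, 0, 0, 4]) + b"\x00\x02\xaa\xbb")  # ClientKeyExchange (fake body)
    + record(20, b"\x01")                                     # ChangeCipherSpec
    + record(22, b"\xde\xad\xbe\xef" * 20)                    # Finished, already encrypted (80 bytes)
    + record(21, b"\x00" * 64)                                # Alert, encrypted (64 bytes)
)
# Constructed sample: a fatal handshake_failure sent before any ChangeCipherSpec.
PLAINTEXT_ALERT = record(21, bytes([2, 40]))

if __name__ == "__main__":
    for rec in parse_records(CLIENT_TO_SERVER):
        print(rec)
    print(describe_alerts(parse_records(CLIENT_TO_SERVER)))
    print(describe_alerts(parse_records(PLAINTEXT_ALERT)))
```

Run against the two constructed streams, the script labels the ClientKeyExchange and ChangeCipherSpec, marks the following Finished and Alert as encrypted with no decoded content, and decodes the standalone alert as "fatal handshake_failure". To apply it to the real proxy, feed it the client-to-server bytes of the Squid-to-origin TCP stream; an alert that only appears after ChangeCipherSpec, as in the question, can only be read by decrypting the session with the keys the comment mentions or by enabling debug logging on the side that raised it.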