
In order to use sslbump in intercept or tproxy mode there are a couple of things that should be known and done.

When compiling squid, add the flags "--enable-ssl --enable-ssl-crtd" to configure.

Create a self-signed root CA certificate and create a DER-format public certificate for clients.

* note that for mobile devices there might be a need for another certificate format than DER.

Since squid 3.4 there is an option called bump-server-first which instructs squid to first try to identify the certificate properties against the origin server.

The above allows much more effective bumping and certificate mimicking.

How to use ssl-bump with squid 3.4?

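   #!/usr/bin/env bash
   # Prepare Squid 3.4 for ssl-bump:
   #   * create a self-signed CA (key + certificate in one PEM bundle, as
   #     squid's cert= option expects) plus a DER copy for clients,
   #   * initialise the ssl_crtd certificate database,
   #   * append the ssl-bump settings to squid.conf (only once).
   # Must run as root.
   set -euo pipefail
   set -x

   SQUIDCONF=/etc/squid/squid.conf
   SSLCRTD=/usr/lib64/squid/ssl_crtd
   SSLCRTDDB=/var/lib/ssl_db
   CERTDIR=/etc/squid/ssl_cert
   CAPEM=$CERTDIR/myCA.pem   # private key AND certificate live in this file
   CADER=$CERTDIR/myCA.der   # certificate only, for client import
   readonly SQUIDCONF SSLCRTD SSLCRTDDB CERTDIR CAPEM CADER

   die() { printf '%s\n' "$*" >&2; exit 1; }

   (( EUID == 0 )) || die "this script must run as root"
   [[ -x "$SSLCRTD" ]] || die "ssl_crtd helper not found at $SSLCRTD (squid built with --enable-ssl-crtd?)"
   # Checked up front: a missing squid.conf made the old `grep; $? -eq 1` test
   # report "already configured" (grep exits 2 on a missing file).
   [[ -f "$SQUIDCONF" ]] || die "missing $SQUIDCONF"

   echo "The global variables"
   printf '%s\n' "$SQUIDCONF" "$SSLCRTD" "$SSLCRTDDB"

   echo "creating directories"
   mkdir -p -- "$CERTDIR" "${SSLCRTDDB%/*}"

   echo "about to create certificate..."
   if [[ -e "$CAPEM" ]]; then
     echo "$CAPEM already exists, keeping the current CA"
   else
     # 1024-bit RSA is below current minimums (and rejected by modern OpenSSL
     # security levels), so use 2048/sha256 like the RedWood script below.
     # The bundle contains the CA private key: create it with mode 0600.
     (umask 077 && openssl req -new -newkey rsa:2048 -sha256 -days 365 \
       -subj "/C=IL/ST=Shomron/L=Karney Shomron/O=NgTech LTD/CN=ytgv.ngtech.co.il" \
       -nodes -x509 -keyout "$CAPEM" -out "$CAPEM")
   fi
   echo "creating der x509 certificate format"
   openssl x509 -in "$CAPEM" -outform DER -out "$CADER"
   echo "the next is the certificate for client in x509 format:"
   # Print only the CERTIFICATE block; `cat "$CAPEM"` would also dump the
   # private key to the terminal (and into any log capturing this run).
   openssl x509 -in "$CAPEM"

   echo "initializing ssl_crtd_db"
   if [[ -d "$SSLCRTDDB" ]]; then
     echo "$SSLCRTDDB already exists, skipping database creation"
   else
     "$SSLCRTD" -c -s "$SSLCRTDDB"
   fi

   echo "changing ownership for ssl_db"
   # ssl_crtd runs as squid's effective user and must write here.
   # NOTE(review): assumes cache_effective_user is nobody on this build — confirm.
   chown -R nobody -- "$SSLCRTDDB"

   echo "adding settings into squid.conf"
   if grep -q '^sslcrtd_program' -- "$SQUIDCONF"; then
     echo "There is already sslcrtd settings"
   else
     # sslproxy_cert_error/sslproxy_flags stay commented out: enabling them
     # disables origin certificate verification for every bumped connection.
     printf '%s\n' \
       "https_port 13128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB  cert=$CAPEM" \
       "http_port 23128  ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB  cert=$CAPEM" \
       "sslcrtd_program $SSLCRTD -s $SSLCRTDDB -M 16MB" \
       "sslcrtd_children 10" \
       "ssl_bump server-first all" \
       "#sslproxy_cert_error allow all" \
       "#sslproxy_flags DONT_VERIFY_PEER" >> "$SQUIDCONF"
   fi

   set +x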

A nice script I wrote for initializing the RedWood proxy SSL-BUMP feature.

A couple of things can be taken from the next script to enhance the one above, such as the addition of a UUID to the CA certificate.

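   #!/usr/bin/env bash
   # Initialise the RedWood proxy ssl-bump feature:
   #   * generate a self-signed CA whose CN carries a random UUID prefix
   #     (px-<uuid>.<domain>) so every installation gets a distinct CA,
   #   * point redwood.conf at the key/certificate (only once),
   #   * prepend the default bypass ACLs to acls.conf and restart redwood,
   #   * publish the CA certificate (PEM and DER) under /var/redwood/static/.
   # Must run as root.
   set -euo pipefail

   DOMAIN="ngtech.co.il"
   COUNTRYCODE="IL"
   STATE="Shomron"
   REGION="Center"
   ORGINZATION="NgTech LTD"
   CERTDIR=/etc/redwood/ssl-cert
   CAKEY=$CERTDIR/myCAkey.pem
   CACERT=$CERTDIR/myCAcert.pem
   REDWOODCONF=/etc/redwood/redwood.conf
   ACLCONF=/etc/redwood/acls.conf
   BYPASSACLS=/etc/redwood/sslbump-defaultbypass-acls.conf
   STATICDIR=/var/redwood/static

   die() { printf '%s\n' "$*" >&2; exit 1; }

   #######################################
   # Build the OpenSSL -subj string for the CA certificate.
   # Arguments: $1 country, $2 state, $3 locality, $4 organisation,
   #            $5 uuid prefix, $6 domain
   # Outputs:   /C=…/ST=…/L=…/O=…/CN=px-<uuid>.<domain> on stdout
   #######################################
   build_subject() {
     printf '/C=%s/ST=%s/L=%s/O=%s/CN=px-%s.%s' "$1" "$2" "$3" "$4" "$5" "$6"
   }

   main() {
     local certuuid subjectdetails tmpacls

     (( EUID == 0 )) || die "this script must run as root"

     # First dash-separated field of a fresh UUID; used in the CN.
     certuuid=$(uuidgen | awk -F- '{ print $1 }')
     [[ -n "$certuuid" ]] || die "uuidgen produced no output"
     # Bug fix: the original expanded the misspelt "$ORGINAZATION", so the
     # O= field of the CA subject was always empty.
     subjectdetails=$(build_subject "$COUNTRYCODE" "$STATE" "$REGION" "$ORGINZATION" "$certuuid" "$DOMAIN")

     # NOTE(review): sourced after the subject is built, as in the original,
     # so nothing it defines can influence the CA subject — confirm intended.
     if [[ -r /etc/sysconfig/redwood ]]; then
       # shellcheck disable=SC1091
       source /etc/sysconfig/redwood
     fi
     printf '%s\n' "$subjectdetails"

     if [[ -d "$CERTDIR" ]]; then
       echo "Abort since $CERTDIR exists"
       exit 1
     fi
     mkdir -p -- "$CERTDIR"
     # Create key and cert under a restrictive umask so the private key is
     # never group/world readable, then open up only the certificate.
     (umask 077 && openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
       -subj "$subjectdetails" -extensions v3_ca -keyout "$CAKEY" -out "$CACERT")
     chmod 644 -- "$CACERT"

     # A missing redwood.conf made the old `$? -eq 1` test claim the settings
     # were already present (grep exits 2 on a missing file).
     [[ -f "$REDWOODCONF" ]] || die "missing $REDWOODCONF"
     if grep -Eq '^(tls-cert |tls-key )' -- "$REDWOODCONF"; then
       echo "some sslbump settings are already in-place"
     else
       printf '\n%s\n%s\n%s\n' \
         "# ssl-bump tls key and certificate" \
         "tls-cert $CACERT" \
         "tls-key $CAKEY" >> "$REDWOODCONF"
       # Merge the ACLs through a private temp file instead of the
       # predictable /tmp/<uuid>-acls.conf used before.
       tmpacls=$(mktemp) || die "mktemp failed"
       trap 'rm -f -- "$tmpacls"' EXIT
       cat -- "$BYPASSACLS" "$ACLCONF" > "$tmpacls"
       cp -- "$ACLCONF" "$ACLCONF.backup"
       cp -- "$tmpacls" "$ACLCONF"
       systemctl restart redwood
     fi

     if [[ -e "$CACERT" ]]; then
       cp -v -- "$CACERT" "$STATICDIR/"
       echo "$CACERT was copied to $STATICDIR/"
       openssl x509 -outform der -in "$CACERT" -out "$STATICDIR/myCAcert.der"
       echo "$CACERT was converted to der and now at => $STATICDIR/myCAcert.der"
     fi
   }

   main "$@"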

iptables rules for an intercepting HTTPS proxy

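   # Redirect LAN-side HTTPS (tcp/443) into squid's intercepting https_port
   # 13128 configured by the script above.
   # REDIRECT is only valid in the nat table, and the filter table has no
   # PREROUTING chain, so the rule must be inserted with -t nat; without it
   # iptables rejects the command.
   IPTABLES=/sbin/iptables
   LAN_INT="eth1"
   "$IPTABLES" -t nat -I PREROUTING 1 -i "$LAN_INT" -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 13128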

squid.conf example from 3.5.25

# Example squid.conf (3.5.25) for ssl-bump. ssl_bump rules are evaluated in
# order, first match wins, so keep the splice/peek/bump lines in this sequence.
request_header_access Surrogate-Capability deny all

forwarded_for transparent
via off
dns_v4_first on
visible_hostname filter
strip_query_terms off
acl ms_v6test_doms dstdomain ipv6.msftncsi.com
deny_info 503:/etc/squid/503.html ms_v6test_doms

# Listening port with ssl-bump; cert= is the key+certificate bundle written
# by the script above.
# NOTE(review): no intercept flag here, while the iptables rule above
# REDIRECTs to 13128 — confirm which deployment (forward vs. intercept) this
# example is meant for.
http_port 13128 ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl DiscoverSNIHost at_step SslBump1
# Server names listed in the regex file are spliced, i.e. passed through
# without bumping.
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/server-regex.nobump"

# NOTE(review): evaluated at step 1, where server_name comes from the CONNECT
# request / destination, not yet from SNI — verify the bypass list behaves as
# intended for intercepted connections.
ssl_bump splice NoSSLIntercept

# Peek at step 1 to learn the SNI, then bump everything that was not spliced.
ssl_bump peek DiscoverSNIHost
#ssl_bump peek step1
ssl_bump bump all

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 10

# WARNING: the next two lines accept any origin certificate (expired,
# self-signed, name mismatch) and skip peer verification. Because the proxy
# then re-signs with the CA the clients trust, users lose the ability to
# detect a forged origin certificate. The 3.4 script above deliberately leaves
# them commented out; enable only if that risk is accepted.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

read_ahead_gap 64 MB
