
In order to use ssl-bump in intercept or tproxy mode, there are a couple of things that should be known and done.

When compiling Squid, add the flags "--enable-ssl --enable-ssl-crtd" to configure.

Create a self-signed root CA certificate and export a DER-format public certificate for clients.

* Note that for mobile devices there might be a need for another certificate format than DER.

Since Squid 3.4 there is an option called bump-server-first which instructs Squid to first retrieve the certificate properties from the origin server.

The above allows much more effective bumping and certificate mimicking.

How to use ssl-bump with squid 3.4?

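   #!/usr/bin/env bash
   #
   # Bootstrap ssl-bump for Squid 3.4 (run as root):
   #   1. generate a self-signed root CA (key + certificate in one PEM file),
   #   2. export a DER copy of the certificate for client installation,
   #   3. initialise the ssl_crtd certificate database,
   #   4. append the https_port/http_port and ssl_bump directives to squid.conf
   #      unless an sslcrtd_program line is already present.
   #
   # The certificate subject is built from the variables just below.
   set -euo pipefail
   set -x

   DOMAIN="ngtech.co.il"
   COUNTRYCODE="IL"
   STATE="Shomron"
   REGION="Center"
   ORGINZATION="NgTech LTD"
   # First field of a fresh UUID, so every install gets a distinct CA CN.
   CERTUUID=$(uuidgen | awk 'BEGIN { FS="-" }; { print $1 }')
   # The original expanded the misspelt $ORGINAZATION here, leaving O= empty.
   SUBJECDETAILS="/C=$COUNTRYCODE/ST=$STATE/L=$REGION/O=$ORGINZATION/CN=px$CERTUUID.$DOMAIN"

   SQUIDCONF=/etc/squid/squid.conf
   SSLCRTD=/usr/lib64/squid/ssl_crtd
   SSLCRTDDB=/var/lib/ssl_db
   CERTDIR=/etc/squid/ssl_cert

   echo "The global variables"
   printf '%s\n' "$SQUIDCONF" "$SSLCRTD" "$SSLCRTDDB"

   echo "creating directories"
   mkdir -p "$CERTDIR" /var/lib

   echo "about to create certificate..."
   cd "$CERTDIR" || exit 1
   if [[ -e myCA.pem ]]; then
     # Re-running must not silently replace a CA that clients already trust.
     echo "myCA.pem already exists, keeping the existing CA"
   else
     # myCA.pem holds the private key as well as the certificate (-keyout and
     # -out name the same file), so create it owner-readable only. Squid reads
     # it while starting up as root; if your Squid runs unprivileged, grant
     # that account read access (TODO confirm for your distribution).
     (
       umask 077
       openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
         -subj "$SUBJECDETAILS" -extensions v3_ca \
         -keyout myCA.pem -out myCA.pem
     )
   fi
   echo "creating der x509 certificate format"
   # The DER file is public (clients install it); the default umask is fine.
   openssl x509 -in myCA.pem -outform DER -out myCA.der
   echo "the next is the certificate for client in x509 format:"
   # Print only the certificate; 'cat myCA.pem' would also dump the private key.
   openssl x509 -in myCA.pem

   echo "initializing ssl_crtd_db"
   if [[ -d "$SSLCRTDDB" ]]; then
     echo "$SSLCRTDDB already exists, not re-initializing"
   else
     "$SSLCRTD" -c -s "$SSLCRTDDB"
   fi

   echo "adding settings into squid.conf"
   # The original tested "$? -eq 1" after grep, so a missing squid.conf (exit 2)
   # was reported as "already configured"; fail loudly instead.
   [[ -f "$SQUIDCONF" ]] || { echo "$SQUIDCONF not found" >&2; exit 1; }
   if grep -q "^sslcrtd_program" "$SQUIDCONF"; then
     echo "There is already sslcrtd settings"
   else
     # Same text the original appended with one multi-line echo.
     printf '%s\n' \
       "https_port 13128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB  cert=$CERTDIR/myCA.pem" \
       "http_port 23128  ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB  cert=$CERTDIR/myCA.pem" \
       "sslcrtd_program $SSLCRTD -s $SSLCRTDDB -M 16MB" \
       "sslcrtd_children 10" \
       "ssl_bump server-first all" \
       "#sslproxy_cert_error allow all" \
       "#sslproxy_flags DONT_VERIFY_PEER" >> "$SQUIDCONF"
   fi

   # The original chown'ed the db to nobody and then to squid.squid; only the
   # final owner matters. It must match cache_effective_user in squid.conf.
   echo "changing ownership for ssl_db"
   chown -R squid:squid "$SSLCRTDDB"
   set +x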

A nice script I wrote for initializing the RedWood proxy's SSL-BUMP feature.

A couple of things can be taken from the next script to enhance the one above, such as the addition of a UUID to the CA certificate.

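   #!/usr/bin/env bash
   #
   # Initialise the RedWood proxy ssl-bump feature (run as root):
   #   1. create a self-signed CA key and certificate under /etc/redwood/ssl-cert
   #      (aborts if that directory already exists, so an existing CA is never
   #      overwritten),
   #   2. add tls-cert / tls-key to redwood.conf unless already present, prepend
   #      the default bypass ACLs to acls.conf (keeping a backup) and restart
   #      redwood,
   #   3. publish the CA certificate as PEM and DER under /var/redwood/static/
   #      for clients to install.
   set -euo pipefail

   DOMAIN="ngtech.co.il"
   COUNTRYCODE="IL"
   STATE="Shomron"
   REGION="Center"
   ORGINZATION="NgTech LTD"
   # First field of a fresh UUID, so every install gets a distinct CA CN.
   CERTUUID=$(uuidgen | awk 'BEGIN { FS="-" }; { print $1 }')
   # The original expanded the misspelt $ORGINAZATION here, leaving O= empty.
   SUBJECDETAILS="/C=$COUNTRYCODE/ST=$STATE/L=$REGION/O=$ORGINZATION/CN=px$CERTUUID.$DOMAIN"

   # Site settings; optional, as the original tolerated a missing file.
   if [[ -r /etc/sysconfig/redwood ]]; then
     # shellcheck source=/dev/null
     source /etc/sysconfig/redwood
   fi

   REDWOOD_CONF=/etc/redwood/redwood.conf
   ACLS_CONF=/etc/redwood/acls.conf
   CERTDIR=/etc/redwood/ssl-cert
   CAKEY=$CERTDIR/myCAkey.pem
   CACERT=$CERTDIR/myCAcert.pem
   STATICDIR=/var/redwood/static

   printf '%s\n' "$SUBJECDETAILS"
   if [[ -d "$CERTDIR" ]]; then
     echo "Abort since /etc/redwood/ssl-cert exists"
     exit 1
   fi
   mkdir -p "$CERTDIR"
   # Create the key owner-readable only; the certificate is public and is
   # opened up below. If redwood runs as an unprivileged account, give that
   # account read access to the key (TODO confirm the service user).
   (
     umask 077
     openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
       -subj "$SUBJECDETAILS" -extensions v3_ca \
       -keyout "$CAKEY" -out "$CACERT"
   )
   chmod 644 "$CACERT"

   # The original tested "$? -eq 1" after egrep, so a missing redwood.conf
   # (exit 2) was reported as "already in place"; fail loudly instead.
   [[ -f "$REDWOOD_CONF" ]] || { echo "$REDWOOD_CONF not found" >&2; exit 1; }
   if grep -Eq '^(tls-cert |tls-key )' "$REDWOOD_CONF"; then
     echo "some sslbump settings are already in-place"
   else
     {
       echo ""
       echo "# ssl-bump tls key and certificate"
       echo "tls-cert $CACERT"
       echo "tls-key $CAKEY"
     } >> "$REDWOOD_CONF"
     # Build the merged ACL file in a private temp file rather than a
     # predictable /tmp name; cp (not mv) keeps acls.conf's existing mode.
     tmp=$(mktemp) || exit 1
     trap 'rm -f -- "$tmp"' EXIT
     cat /etc/redwood/sslbump-defaultbypass-acls.conf "$ACLS_CONF" > "$tmp"
     cp "$ACLS_CONF" "$ACLS_CONF.backup"
     cp "$tmp" "$ACLS_CONF"
     systemctl restart redwood
   fi

   if [[ -e "$CACERT" ]]; then
     cp -v "$CACERT" "$STATICDIR/"
     echo "$CACERT was copied to $STATICDIR/"
     openssl x509 -outform der -in "$CACERT" -out "$STATICDIR/myCAcert.der"
     echo "$CACERT was converted to der and now at => $STATICDIR/myCAcert.der"
   fi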

iptables rule for the intercepting HTTPS proxy

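   # Redirect HTTPS (TCP/443) arriving from the LAN interface to Squid's
   # intercepting https_port. REDIRECT is a nat-table target and PREROUTING
   # only exists in the nat (and mangle/raw) tables, so "-t nat" is required;
   # the original omitted it and iptables rejects the rule. Port 13128 must
   # match the "https_port 13128 intercept ssl-bump ..." line in squid.conf.
   IPTABLES=/sbin/iptables
   LAN_INT="eth1"
   "$IPTABLES" -t nat -I PREROUTING 1 -i "$LAN_INT" -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 13128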

squid.conf example from Squid 3.5.25

# Do not advertise ESI surrogate capability to origin servers.
request_header_access Surrogate-Capability deny all

# Do not add the client address to X-Forwarded-For and send no Via header,
# so origin servers see only the proxy.
forwarded_for transparent
via off
# Prefer IPv4 answers when a name resolves to both families.
dns_v4_first on
visible_hostname filter
# NOTE(review): keeps full query strings in access.log (the default strips
# them); query strings can carry session tokens, so restrict log access.
strip_query_terms off
acl ms_v6test_doms dstdomain ipv6.msftncsi.com
# Custom 503 page for the Microsoft IPv6 connectivity-test domain. No
# http_access rule using ms_v6test_doms is visible in this excerpt; presumably
# it is defined elsewhere in the full config.
deny_info 503:/etc/squid/503.html ms_v6test_doms

# Forward-proxy (CONNECT) bumping port signing generated host certificates
# with the CA created by the scripts above. NOTE(review): this port has no
# "intercept" flag, so the iptables REDIRECT to 13128 shown on this page would
# deliver raw TLS to a plain http_port; intercepted 443 traffic needs an
# "https_port 13128 intercept ssl-bump ..." line as in the first script.
http_port 13128 ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# True only during step 1 (before the client hello has been peeked).
acl DiscoverSNIHost at_step SslBump1
# Case-insensitive server-name regexes read from a file; these are never bumped.
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/server-regex.nobump"

# Rule order matters and the list is re-evaluated at each step: at step 1 only
# DiscoverSNIHost matches, so Squid peeks to learn the SNI; at step 2 the
# bypass list is matched against the real server name and everything else is
# bumped.
ssl_bump splice NoSSLIntercept

ssl_bump peek DiscoverSNIHost
#ssl_bump peek step1
ssl_bump bump all

# Certificate generator helper and its on-disk/in-memory cache.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 10

# NOTE(review): together these make Squid accept any origin certificate
# (expired, wrong name, untrusted issuer) and still hand the client a
# CA-signed one, so bumped clients lose all origin-server authentication.
# The first script on this page appends both of them commented out; in
# production prefer narrow sslproxy_cert_error ACLs and keep peer verification.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# How far ahead of a slow client Squid may read from the server.
read_ahead_gap 64 MB
