On 2014-06-30 20:21, James Lay wrote:
> On Mon, 2014-06-30 at 22:56 +1000, Dan Charlesworth wrote:
>> Yeah, pinned SSL ‘aint gonna be bumped. The Twitter apps are another
>> popular one that use pinning.
>>
>> As far as your broken_sites ACL goes, you can’t use `dstdomain`
>> because the only thing Squid can see of the destination before bumping
>> an intercepted connection is the IP address. So for `ssl_bump none`
>> you’ll need to be use `dst` ACLs instead.
>>
>> ProTip: Here are the Apple and Akamai public IP blocks (to use in a
>> dst equivalent of your broken_sites), respectively: 17.0.0.0/8,
>> 23.0.0.0/12.
>>
>> Good luck
>>
>> On 30 Jun 2014, at 10:38 pm, James Lay <jlay_at_slave-tothe-box.net>
>> wrote:
>>
>> > Topic pretty much says it...most sites work fine using my below
>> set up,
>> > but some (Apple's app store) do not. I'm wondering if cert
>> pinning is
>> > the issue? Since this set up is basically two separate sessions,
>> I
>> > packet captured both. The side the I have control over gives me a
>> TLS
>> > Record Layer Alert Close Notify. I am unable to decrypt the other
>> side
>> > as the device in question is an iDevice and I can't capture the
>> master
>> > secret.
>> >
>> > I've even tried to ACL certain sites to not bump, but they don't
>> go
>> > through. Below is my complete setup. This is running the below:
>> >
>> > Squid Cache: Version 3.4.6
>> > configure options: '--prefix=/opt' '--enable-icap-client'
>> > '--enable-ssl' '--enable-linux-netfilter'
>> > '--enable-follow-x-forwarded-for' '--with-large-files'
>> > '--sysconfdir=/opt/etc/squid'
>> >
>> >
>> > Any assistance with troubleshooting would be wonderful...thank
>> you.
>> >
>> > James
>> >
>> >
>> >
>> > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp
>> --dport
>> > 80 -j REDIRECT --to-port 3128
>> > $IPTABLES -t nat -A PREROUTING -i eth0 -s 192.168.1.96/28 -p tcp
>> --dport
>> > 443 -j REDIRECT --to-port 3129
>> >
>> >
>> > acl localnet src 192.168.1.0/24
>> >
>> > acl SSL_ports port 443
>> > acl Safe_ports port 80 # http
>> > acl Safe_ports port 21 # ftp
>> > acl Safe_ports port 443 # https
>> > acl Safe_ports port 70 # gopher
>> > acl Safe_ports port 210 # wais
>> > acl Safe_ports port 1025-65535 # unregistered ports
>> > acl Safe_ports port 280 # http-mgmt
>> > acl Safe_ports port 488 # gss-http
>> > acl Safe_ports port 591 # filemaker
>> > acl Safe_ports port 777 # multiling http
>> >
>> > acl CONNECT method CONNECT
>> > acl broken_sites dstdomain textnow.me
>> > acl broken_sites dstdomain akamaiedge.net
>> > acl broken_sites dstdomain akamaihd.net
>> > acl broken_sites dstdomain apple.com
>> > acl allowed_sites url_regex "/opt/etc/squid/url.txt"
>> > acl all_others dst all
>> > acl SSL method CONNECT
>> >
>> >
>> > http_access deny !Safe_ports
>> > http_access deny CONNECT !SSL_ports
>> >
>> > http_access allow manager localhost
>> > http_access deny manager
>> >
>> > http_access allow allowed_sites
>> > http_access deny all_others
>> > http_access allow localnet
>> > http_access allow localhost
>> >
>> > http_access deny all
>> > icp_access deny all
>> >
>> > sslproxy_cert_error allow broken_sites
>> > sslproxy_cert_error deny all
>> >
>> > sslproxy_options ALL
>> > ssl_bump none broken_sites
>> > ssl_bump server-first all
>> >
>> > http_port 192.168.1.253:3128 intercept
>> > https_port 192.168.1.253:3129 intercept ssl-bump
>> > generate-host-certificates=on cert=/opt/sslsplit/sslsplit.crt
>> > key=/opt/sslsplit/sslsplitca.key options=ALL
>> sslflags=NO_SESSION_REUSE
>> >
>> > always_direct allow all
>> >
>> >
>> > hierarchy_stoplist cgi-bin ?
>> >
>> > access_log syslog:daemon.info common
>> >
>> > refresh_pattern ^ftp: 1440 20% 10080
>> > refresh_pattern ^gopher: 1440 0% 1440
>> > refresh_pattern -i (cgi-bin|\?) 0 0% 0
>> > refresh_pattern . 0 20% 4320
>> >
>> > icp_port 3130
>> >
>> > coredump_dir /opt/var
>> >
>> >
>
> So adding:
>
> acl broken_sites dst 23.0.0.0/12
>
> now gives me the below:
>
> Jun 30 20:16:51 gateway (squid-1): 192.168.1.100 - -
> [30/Jun/2014:20:16:51 -0600] "CONNECT 23.204.162.217:443 HTTP/1.1"
> 403
> 3385 TCP_DENIED:HIER_NONE
> Jun 30 20:16:51 gateway (squid-1): 192.168.1.100 - -
> [30/Jun/2014:20:16:51 -0600] "NONE error:invalid-request HTTP/0.0"
> 400
> 3981 TAG_NONE:HIER_NONE
>
> So something is off. Any help on these beastie? Thank you.
>
> James
Bah..had to add:
http_access allow broken_sites
Go me! Thank you.
James
Received on Tue Jul 01 2014 - 13:51:44 MDT
This archive was generated by hypermail 2.2.0 : Tue Jul 01 2014 - 12:00:06 MDT