Squid
CityCat4, 2017-08-07 06:44:57

How to see the full URL on HTTPS via ssl_bump?

I was busy here setting up ssl_bump on the office proxy. I read a lot of documentation on the internet. I even got something set up, but I still don't understand it.
Two questions:
First and foremost - will ssl_bump allow me to see the URL as it is seen over HTTP?
Second - why doesn't bump actually work? :)
The config is like this:

http_port 10.87.1.39:8080 ssl-bump cert=/etc/pki/tls/certs/logsrv_subca.crt key=/etc/pki/tls/private/logsrv_subca.key cipher=kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cafile=/etc/pki/tls/certs/ca-bundle.trust.crt dhparams=/etc/pki/tls/private/dhparams.pem tls-dh=prime256v1:/etc/pki/tls/private/dhparams.pem
sslproxy_client_certificate /etc/pki/tls/certs/logsrv_client.crt
sslproxy_client_key /etc/pki/tls/private/logsrv_client.key
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.trust.crt
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
#ssl_bump splice all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB


It is quite possibly wrong, because nothing works in this form: when you open plain Google, everything hangs. It starts working only when you put splice all instead of bump all.

UPD: Put the browsers to the test. Testing was done by visiting vk.com through the bumping proxy.
FF - Doesn't even notice. Calmly draws a "green lock". You can view the certificate.
Chrome - Insecure connection icon. The certificate cannot be viewed.
Opera - Insecure connection icon. You can view the certificate.
YaB - Full-screen warning! The only browser that noticed it was being fooled and that the certificate for vk.com was issued by some kind of logsrv :D If the warning is ignored, it reports that this is not a particularly secure connection, since a SHA-1 signed certificate is used.

1 answer
CityCat4, 2017-08-09

Well, as usual, I answer myself :)
1. ssl_bump does allow you to see the URL as it would be over HTTP, so there is something to fight for.
2. Why the config above did not work, I still haven't figured out, but here is the working config:

http_port 10.87.1.39:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/pki/tls/certs/logsrv_subca.crt key=/etc/pki/tls/private/logsrv_subca.key cafile=/etc/pki/tls/rootca/dc3-CA.crt cipher=kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dhparams=/etc/pki/tls/private/dhparams.pem tls-dh=prime256v1:/etc/pki/tls/private/dhparams.pem
sslproxy_client_certificate /etc/pki/tls/certs/logsrv_client.crt
sslproxy_client_key /etc/pki/tls/private/logsrv_client.key
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2
sslproxy_cafile /etc/pki/tls/rootca/dc3-CA.crt
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1

The certificate logsrv_subca.crt is actually a sub-CA, i.e.
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign

dc3-CA.crt is the root CA certificate under which logsrv_subca.crt was issued. It must be added to the trusted root certificates, and then there will be no certificate mismatch warnings. Well, at least I've checked it in FF (54.0.1).
Another very important note: the parameters in the http_port line are for the side facing the client; the sslproxy_* parameters are for the side facing the server.
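As an added example (not code from the original post or from the Squid project), here is a small standard-library linter for the ssl_bump-related lines of a squid.conf. It parses the http_port option list, the sslproxy_* directives and the ssl_bump rule sequence, and reports what a reviewer would flag. The two configs embedded below are copied from this thread; the checks themselves are this example's own assumptions about a sane interception setup, except for the one fact the thread does support: the working config differs from the failing one by adding generate-host-certificates=on and dynamic_cert_mem_cache_size=4MB to the http_port line.

```python
# Added example for this thread, not the poster's or Squid's own code.
# The two configs are copied verbatim from the thread; the checks are
# assumptions of this example, not documented Squid requirements.

FAILING_CONF = """\
http_port 10.87.1.39:8080 ssl-bump cert=/etc/pki/tls/certs/logsrv_subca.crt key=/etc/pki/tls/private/logsrv_subca.key cipher=kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE cafile=/etc/pki/tls/certs/ca-bundle.trust.crt dhparams=/etc/pki/tls/private/dhparams.pem tls-dh=prime256v1:/etc/pki/tls/private/dhparams.pem
sslproxy_client_certificate /etc/pki/tls/certs/logsrv_client.crt
sslproxy_client_key /etc/pki/tls/private/logsrv_client.key
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.trust.crt
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
#ssl_bump splice all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
"""

WORKING_CONF = """\
http_port 10.87.1.39:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/pki/tls/certs/logsrv_subca.crt key=/etc/pki/tls/private/logsrv_subca.key cafile=/etc/pki/tls/rootca/dc3-CA.crt cipher=kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE dhparams=/etc/pki/tls/private/dhparams.pem tls-dh=prime256v1:/etc/pki/tls/private/dhparams.pem
sslproxy_client_certificate /etc/pki/tls/certs/logsrv_client.crt
sslproxy_client_key /etc/pki/tls/private/logsrv_client.key
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher kEECDH+AES:kEDH+AES:kRSA+AES:!aNULL:!DSS:!SSLv2
sslproxy_cafile /etc/pki/tls/rootca/dc3-CA.crt
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 32 startup=5 idle=1
"""


def parse_squid_conf(text):
    """Map each directive name to a list of token lists, one per line.
    Lines starting with '#' (the commented-out 'splice all') are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf


def http_port_options(tokens):
    """Split 'ADDR flag key=value ...' (everything after 'http_port') into
    (addr, options); bare flags such as ssl-bump get the value True."""
    addr, opts = tokens[0], {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        opts[key] = value if sep else True
    return addr, opts


def trust_stores(text):
    """Return (client_side_cafile, server_side_cafile). Per the thread, the
    http_port options serve the client-facing side, sslproxy_* the server side."""
    conf = parse_squid_conf(text)
    client = None
    for tokens in conf.get("http_port", []):
        _, opts = http_port_options(tokens)
        if "ssl-bump" in opts:
            client = opts.get("cafile")
    server_lines = conf.get("sslproxy_cafile", [])
    return client, (server_lines[-1][0] if server_lines else None)


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_squid_conf(text)
    findings = []
    bump_ports = []
    for tokens in conf.get("http_port", []):
        addr, opts = http_port_options(tokens)
        if "ssl-bump" in opts:
            bump_ports.append((addr, opts))
    if not bump_ports:
        findings.append("no http_port carries the ssl-bump flag")
    for addr, opts in bump_ports:
        for key in ("cert", "key"):  # the signing sub-CA and its private key
            if key not in opts:
                findings.append(f"{addr}: ssl-bump port has no {key}=")
        if opts.get("generate-host-certificates") != "on":
            findings.append(f"{addr}: generate-host-certificates=on missing "
                            "(the option the thread's working config added)")
    if bump_ports and "sslcrtd_program" not in conf:
        findings.append("ssl-bump port configured but no sslcrtd_program helper")
    # Rule order: the working config peeks at SslBump1 (reads the client hello,
    # including SNI) before its bump rule applies; flag a bump with no such step.
    seen_peek = False
    for rule in conf.get("ssl_bump", []):
        if rule[0] in ("peek", "stare"):
            seen_peek = True
        elif rule[0] == "bump" and not seen_peek:
            findings.append(f"ssl_bump {' '.join(rule)}: no earlier peek/stare step")
            break
    return findings


if __name__ == "__main__":
    for name, text in (("failing", FAILING_CONF), ("working", WORKING_CONF)):
        print(name, lint(text) or ["ok"], trust_stores(text))
```

Run it as a script and it prints the findings for both configs: the failing one is flagged only for the missing generate-host-certificates=on, the working one passes clean, and trust_stores shows that the working config points both the client-facing and the server-facing cafile at the private dc3-CA.crt, which is the kind of thing worth a second look since the server-facing side is what validates real Internet sites.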
