opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

Squid SNI Inspection results in errors in log #66

Closed aneillans closed 5 years ago

aneillans commented 5 years ago

When you enable SNI inspection only on Squid, you encounter a large number of errors in the log such as:

SECURITY ALERT: Host header forgery detected on local=[blah-ip]:443 remote=[my-ip]:52382 FD 12 flags=33 (local IP does not match any domain IP)

This is identifiable as something other vendors of Squid have encountered and had to disable, such as: https://github.com/NethServer/squid/blob/c7/SOURCES/squid-3.5.20-ssl-forgery.patch

Forum Thread: https://forum.opnsense.org/index.php?topic=10013.new;topicseen#new

fichtner commented 5 years ago

Work still needs to be done for squid 4 migration, but I'd like to use this opportunity to look closer into the code as the current solution only skips the check unconditionally, but limitations should apply:

http://www.squid-cache.org/Doc/config/host_verify_strict/

    Regardless of this option setting, when dealing with intercepted
    traffic, Squid always verifies that the destination IP address matches
    the Host header domain or IP (called 'authority form URL').

aneillans commented 5 years ago

Happy to help with understanding its behaviour if required. The issues around this check stem from sites that use multiple IPs bound to a name, so different IPs come back when the client requests vs. when Squid does its check.


fichtner commented 5 years ago

@aneillans thanks, ideally we should see if we can inject the expected IP addresses into the verification check... Maybe we could build a subnet check in this case?!

aneillans commented 5 years ago

Subnets probably wouldn't work, as there is no guarantee that a site has IPs on the name within the same subnet. We would need to request all IPs for a given name to match against, a bit like nslookup does. Make sense? I'll see if I can find some examples.

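The following is an added illustration of the mismatch discussed in this thread, not code from OPNsense or Squid. It parses a "Host header forgery" alert line of the shape quoted above, then models the verification two ways: a single-answer lookup (which, for a name whose resolver rotates through several addresses, can return a different IP than the client got) and a check against every address published for the name, as proposed in the comment. The resolver table, hostnames and IP addresses are constructed stand-ins for real DNS, so the script runs offline.

```python
import re

# Constructed resolver table standing in for DNS. Assumption: a real check would
# query the A/AAAA records of the name; these names and addresses are invented.
FAKE_DNS = {
    "cdn.example.test": {"198.51.100.10", "198.51.100.11", "198.51.100.12"},
    "single.example.test": {"203.0.113.5"},
}

# Matches the alert format Squid logs for an intercepted connection whose
# destination IP did not match the Host header (or SNI) name.
ALERT_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>[^:\s]+):(?P<lport>\d+) "
    r"remote=(?P<remote>[^:\s]+):(?P<rport>\d+)"
)

# Constructed sample log line; the IPs are documentation-range placeholders.
SAMPLE_LOG = (
    "SECURITY ALERT: Host header forgery detected on "
    "local=198.51.100.11:443 remote=10.0.0.7:52382 FD 12 flags=33 "
    "(local IP does not match any domain IP)"
)


def parse_alert(line):
    """Return the local (destination) and remote (client) endpoints of an alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "local": m["local"], "lport": int(m["lport"]),
        "remote": m["remote"], "rport": int(m["rport"]),
    }


def rotating_answer(name, turn):
    """Model a round-robin resolver that hands out one address per query.

    The client and the proxy each make their own query, so they can receive
    different members of the same record set.
    """
    addrs = sorted(FAKE_DNS.get(name, ()))
    if not addrs:
        return None
    return addrs[turn % len(addrs)]


def single_answer_check(dest_ip, name, turn):
    """Strict form: accept only if the proxy's own single answer equals the destination."""
    return rotating_answer(name, turn) == dest_ip


def all_records_check(dest_ip, name):
    """Relaxed form from the thread: accept if the destination is any address
    published for the name. A destination outside the record set is still rejected,
    so a client forging the Host header to reach an unrelated server is still caught."""
    return dest_ip in FAKE_DNS.get(name, set())


def classify_alert(line, name, proxy_turn):
    """Explain an alert: 'false_positive' when the destination is a legitimate
    address of the name that the proxy's single lookup simply did not return,
    'forgery' when the destination belongs to no record of the name."""
    alert = parse_alert(line)
    if alert is None:
        return "not_an_alert"
    dest = alert["local"]
    if all_records_check(dest, name):
        # The strict check disagreed only because of which answer it happened to get.
        return "false_positive" if not single_answer_check(dest, name, proxy_turn) else "ok"
    return "forgery"


if __name__ == "__main__":
    print(parse_alert(SAMPLE_LOG))
    # Client resolved on turn 1 (.11) and connected there; proxy resolved on turn 2 (.12).
    print("strict:", single_answer_check("198.51.100.11", "cdn.example.test", turn=2))
    print("all records:", all_records_check("198.51.100.11", "cdn.example.test"))
    print(classify_alert(SAMPLE_LOG, "cdn.example.test", proxy_turn=2))
```

The classification shows why an unconditional skip is too coarse: the relaxed check clears the multi-IP CDN case while a destination that appears in none of the name's records is still reported, which is the property the verification exists to protect.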

fichtner commented 5 years ago

also in squid(4) now