Hello, I ran into a bug when trying an sslbump configuration on FreeBSD 10. It seems that Host header forgery detection leads to a fatal segment violation. When accessing https://www.google.fr/search?q=test&biw=1920&bih=953&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjI1vayuLjLAhUBVhoKHeJIB0gQ_AUIBygC several times, a forged header is detected and the child dies. After several times all squid processes have died.

Here's /var/log/squid/cache.log:

2016/03/11 11:35:34.503 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.19.142:443 remote=10.0.0.2:51113 FD 11 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#1: swapcontext + 0x15a, ip = 0x803dcb47a, sp = 0x7fffffffcdb0
#2: _sigaction + 0x342, ip = 0x803dcb062, sp = 0x7fffffffd170
#3: [unknown] + 0x0, ip = 0x7ffffffff003, sp = 0x7fffffffd1f0
#4: strlen + 0xb, ip = 0x804121f8b, sp = 0x7fffffffd7a0
#5: _ZNSt3__1lsINS_11char_traitsIcEEEERNS_13basic_ostreamIcT_EES6_PKc + 0x7b, ip = 0x56308b, sp = 0x7fffffffd7b0
#6: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x58f, ip = 0x60ad0f, sp = 0x7fffffffd960
#7: _ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails + 0x8eb, ip = 0x60a6cb, sp = 0x7fffffffdb30
#8: _ZL25hostHeaderIpVerifyWrapperPK14_ipcache_addrsRK16DnsLookupDetailsPv + 0x2d, ip = 0x60c7cd, sp = 0x7fffffffdd80
#9: _ZL15ipcacheCallbackP13ipcache_entryi + 0x121, ip = 0x6e5141, sp = 0x7fffffffddb0
#10: _ZL18ipcacheHandleReplyPvPK11_rfc1035_rriPKc + 0xad, ip = 0x6e52dd, sp = 0x7fffffffde50
#11: _ZL12idnsCallbackP11_idns_queryPKc + 0x785, ip = 0x643365, sp = 0x7fffffffde90
#12: _ZL13idnsGrokReplyPKcmi + 0x1366, ip = 0x6461a6, sp = 0x7fffffffdfa0
#13: _ZL8idnsReadiPv + 0xd9a, ip = 0x63e02a, sp = 0x7fffffffe1f0
#14: _ZN4Comm8DoSelectEi + 0x225, ip = 0x966235, sp = 0x7fffffffe560
#15: _ZN16CommSelectEngine11checkEventsEi + 0x44, ip = 0x871fb4, sp = 0x7fffffffe5f0
#16: _ZN9EventLoop11checkEngineEP11AsyncEngineb + 0x5a, ip = 0x65205a, sp = 0x7fffffffe630
#17: _ZN9EventLoop7runOnceEv + 0x29f, ip = 0x65266f, sp = 0x7fffffffe690
#18: _ZN9EventLoop3runEv + 0x5f, ip = 0x65239f, sp = 0x7fffffffe7c0
#19: _Z9SquidMainiPPc + 0xe68, ip = 0x6eb1a8, sp = 0x7fffffffe7e0
#20: _ZL13SquidMainSafeiPPc + 0x1a, ip = 0x6e9eea, sp = 0x7fffffffea80
#21: main + 0x22, ip = 0x6e9ec2, sp = 0x7fffffffebc0
#22: _start + 0x16f, ip = 0x5586cf, sp = 0x7fffffffebe0
#23: [unknown] + 0x0, ip = 0x800e34000, sp = 0x7fffffffec20
Use addr2line of similar to translate offsets to line information.
CPU Usage: 0.151 seconds = 0.100 user + 0.050 sys
Maximum Resident Size: 101264 KB
Page faults with physical i/o: 0

--------------------------------------------------------------------------------
# uname -a
FreeBSD VNF-SSLBump 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

-------------------------------------------------------------------------------
# pkg info squid
squid-3.5.15
Name           : squid
Version        : 3.5.15
Installed on   : Fri Mar 11 10:32:56 2016 CET
Origin         : www/squid
Architecture   : freebsd:10:x86:64
Prefix         : /usr/local
Categories     : ipv6 www
Licenses       : GPLv2
Maintainer     : timp87@gmail.com
WWW            : http://www.squid-cache.org/
Comment        : HTTP Caching Proxy
Options        :
	ARP_ACL        : off
	AUTH_LDAP      : on
	AUTH_NIS       : on
	AUTH_SASL      : off
	AUTH_SMB       : off
	AUTH_SQL       : off
	CACHE_DIGESTS  : off
	DEBUG          : on
	DELAY_POOLS    : off
	DOCS           : on
	ECAP           : on
	ESI            : off
	EXAMPLES       : on
	FOLLOW_XFF     : off
	FS_AUFS        : on
	FS_DISKD       : on
	FS_ROCK        : off
	GSSAPI_BASE    : on
	GSSAPI_HEIMDAL : off
	GSSAPI_MIT     : off
	GSSAPI_NONE    : off
	HTCP           : on
	ICAP           : on
	ICMP           : off
	IDENT          : on
	IPV6           : on
	KQUEUE         : on
	LARGEFILE      : off
	LAX_HTTP       : off
	NETTLE         : off
	SNMP           : on
	SSL            : on
	SSL_CRTD       : on
	STACKTRACES    : on
	TP_IPF         : off
	TP_IPFW        : off
	TP_PF          : on
	VIA_DB         : off
	WCCP           : on
	WCCPV2         : off
Shared Libs required:
	liblber-2.4.so.2
	libecap.so.3
	libunwind.so.8
	libldap-2.4.so.2
Annotations    :
	cpe            : cpe:2.3:a:squid-cache:squid:3.5.15:::::freebsd10:x64
Flat size      : 40.2MiB
Description    :
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite)
HTTP/1.1 compliant. Squid offers a rich access control, authorization and
logging environment to develop web proxy and content serving applications.

WWW: http://www.squid-cache.org/

------------------------------------------------------------------------------
# cat /usr/local/etc/squid/squid.conf
#
# Recommended minimum configuration:
#
visible_hostname VNF-SSLBump

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
#https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squid.pem
https_port 3130 intercept ssl-bump cert=/usr/local/etc/squid/ssl/squid.pem

always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl banned ssl::server_name .fnac.com
acl banned ssl::server_name .fnac.fr

ssl_bump peek step1 all
ssl_bump terminate banned
ssl_bump splice all
#ssl_bump bump all

sslproxy_cafile /usr/local/etc/squid/cabundle.crt

url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
url_rewrite_children 10 startup=4 idle=2 concurrency=0

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

-------------------------------------------------------------------------------

Thanks for your help
Best Regards
Christophe
(In reply to Christophe Anselme-Moizan from comment #0) I'm sorry, but I think squid's bugzilla (http://bugs.squid-cache.org/index.cgi) is a better place to report this issue.
(In reply to Christophe Anselme-Moizan from comment #0) You could try the patch from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207762 at least.
I posted on squid's bugzilla too after your comment. I will try the patch today.
(In reply to timp87 from comment #2) Thank you for your help. The patch didn't resolve my problem. I'm still facing the same issue. I'm waiting for squid's bugzilla feedback and will let you know.
(In reply to Christophe Anselme-Moizan from comment #4) Could you provide the link to squid's bugzilla?
(In reply to timp87 from comment #5) http://bugs.squid-cache.org/show_bug.cgi?id=4465
I tried with STABLE rather than RELEASE, same problem.

[root@FBSD10STABLE ~]# uname -a
FreeBSD FBSD10STABLE 10.3-BETA2 FreeBSD 10.3-BETA2 #0 r295624: Mon Feb 15 15:49:00 CET 2016     root@aa:/usr/obj/usr/src/sys/FBSD10PF  amd64

2016/03/17 10:17:23.173 kid1| SECURITY ALERT: Host header forgery detected on local=80.252.91.41:443 remote=10.0.0.2:58678 FD 55 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#1: _pthread_sigmask + 0x51a, ip = 0x803b20b4a, sp = 0x7fffffffda70
#2: _pthread_getspecific + 0xe1c, ip = 0x803b2022c, sp = 0x7fffffffde30
#3: [unknown] + 0x0, ip = 0x7ffffffff193, sp = 0x7fffffffdeb0
#4: strlen + 0xb, ip = 0x803e7a3ab, sp = 0x7fffffffe460
#5: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x2fe, ip = 0x571eee, sp = 0x7fffffffe470
#6: _ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails + 0x3f7, ip = 0x571987, sp = 0x7fffffffe4f0
#7: _ZL15ipcacheCallbackP13ipcache_entryi + 0xc3, ip = 0x5fa6d3, sp = 0x7fffffffe5b0
#8: _ZL18ipcacheHandleReplyPvPK11_rfc1035_rriPKc + 0x1079, ip = 0x5fb7a9, sp = 0x7fffffffe620
#9: _ZL12idnsCallbackP11_idns_queryPKc + 0x5b9, ip = 0x590fa9, sp = 0x7fffffffe710
#10: _ZL13idnsGrokReplyPKcmi + 0xe47, ip = 0x5930f7, sp = 0x7fffffffe780
#11: _ZL8idnsReadiPv + 0x57d, ip = 0x58d2dd, sp = 0x7fffffffe7d0
#12: _ZN4Comm8DoSelectEi + 0x140, ip = 0x797ec0, sp = 0x7fffffffe8b0
#13: _ZN16CommSelectEngine11checkEventsEi + 0x2e, ip = 0x710f4e, sp = 0x7fffffffe900
#14: _ZN9EventLoop11checkEngineEP11AsyncEngineb + 0x2c, ip = 0x59a30c, sp = 0x7fffffffe920
#15: _ZN9EventLoop7runOnceEv + 0xa6, ip = 0x59a5e6, sp = 0x7fffffffe960
#16: _ZN9EventLoop3runEv + 0x48, ip = 0x59a528, sp = 0x7fffffffe9a0
#17: _Z9SquidMainiPPc + 0x26ad, ip = 0x600aad, sp = 0x7fffffffe9c0
#18: main + 0x14, ip = 0x5fe164, sp = 0x7fffffffec70
#19: _start + 0x16f, ip = 0x503d9f, sp = 0x7fffffffecb0
#20: [unknown] + 0x0, ip = 0x800b89000, sp = 0x7fffffffecf0
Use addr2line of similar to translate offsets to line information.
CPU Usage: 33.255 seconds = 31.437 user + 1.818 sys
Maximum Resident Size: 550688 KB
Page faults with physical i/o: 28
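As an added example (not part of this report, and not Squid's own code), a small Python parser that correlates the "SECURITY ALERT: Host header forgery detected" lines from both cache.log excerpts above with the FATAL/backtrace block that follows them, so an operator can count how many kid deaths followed a forgery alert, which client addresses triggered them, and whether the trace carries the strlen-under-hostHeaderVerifyFailed signature seen here. The sample log is constructed from the two excerpts, with the backtrace cut to two frames and a third alert invented.

```python
import re
from collections import Counter

# Constructed sample modelled on the two cache.log excerpts in this report (backtrace cut to two frames, third alert invented).
SAMPLE_LOG = """\
2016/03/11 11:35:34.503 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.19.142:443 remote=10.0.0.2:51113 FD 11 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#4: strlen + 0xb, ip = 0x804121f8b, sp = 0x7fffffffd7a0
#6: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x58f, ip = 0x60ad0f, sp = 0x7fffffffd960
2016/03/17 10:17:23.173 kid1| SECURITY ALERT: Host header forgery detected on local=80.252.91.41:443 remote=10.0.0.2:58678 FD 55 flags=33 (local IP does not match any domain IP)
2016/03/17 10:17:23.200 kid1| SECURITY ALERT: Host header forgery detected on local=80.252.91.41:443 remote=10.0.0.3:40001 FD 56 flags=33 (local IP does not match any domain IP)
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| SECURITY ALERT: Host header forgery "
    r"detected on local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+) "
    r"flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)")
FATAL_RE = re.compile(r"^FATAL: Received Segment Violation")
FRAME_RE = re.compile(r"^#\d+: (?P<sym>\S+) \+ 0x[0-9a-f]+")

def parse_cache_log(text):
    # Each crash records the alert just before it and its (still mangled) frame symbols.
    alerts, crashes, last_alert, crash = [], [], None, None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            last_alert = m.groupdict()
            alerts.append(last_alert)
            crash = None          # a new alert ends any backtrace in progress
            continue
        if FATAL_RE.match(line):
            crash = {"after_alert": last_alert, "frames": []}
            crashes.append(crash)
            continue
        f = FRAME_RE.match(line)
        if f and crash is not None:
            crash["frames"].append(f.group("sym"))
    for c in crashes:
        # Signature in this report: strlen() reached from ClientRequestContext::hostHeaderVerifyFailed.
        c["host_verify_signature"] = ("strlen" in c["frames"] and
            any("hostHeaderVerifyFailed" in s for s in c["frames"]))
    return alerts, crashes

def summarize(text):
    alerts, crashes = parse_cache_log(text)
    return {"alerts": len(alerts), "crashes": len(crashes),
            "crashes_after_alert": sum(1 for c in crashes if c["after_alert"]),
            "signature_crashes": sum(1 for c in crashes if c["host_verify_signature"]),
            "remotes": Counter(a["remote"].rsplit(":", 1)[0] for a in alerts)}
```

Run `summarize(open("/var/log/squid/cache.log").read())` against a real log to see how many worker deaths line up with forgery alerts; a high `crashes_after_alert` with `signature_crashes` to match is the pattern this bug produces.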
The patch referenced in the URL (the take 2 patch) doesn't appear to be reflected in http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.16.patch for the most recent release. Is this still needed to resolve the issue or can we ask upstream to get this in and release a 3.5.17?
(In reply to Jason Unovitch from comment #8) Let's wait for a couple of days. I think they'll officially apply it for 3.5 soon.
Created attachment 169422 [details]
port patch

Add all available patches, including the one which fixes the 'Host header forgery detection with sslbump' problem. Exclude squid-3.5-14026.patch because it looks like it's not appropriate for 3.5.
(In reply to timp87 from comment #10) Sorry, don't commit it, I'm going to provide a better patch
Created attachment 169468 [details]
port patch

1. Add all available official patches up to 14030. One of these patches fixes the 'header forgery detection with sslbump' problem.
2. Also add the 14626 patch from squid4 which addresses the "Add chained certificates and signing certificate to peek-then-bumped connections." problem.
Created attachment 169469 [details]
poudriere log
Ok, now it can be committed.
Created attachment 169481 [details]
port patch up to 14031

Add all available official patches up to 14031. It fixes two annoying and long-standing problems:
- header forgery detection leads to crash;
- add chained certificates and signing certificate to peek-then-bumped connections.
Created attachment 169482 [details]
poudriere log

I suppose this change should go to the quarterly branch too.
testbuilds@work
Sorry, every time I have different problems with maintainer-approval flag =)
testbuilds are fine
A commit references this bug:

Author: pi
Date: Wed Apr 20 13:45:23 UTC 2016
New revision: 413688
URL: https://svnweb.freebsd.org/changeset/ports/413688

Log:
  www/squid: Add all available official patches up to 14031

  It fixes two annoying and long-standing problems:
  - header forgery detection (using sslbump) leads to crash
  - add chained certificates and signing certificate to peek-then-bumped connections.

  PR:		207901
  MFH:		2016Q2
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Reported by:	Christophe Anselme-Moizan <christophe.anselmemoizan@orange.com>

Changes:
  head/www/squid/Makefile
  head/www/squid/distinfo
  head/www/squid/files/patch-src__ip__Intercept.cc
Jason, you know my mfh handicap...
(In reply to Kurt Jaeger from comment #21) Don't waste your time on this, they've just released 3.5.17 with a CVE. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208939 Good help us :)
MFH is obsolete, a new version was released.
A commit references this bug:

Author: pi
Date: Thu Apr 21 07:44:45 UTC 2016
New revision: 413719
URL: https://svnweb.freebsd.org/changeset/ports/413719

Log:
  MFH: r413688 r413697

  www/squid: Add all available official patches up to 14031

  It fixes two annoying and long-standing problems:
  - header forgery detection (using sslbump) leads to crash
  - add chained certificates and signing certificate to peek-then-bumped connections.

  PR:		207901
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Reported by:	Christophe Anselme-Moizan <christophe.anselmemoizan@orange.com>

  www/squid: 3.5.16 -> 3.5.17

  Changes:
  http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_17.html
  http://www.squid-cache.org/Advisories/SQUID-2016_5.txt

  PR:		208939
  Submitted by:	Pavel Timofeev <timp87@gmail.com> (maintainer)
  Security:	CVE-2016-4052, CVE-2016-4053, CVE-2016-4054
  Approved by:	ports-secteam (junovitch)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/www/squid/Makefile
  branches/2016Q2/www/squid/distinfo
  branches/2016Q2/www/squid/files/patch-src__ip__Intercept.cc
Set merge-quarterly+ appropriately. Kurt, thanks for taking this. I have been sidetracked with work quite a bit lately.