Enhancement #3434

Upgrade from default version of Squid for SHA2 certificates

Added by Jacob Oliver almost 3 years ago. Updated almost 3 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-squid
Target version:v6.8
Resolution:NEXTRELEASE NEEDINFO:No

Description

Not 100% sure where to log this but it is a high priority as it not only produces security issues for anyone using SSL web filtering but will also cause NethServer to break clients with web filtering over the next few months.

Currently NethServer is running squid that is shipped with CentOS - CentOS 7 only provides Squid 3.3.8 and it only generates certificates using SHA-1 algorithms which are now classed as a security risk. Browsers such as Google Chrome will be removing support for SHA-1 certificates in January 2017 which means all devices making use of the web filtering will start to be restricted as to the content that they can access.

I have tested an install of Squid 3.5.22 which supports SHA-2 certificates and can confirm that so far it has worked throughout some limited testing. I am not yet sure whether an upgrade works but I don't see any reason why it wouldn't work.

The steps to upgrade are as following:
Modify /etc/yum.repos.d/CentOS-Base.repo and add "exclude=squid*" to the bottom of the [base] repo section

Create /etc/yum.repos.d/squid.repo with the following contents:
[squid]
name=Squid repo for CentOS
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/
failovermethod=priority
enabled=1
gpgcheck=0

Then install/upgrade squid and all of it's respective libraries. It may be worth removing all old versions before installing.
The packaged needed to be installed are:
squid
squid-helpers (Used to provide ssl_crtd and other useful binaries)

Then run:
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

After this, start/restart squid and it will be up and running again but this time with SHA2 support.

History

#1 Updated by Jacob Oliver almost 3 years ago

See https://github.com/NethServer/nethserver-squid/pull/10 for the initial commit for the ssl_db work.
Now need to add the repos and exclude squid from one.

#2 Updated by Filippo Carletti almost 3 years ago

Jacob Oliver wrote:

Not 100% sure where to log this but it is a high priority as it not only produces security issues for anyone using SSL web filtering but will also cause NethServer to break clients with web filtering over the next few months.

Thank you for bringing this to attention.
I've recently proposed to drop the MITM squid ssl bump feature and stop generating SSL certificates, did you follow the discussion?
http://community.nethserver.org/t/transparent-https-proxy/5064

I have tested an install of Squid 3.5.22 which supports SHA-2 certificates and can confirm that so far it has worked throughout some limited testing. I am not yet sure whether an upgrade works but I don't see any reason why it wouldn't work.

I've used Eliezer's squid package for my tests and I know it can't be an upgrade (but I have a patch). Meanwhile, Red Hat released 7.3, which brings squid 3.5.20, you'll find more details in the forum link above.

If you don't mind, I'll try to merge your github pull request after my pull request for the new transparent proxy is merged.
Let's move the discussion on github:
https://github.com/NethServer/dev/issues/5169

#3 Updated by Giacomo Sanchietti almost 3 years ago

  • Priority changed from High to Normal

#4 Updated by Filippo Carletti almost 3 years ago

  • Status changed from NEW to CLOSED
  • % Done changed from 0 to 100
  • Resolution set to NEXTRELEASE

Jacob, the issue is fixed on NethServer 7, I'm closing this.

Also available in: Atom PDF