[Bug 207901] www/squid Host header forgery detection with sslbump leads to crash
bugzilla-noreply at freebsd.org
Fri Mar 11 10:43:25 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207901
Bug ID: 207901
Summary: www/squid Host header forgery detection with sslbump leads to crash
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: christophe.anselmemoizan at orange.com
CC: fabrice.bruel at orange.com, timp87 at gmail.com
Flags: maintainer-feedback?(timp87 at gmail.com)
Hello,
I fell into a bug when trying an sslbump configuration on FreeBSD 10.
It seems that Host header forgery detection leads to a fatal segment violation.
When accessing
https://www.google.fr/search?q=test&biw=1920&bih=953&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjI1vayuLjLAhUBVhoKHeJIB0gQ_AUIBygC
several times, a forged header is detected and the child dies.
After several times, all squid processes have died.
Here's /var/log/squid/cache.log:
2016/03/11 11:35:34.503 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.19.142:443 remote=10.0.0.2:51113 FD 11 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#1: swapcontext + 0x15a, ip = 0x803dcb47a, sp = 0x7fffffffcdb0
#2: _sigaction + 0x342, ip = 0x803dcb062, sp = 0x7fffffffd170
#3: [unknown] + 0x0, ip = 0x7ffffffff003, sp = 0x7fffffffd1f0
#4: strlen + 0xb, ip = 0x804121f8b, sp = 0x7fffffffd7a0
#5: _ZNSt3__1lsINS_11char_traitsIcEEEERNS_13basic_ostreamIcT_EES6_PKc + 0x7b, ip = 0x56308b, sp = 0x7fffffffd7b0
#6: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x58f, ip = 0x60ad0f, sp = 0x7fffffffd960
#7: _ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails + 0x8eb, ip = 0x60a6cb, sp = 0x7fffffffdb30
#8: _ZL25hostHeaderIpVerifyWrapperPK14_ipcache_addrsRK16DnsLookupDetailsPv + 0x2d, ip = 0x60c7cd, sp = 0x7fffffffdd80
#9: _ZL15ipcacheCallbackP13ipcache_entryi + 0x121, ip = 0x6e5141, sp = 0x7fffffffddb0
#10: _ZL18ipcacheHandleReplyPvPK11_rfc1035_rriPKc + 0xad, ip = 0x6e52dd, sp = 0x7fffffffde50
#11: _ZL12idnsCallbackP11_idns_queryPKc + 0x785, ip = 0x643365, sp = 0x7fffffffde90
#12: _ZL13idnsGrokReplyPKcmi + 0x1366, ip = 0x6461a6, sp = 0x7fffffffdfa0
#13: _ZL8idnsReadiPv + 0xd9a, ip = 0x63e02a, sp = 0x7fffffffe1f0
#14: _ZN4Comm8DoSelectEi + 0x225, ip = 0x966235, sp = 0x7fffffffe560
#15: _ZN16CommSelectEngine11checkEventsEi + 0x44, ip = 0x871fb4, sp = 0x7fffffffe5f0
#16: _ZN9EventLoop11checkEngineEP11AsyncEngineb + 0x5a, ip = 0x65205a, sp = 0x7fffffffe630
#17: _ZN9EventLoop7runOnceEv + 0x29f, ip = 0x65266f, sp = 0x7fffffffe690
#18: _ZN9EventLoop3runEv + 0x5f, ip = 0x65239f, sp = 0x7fffffffe7c0
#19: _Z9SquidMainiPPc + 0xe68, ip = 0x6eb1a8, sp = 0x7fffffffe7e0
#20: _ZL13SquidMainSafeiPPc + 0x1a, ip = 0x6e9eea, sp = 0x7fffffffea80
#21: main + 0x22, ip = 0x6e9ec2, sp = 0x7fffffffebc0
#22: _start + 0x16f, ip = 0x5586cf, sp = 0x7fffffffebe0
#23: [unknown] + 0x0, ip = 0x800e34000, sp = 0x7fffffffec20
Use addr2line of similar to translate offsets to line information.
CPU Usage: 0.151 seconds = 0.100 user + 0.050 sys
Maximum Resident Size: 101264 KB
Page faults with physical i/o: 0
--------------------------------------------------------------------------------
# uname -a
FreeBSD VNF-SSLBump 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014 root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
-------------------------------------------------------------------------------
# pkg info squid
squid-3.5.15
Name : squid
Version : 3.5.15
Installed on : Fri Mar 11 10:32:56 2016 CET
Origin : www/squid
Architecture : freebsd:10:x86:64
Prefix : /usr/local
Categories : ipv6 www
Licenses : GPLv2
Maintainer : timp87 at gmail.com
WWW : http://www.squid-cache.org/
Comment : HTTP Caching Proxy
Options :
ARP_ACL : off
AUTH_LDAP : on
AUTH_NIS : on
AUTH_SASL : off
AUTH_SMB : off
AUTH_SQL : off
CACHE_DIGESTS : off
DEBUG : on
DELAY_POOLS : off
DOCS : on
ECAP : on
ESI : off
EXAMPLES : on
FOLLOW_XFF : off
FS_AUFS : on
FS_DISKD : on
FS_ROCK : off
GSSAPI_BASE : on
GSSAPI_HEIMDAL : off
GSSAPI_MIT : off
GSSAPI_NONE : off
HTCP : on
ICAP : on
ICMP : off
IDENT : on
IPV6 : on
KQUEUE : on
LARGEFILE : off
LAX_HTTP : off
NETTLE : off
SNMP : on
SSL : on
SSL_CRTD : on
STACKTRACES : on
TP_IPF : off
TP_IPFW : off
TP_PF : on
VIA_DB : off
WCCP : on
WCCPV2 : off
Shared Libs required:
liblber-2.4.so.2
libecap.so.3
libunwind.so.8
libldap-2.4.so.2
Annotations :
cpe : cpe:2.3:a:squid-cache:squid:3.5.15:::::freebsd10:x64
Flat size : 40.2MiB
Description :
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite)
HTTP/1.1 compliant. Squid offers a rich access control, authorization and
logging environment to develop web proxy and content serving applications.
WWW: http://www.squid-cache.org/
------------------------------------------------------------------------------
# cat /usr/local/etc/squid/squid.conf
#
# Recommended minimum configuration:
#
visible_hostname VNF-SSLBump
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
#https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squid.pem
https_port 3130 intercept ssl-bump cert=/usr/local/etc/squid/ssl/squid.pem
always_direct allow all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl banned ssl::server_name .fnac.com
acl banned ssl::server_name .fnac.fr
ssl_bump peek step1 all
ssl_bump terminate banned
ssl_bump splice all
#ssl_bump bump all
sslproxy_cafile /usr/local/etc/squid/cabundle.crt
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
url_rewrite_children 10 startup=4 idle=2 concurrency=0
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
-------------------------------------------------------------------------------
Thanks for your help
Best Regards
Christophe
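As a triage aid added here (it is not part of the report nor Squid's own code), this C++ snippet uses the compiler runtime's abi::__cxa_demangle to translate the mangled frame names from the backtrace above into readable signatures, so the crash path can be read as: DNS reply callback, then ClientRequestContext::hostHeaderIpVerify, then ClientRequestContext::hostHeaderVerifyFailed, then operator<<(ostream&, const char*), then strlen. The frame list is copied from the report; no Squid headers are required.

```cpp
#include <cxxabi.h>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Demangle one Itanium C++ ABI symbol. Plain C symbols such as "strlen" are
// not mangled; __cxa_demangle signals that through status and we return the
// input unchanged.
std::string demangle(const std::string &mangled) {
    int status = 0;
    char *out = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
    std::string result = (status == 0 && out != nullptr) ? std::string(out) : mangled;
    std::free(out);  // free(nullptr) is a no-op
    return result;
}

// Symbol names copied from frames #4..#9 of the report's backtrace (deepest
// first); the "+ offset", ip and sp fields are not needed for demangling.
const std::vector<std::string> kReportFrames = {
    "strlen",
    "_ZNSt3__1lsINS_11char_traitsIcEEEERNS_13basic_ostreamIcT_EES6_PKc",
    "_ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_",
    "_ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails",
    "_ZL25hostHeaderIpVerifyWrapperPK14_ipcache_addrsRK16DnsLookupDetailsPv",
    "_ZL15ipcacheCallbackP13ipcache_entryi",
};

// Demangle every frame, preserving order so the call path reads deepest-first.
std::vector<std::string> demangleAll(const std::vector<std::string> &frames) {
    std::vector<std::string> out;
    out.reserve(frames.size());
    for (const auto &f : frames)
        out.push_back(demangle(f));
    return out;
}

int main() {
    int depth = 4;  // numbering matches the report, whose copied frames start at #4
    for (const auto &sig : demangleAll(kReportFrames))
        std::cout << "#" << depth++ << ": " << sig << '\n';
    return 0;
}
```

The same approach works on the remaining frames (#10 onward); offsets within each function still need addr2line against a binary with debug symbols, as the log itself suggests.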