Date: Fri, 11 Mar 2016 10:43:24 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 207901] www/squid Host header forgery detection with sslbump leads to crash
Message-ID: <bug-207901-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207901

Bug ID: 207901
Summary: www/squid Host header forgery detection with sslbump leads to crash
Product: Ports & Packages
Version: Latest
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs@FreeBSD.org
Reporter: christophe.anselmemoizan@orange.com
CC: fabrice.bruel@orange.com, timp87@gmail.com
CC: timp87@gmail.com
Flags: maintainer-feedback?(timp87@gmail.com)

Hello,

I ran into a bug when trying an sslbump configuration on FreeBSD 10. It seems that Host header forgery detection leads to a fatal segment violation.

When accessing https://www.google.fr/search?q=test&biw=1920&bih=953&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjI1vayuLjLAhUBVhoKHeJIB0gQ_AUIBygC several times, a forged header is detected and the child dies. After several times, all squid processes have died.

Here's /var/log/squid/cache.log:

2016/03/11 11:35:34.503 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.19.142:443 remote=10.0.0.2:51113 FD 11 flags=33 (local IP does not match any domain IP)
FATAL: Received Segment Violation...dying.
Backtrace follows (deepest frame first):
#1: swapcontext + 0x15a, ip = 0x803dcb47a, sp = 0x7fffffffcdb0
#2: _sigaction + 0x342, ip = 0x803dcb062, sp = 0x7fffffffd170
#3: [unknown] + 0x0, ip = 0x7ffffffff003, sp = 0x7fffffffd1f0
#4: strlen + 0xb, ip = 0x804121f8b, sp = 0x7fffffffd7a0
#5: _ZNSt3__1lsINS_11char_traitsIcEEEERNS_13basic_ostreamIcT_EES6_PKc + 0x7b, ip = 0x56308b, sp = 0x7fffffffd7b0
#6: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x58f, ip = 0x60ad0f, sp = 0x7fffffffd960
#7: _ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails + 0x8eb, ip = 0x60a6cb, sp = 0x7fffffffdb30
#8: _ZL25hostHeaderIpVerifyWrapperPK14_ipcache_addrsRK16DnsLookupDetailsPv + 0x2d, ip = 0x60c7cd, sp = 0x7fffffffdd80
#9: _ZL15ipcacheCallbackP13ipcache_entryi + 0x121, ip = 0x6e5141, sp = 0x7fffffffddb0
#10: _ZL18ipcacheHandleReplyPvPK11_rfc1035_rriPKc + 0xad, ip = 0x6e52dd, sp = 0x7fffffffde50
#11: _ZL12idnsCallbackP11_idns_queryPKc + 0x785, ip = 0x643365, sp = 0x7fffffffde90
#12: _ZL13idnsGrokReplyPKcmi + 0x1366, ip = 0x6461a6, sp = 0x7fffffffdfa0
#13: _ZL8idnsReadiPv + 0xd9a, ip = 0x63e02a, sp = 0x7fffffffe1f0
#14: _ZN4Comm8DoSelectEi + 0x225, ip = 0x966235, sp = 0x7fffffffe560
#15: _ZN16CommSelectEngine11checkEventsEi + 0x44, ip = 0x871fb4, sp = 0x7fffffffe5f0
#16: _ZN9EventLoop11checkEngineEP11AsyncEngineb + 0x5a, ip = 0x65205a, sp = 0x7fffffffe630
#17: _ZN9EventLoop7runOnceEv + 0x29f, ip = 0x65266f, sp = 0x7fffffffe690
#18: _ZN9EventLoop3runEv + 0x5f, ip = 0x65239f, sp = 0x7fffffffe7c0
#19: _Z9SquidMainiPPc + 0xe68, ip = 0x6eb1a8, sp = 0x7fffffffe7e0
#20: _ZL13SquidMainSafeiPPc + 0x1a, ip = 0x6e9eea, sp = 0x7fffffffea80
#21: main + 0x22, ip = 0x6e9ec2, sp = 0x7fffffffebc0
#22: _start + 0x16f, ip = 0x5586cf, sp = 0x7fffffffebe0
#23: [unknown] + 0x0, ip = 0x800e34000, sp = 0x7fffffffec20
Use addr2line of similar to translate offsets to line information.
CPU Usage: 0.151 seconds = 0.100 user + 0.050 sys
Maximum Resident Size: 101264 KB
Page faults with physical i/o: 0

--------------------------------------------------------------------------------
# uname -a
FreeBSD VNF-SSLBump 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
--------------------------------------------------------------------------------
# pkg info squid
squid-3.5.15
Name           : squid
Version        : 3.5.15
Installed on   : Fri Mar 11 10:32:56 2016 CET
Origin         : www/squid
Architecture   : freebsd:10:x86:64
Prefix         : /usr/local
Categories     : ipv6 www
Licenses       : GPLv2
Maintainer     : timp87@gmail.com
WWW            : http://www.squid-cache.org/
Comment        : HTTP Caching Proxy
Options        :
	ARP_ACL        : off
	AUTH_LDAP      : on
	AUTH_NIS       : on
	AUTH_SASL      : off
	AUTH_SMB       : off
	AUTH_SQL       : off
	CACHE_DIGESTS  : off
	DEBUG          : on
	DELAY_POOLS    : off
	DOCS           : on
	ECAP           : on
	ESI            : off
	EXAMPLES       : on
	FOLLOW_XFF     : off
	FS_AUFS        : on
	FS_DISKD       : on
	FS_ROCK        : off
	GSSAPI_BASE    : on
	GSSAPI_HEIMDAL : off
	GSSAPI_MIT     : off
	GSSAPI_NONE    : off
	HTCP           : on
	ICAP           : on
	ICMP           : off
	IDENT          : on
	IPV6           : on
	KQUEUE         : on
	LARGEFILE      : off
	LAX_HTTP       : off
	NETTLE         : off
	SNMP           : on
	SSL            : on
	SSL_CRTD       : on
	STACKTRACES    : on
	TP_IPF         : off
	TP_IPFW        : off
	TP_PF          : on
	VIA_DB         : off
	WCCP           : on
	WCCPV2         : off
Shared Libs required:
	liblber-2.4.so.2
	libecap.so.3
	libunwind.so.8
	libldap-2.4.so.2
Annotations    :
	cpe            : cpe:2.3:a:squid-cache:squid:3.5.15:::::freebsd10:x64
Flat size      : 40.2MiB
Description    :
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite)
HTTP/1.1 compliant. Squid offers a rich access control, authorization and
logging environment to develop web proxy and content serving applications.

WWW: http://www.squid-cache.org/
--------------------------------------------------------------------------------
# cat /usr/local/etc/squid/squid.conf
#
# Recommended minimum configuration:
#
visible_hostname VNF-SSLBump

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7	# RFC 4193 local private network range
acl localnet src fe80::/10	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 3129 intercept
#https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl/squid.pem
https_port 3130 intercept ssl-bump cert=/usr/local/etc/squid/ssl/squid.pem

always_direct allow all

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
acl banned ssl::server_name .fnac.com
acl banned ssl::server_name .fnac.fr
ssl_bump peek step1 all
ssl_bump terminate banned
ssl_bump splice all
#ssl_bump bump all

sslproxy_cafile /usr/local/etc/squid/cabundle.crt

url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
url_rewrite_children 10 startup=4 idle=2 concurrency=0

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?)	0	0%	0
refresh_pattern .		0	20%	4320
--------------------------------------------------------------------------------

Thanks for your help
Best Regards
Christophe

-- 
You are receiving this mail because:
You are the assignee for the bug.
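The backtrace above ends with Squid's own hint to run addr2line on the offsets. The script below is an added example written for this page (it is not Squid code and not part of the bug report) that parses that backtrace, separates the frames that belong to the squid executable from the libc and signal-delivery frames, and prints the addr2line commands to resolve them. The frame text is quoted from the report. Everything else is an assumption made for the example: the binary path /usr/local/sbin/squid, the FreeBSD amd64 layout in which the non-PIE executable lives below 0x800000000 and shared objects are mapped above it (which is what the ip values here show: squid symbols at 0x5xxxxx to 0x9xxxxx, strlen and swapcontext at 0x803/0x804...), the convention of looking up ip-1 for caller frames because their ip is a return address, and that the frames up to the first [unknown] entry are the signal handler and trampoline, so the frame right after it (#4 strlen) is where the fault was taken.

```python
"""Parse a Squid "Backtrace follows" dump and emit addr2line commands.

Added example for FreeBSD bug 207901, not Squid or ports code. Assumptions:
  - SQUID_BINARY is where the port installs the executable (assumed path).
  - SHARED_OBJECT_BASE: on FreeBSD amd64 the non-PIE executable is mapped
    below 0x800000000 and shared objects above it (assumed from the ip
    values in this trace).
  - Frames before and including the first "[unknown]" entry are the signal
    handler and trampoline; the next frame is the faulting instruction.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SQUID_BINARY = "/usr/local/sbin/squid"   # assumption
SHARED_OBJECT_BASE = 0x800000000         # assumption, see module docstring

# Frame lines quoted from the bug report (not constructed).
BACKTRACE = """\
Backtrace follows (deepest frame first):
#1: swapcontext + 0x15a, ip = 0x803dcb47a, sp = 0x7fffffffcdb0
#2: _sigaction + 0x342, ip = 0x803dcb062, sp = 0x7fffffffd170
#3: [unknown] + 0x0, ip = 0x7ffffffff003, sp = 0x7fffffffd1f0
#4: strlen + 0xb, ip = 0x804121f8b, sp = 0x7fffffffd7a0
#5: _ZNSt3__1lsINS_11char_traitsIcEEEERNS_13basic_ostreamIcT_EES6_PKc + 0x7b, ip = 0x56308b, sp = 0x7fffffffd7b0
#6: _ZN20ClientRequestContext22hostHeaderVerifyFailedEPKcS1_ + 0x58f, ip = 0x60ad0f, sp = 0x7fffffffd960
#7: _ZN20ClientRequestContext18hostHeaderIpVerifyEPK14_ipcache_addrsRK16DnsLookupDetails + 0x8eb, ip = 0x60a6cb, sp = 0x7fffffffdb30
#8: _ZL25hostHeaderIpVerifyWrapperPK14_ipcache_addrsRK16DnsLookupDetailsPv + 0x2d, ip = 0x60c7cd, sp = 0x7fffffffdd80
#9: _ZL15ipcacheCallbackP13ipcache_entryi + 0x121, ip = 0x6e5141, sp = 0x7fffffffddb0
#10: _ZL18ipcacheHandleReplyPvPK11_rfc1035_rriPKc + 0xad, ip = 0x6e52dd, sp = 0x7fffffffde50
#11: _ZL12idnsCallbackP11_idns_queryPKc + 0x785, ip = 0x643365, sp = 0x7fffffffde90
#12: _ZL13idnsGrokReplyPKcmi + 0x1366, ip = 0x6461a6, sp = 0x7fffffffdfa0
#13: _ZL8idnsReadiPv + 0xd9a, ip = 0x63e02a, sp = 0x7fffffffe1f0
#14: _ZN4Comm8DoSelectEi + 0x225, ip = 0x966235, sp = 0x7fffffffe560
#15: _ZN16CommSelectEngine11checkEventsEi + 0x44, ip = 0x871fb4, sp = 0x7fffffffe5f0
#16: _ZN9EventLoop11checkEngineEP11AsyncEngineb + 0x5a, ip = 0x65205a, sp = 0x7fffffffe630
#17: _ZN9EventLoop7runOnceEv + 0x29f, ip = 0x65266f, sp = 0x7fffffffe690
#18: _ZN9EventLoop3runEv + 0x5f, ip = 0x65239f, sp = 0x7fffffffe7c0
#19: _Z9SquidMainiPPc + 0xe68, ip = 0x6eb1a8, sp = 0x7fffffffe7e0
#20: _ZL13SquidMainSafeiPPc + 0x1a, ip = 0x6e9eea, sp = 0x7fffffffea80
#21: main + 0x22, ip = 0x6e9ec2, sp = 0x7fffffffebc0
#22: _start + 0x16f, ip = 0x5586cf, sp = 0x7fffffffebe0
#23: [unknown] + 0x0, ip = 0x800e34000, sp = 0x7fffffffec20
Use addr2line of similar to translate offsets to line information.
"""

FRAME_RE = re.compile(
    r"^#(?P<idx>\d+):\s+(?P<sym>\S+)\s+\+\s+0x(?P<off>[0-9a-f]+),"
    r"\s+ip\s*=\s*0x(?P<ip>[0-9a-f]+),\s+sp\s*=\s*0x(?P<sp>[0-9a-f]+)$"
)


@dataclass
class Frame:
    index: int
    symbol: str
    offset: int
    ip: int
    sp: int

    @property
    def in_main_binary(self) -> bool:
        # Only addresses inside the executable can be fed to addr2line -e squid;
        # libc/libunwind frames would need their own load base.
        return self.ip < SHARED_OBJECT_BASE and self.symbol != "[unknown]"


def parse_backtrace(text: str) -> List[Frame]:
    """Return the frames in the order Squid printed them (deepest first)."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(Frame(int(m["idx"]), m["sym"], int(m["off"], 16),
                                int(m["ip"], 16), int(m["sp"], 16)))
    return frames


def faulting_frame(frames: List[Frame]) -> Optional[Frame]:
    """Frame that took the SIGSEGV: the one after the signal trampoline."""
    for i, f in enumerate(frames):
        if f.symbol == "[unknown]":
            return frames[i + 1] if i + 1 < len(frames) else None
    return frames[0] if frames else None


def addr2line_commands(frames: List[Frame], binary: str = SQUID_BINARY) -> List[str]:
    """One addr2line invocation per executable frame; callers use ip-1."""
    fault = faulting_frame(frames)
    cmds = []
    for f in frames:
        if not f.in_main_binary:
            continue
        addr = f.ip if f is fault else f.ip - 1   # return address -> call site
        cmds.append(f"addr2line -C -f -i -e {binary} 0x{addr:x}")
    return cmds


if __name__ == "__main__":
    frames = parse_backtrace(BACKTRACE)
    f = faulting_frame(frames)
    print(f"fault taken in #{f.index} {f.symbol}+0x{f.offset:x} (ip 0x{f.ip:x})")
    for cmd in addr2line_commands(frames):
        print(cmd)
```

addr2line only yields file:line when the executable still carries debug information; on a stripped package binary every lookup prints "??:0", in which case the port has to be rebuilt with debug symbols before the offsets mean anything. -C demangles the _ZN... names in place of a separate c++filt pass.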
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-207901-13>