Hi everybody ! Is it desirable that the Negotiate/Kerberos proxy authentication method be interrupted as soon as Squid knows the identity of the browser's user, without letting the browser authenticates Squid in response ?
When a browser wants to connect to some random HTTP website, it sends a GET request. A proxy wanting to authenticate the browser, via Kerberos, responds with 407, which lets the browser knows that it has to authenticate. Then the browser sends a Kerberos authenticator (in base64 in the Proxy-Authorization header). Then Squid *should* answer back with a Proxy-Authentication-Info letting the browser finish the Kerberos process and validating that it is communicating with the real proxy it wants to use. It is how gss-api is intended to be used. It was the case with Squid 3.3.8, where Squid answers back, along with the response (200 OK), the Proxy-Authentication-Info header with the final token. But with Squid 4.2, the browser doesn't anymore add this headers, preventing the browser to authenticate back the proxy. The problem is that it enables some potentially Man in the Middle attack (since any malicious proxy where the traffic is diverted could then answers back without the client knowing it talks to a malicious proxy) Here is an example of this phenomenon with GET and CONNECT : GET http://perdu.com/ HTTP/1.1 Host: perdu.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 HTTP/1.1 407 Proxy Authentication Required Server: squid/4.2 Mime-Version: 1.0 Date: Tue, 02 Oct 2018 08:35:27 GMT Content-Type: text/html;charset=utf-8 Content-Length: 1852 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: fr Proxy-Authenticate: Negotiate X-Cache: MISS from ceriseconfite X-Cache-Lookup: NONE from ceriseconfite:3129 Via: 1.1 ceriseconfite (squid/4.2) Connection: keep-alive <some really long webpage for something that shouldn't be displayed> GET http://perdu.com/ HTTP/1.1 Host: perdu.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: fr,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 Proxy-Authorization: Negotiate YIIChwYGKw[...blablabla some random authenticator...]W6m HTTP/1.1 200 OK (with Squid 4.2) Date: Tue, 02 Oct 2018 08:35:27 GMT Server: Apache Last-Modified: Thu, 02 Jun 2016 06:01:08 GMT ETag: "cc-5344555136fe9" Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 163 Content-Type: text/html X-Cache: MISS from ceriseconfite X-Cache-Lookup: MISS from ceriseconfite:3129 Via: 1.1 ceriseconfite (squid/4.2) Connection: keep-alive <------------- Missing the Proxy-Authentication-Info HTTP/1.1 200 OK (with older Squid 3.3.8) Date: Fri, 28 Sep 2018 08:09:27 GMT Server: Apache Last-Modified: Thu, 02 Jun 2016 06:01:08 GMT ETag: "cc-5344555136fe9" Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 163& Content-Type: text/html Proxy-Authentication-Info: Negotiate oRQwEqADCgEAoQsGCSqGSIb3EgECAg== <--- here was the authentication response back to the client X-Cache: MISS from sucre-SQUID-50118215 X-Cache-Lookup: MISS from sucre-SQUID-50118215:3127 Connection: keep-alive ..........5....0.Dw...H.....L.l..Cc.H%).S..'!....:...L..:B :3.S.pU.0....4....#.O....\...-*KdmzE...m........."...v...R..0...$\. j.....ny 2...0.4.B...>....|....-.... And here is the same exchange but with TLS : CONNECT perdu.com:443 HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Proxy-Connection: keep-alive Connection: keep-alive Host: perdu.com:443 HTTP/1.1 407 Proxy Authentication Required Server: squid/4.2 Mime-Version: 1.0 Date: Tue, 02 Oct 2018 08:30:51 GMT Content-Type: text/html;charset=utf-8 Content-Length: 1813 X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0 Vary: Accept-Language Content-Language: en Proxy-Authenticate: Negotiate X-Cache: MISS from ceriseconfite X-Cache-Lookup: NONE from ceriseconfite:3129 Via: 1.1 ceriseconfite (squid/4.2) Connection: keep-alive <some really long webpage for something that shouldn't be displayed> CONNECT perdu.com:443 HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Proxy-Connection: keep-alive Connection: keep-alive Host: perdu.com:443 Proxy-Authorization: Negotiate YIIChwYGKwYBBQUCo[...blablabla some other random authenticator...]zCqD HTTP/1.1 200 Connection established (same with Squid 4.2 and Squid 3.3.8) <---- is the Proxy-Authentication-Info missing ? (TLS tunnel exchange) It this behavior endorsed, or is it a bug ? Actually, I know that browsers seem not to care, but they won't be able to care if they don't receive all the needed information. Thanks for reading and your response :-) -- Emmanuel Coirier _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
