ssl proxy

foetz

Member
Feb 19, 2019
96
48
18
more and more websites don't support tls 1.0 anymore which makes browsing with irix increasingly problematic. that's particularly annoying since most of the sites wouldn't need ssl at all. but looking at how websites developed in recent years that's not exactly a surprise.

anyway, to compensate this i thought about using an ssl proxy. i'm using a squid anyway so i thought about upgrading and making use of sslbump. now before i dig into that, maybe someone tried that already? or maybe there's a better way to have the ssl part done by something else?
 
For what it's worth there is a new version of OpenSSL ported for IRIX, 1.0.2: https://github.com/larb0b/irixports/blob/master/openssl/package.sh
It should support newer TLS and could presumably be used to build a browser that supports it?

An SSL proxy will work although it pushes the problem of certificate validation back to the proxy so the interface for dealing with that can be somewhat clumsy. The squid + ssl_bump solution is a reasonable setup if you want to do that! I seem to remember a proxy whose explicit purpose was stripping off SSL locally, but unfortunately I don't recall what it was named and can't find it anymore.
 
For what it's worth there is a new version of OpenSSL ported for IRIX, 1.0.2: https://github.com/larb0b/irixports/blob/master/openssl/package.sh
thanks but no gcc builds for me unless absolutely necessary :D

The squid + ssl_bump solution is a reasonable setup
and does what i want it to do. i gave it a quick try on an x86 just to see whether it works at all.

now the not so pleasant part is getting that compiled on irix. unfortunately a squid 3.x needs gcc and exceptions and rtti ... pretty much the worst case :p
but the main problem seems to be that irix has a different struct msghdr. not a big problem to replace that in squid but the related irix functions expect their native version. and that is exactly what's used heavily for ipc between squid itself and its ssl workers => crashes.
 
Oh, you want to run the squid proxy on IRIX as well? I just assumed it would be running on another server with the IRIX machine as the client. If running squid on the IRIX machine it will still need to be compiled with a version of OpenSSL that supports newer TLS and ciphers.
 
thanks but no gcc builds for me unless absolutely necessary :D


and does what i want it to do. i gave it a quick try on an x86 just to see whether it works at all.

now the not so pleasant part is getting that compiled on irix. unfortunately a squid 3.x needs gcc and exceptions and rtti ... pretty much the worst case :p
but the main problem seems to be that irix has a different struct msghdr. not a big problem to replace that in squid but the related irix functions expect their native version. and that is exactly what's used heavily for ipc between squid itself and its ssl workers => crashes.

FYI, there is an openssl patch for 1.1.1a that's good enough for regular wget or openssh usage below (and I compile it with MIPSpro):


Configure with something like this

./Configure --prefix=$INSTALLDIR --openssldir=$INSTALLDIR/etc/ssl --libdir=$INSTALLDIR/$DIDBS_LIBDIR irix-mips3-cc threads shared

For the struct msghdr, I vaguely remember seeing something similar to your description - and I think I couldn't find the right combination of -D_SGI_SOURCE style defines that would pull in the needed definitions of msghdr.

Sorry I forgot where I did it and a quick grep didn't show anything up - but from memory, have a hunt in the /usr/include header files and pull out the _xpg#_recvmsg plus the actual struct and manually add it where it's needed rather than trying to get it from the system include files.
 
  • Like
Reactions: foetz
have a hunt in the /usr/include header files and pull out the _xpg#_recvmsg plus the actual struct and manually add it where it's needed
ah yeah, an xpg version of recvmsg(), that's a good idea. too bad it doesn't work with mipspro. otherwise i could just set _XPG.
 
  • Like
Reactions: Elf
too bad it doesn't work with mipspro.

Above approach worked fine with MIPSpro AFAIR, I just created a little "irix_xpgmsghdr.h" within the project, and then find/replaced use of recvmsg and struct msghdr to the redefined versions in that header.

What probs you hitting with MIPSpro?
 
Got you. Yeah, that's the price of entry for "sticking with MIPSpro".

It's your time and pleasure, so I'll just wish you the best .-)
 
another box external to your SGI gear.
no thanks. running a second box 24/7 is not an option. if i had that, the problem here wouldn't exist because then squid would work :p

as mentioned before, the problem is getting an ssl proxy that works on irix. so far i didn't find anything else but squid 3.x (or higher) which does what i'm looking for.
in the meantime i tried a couple of more things with squid. things like defining _XOPEN_5, manual copy & paste of the related functions and struct ... but no matter which combination i tried, it always breaks something else. so i think for now i'm done with squid and if i don't find anything else, the only other way i see is writing something myself.
 
no thanks. running a second box 24/7 is not an option. if i had that, the problem here wouldn't exist because then squid would work :p

as mentioned before, the problem is getting an ssl proxy that works on irix. so far i didn't find anything else but squid 3.x (or higher) which does what i'm looking for.
in the meantime i tried a couple of more things with squid. things like defining _XOPEN_5, manual copy & paste of the related functions and struct ... but no matter which combination i tried, it always breaks something else. so i think for now i'm done with squid and if i don't find anything else, the only other way i see is writing something myself.

Have you looked into using nginx? I think it could handle proxying ssl.
 
sure and yes it can. same goes for apache, stunnel and a few others. however, they all can only do that for a fixed target. what i'm after tho is a proxy, not a static forwarder.
 
tl;dr:
  1. Create a CA cert, key, etc.
  2. Build openssl 1.1.1.c with ssl2 and ssl3
  3. Configure squid as SSL bump
  4. preload above ssl library and run squid
  5. Import the CA cert into your browser
Build openssl 1.1.1.c with:
<code>
no-idea no-mdc2 no-rc5 no-zlib enable-ssl3 enable-unit-test enable-ssl3-method enable-rfc3779 enable-cms enable-ssl2
</code>

Then configure squid to act as SSL bump:
<code>
--- /etc/squid/squid.conf.orig 2019-07-24 10:33:25.000000000 -0700
+++ /etc/squid/squid.conf 2019-11-03 09:30:34.371013823 -0800
@@ -1377,6 +1487,7 @@
#Default:
# Deny, unless rules exist in squid.conf.
#
+http_access allow localnet

#
# Recommended minimum Access Permission configuration:
@@ -1904,7 +2015,13 @@
#

# Squid normally listens to port 3128
-http_port 3128
+http_port 3128 ssl-bump \
  • cert=/etc/squid/certs/squid-ca-cert-key.pem \
  • generate-host-certificates=on dynamic_cert_mem_cache_size=16MB \
  • cipher=ALL
+https_port 3129 intercept ssl-bump \
  • cert=/etc/squid/certs/squid-ca-cert-key.pem \
  • generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
# TAG: https_port
# Usage: [ip:]port [mode] tls-cert=certificate.pem [options]
@@ -2539,11 +2636,15 @@
# ssl_bump bump all
#Default:
# Become a TCP tunnel without decrypting proxied traffic.
+acl step1 at_step SslBump1
+ssl_bump peek step1
+ssl_bump bump all
+ssl_bump splice all

@@ -2690,12 +2776,12 @@
# For more information use:
# /usr/lib/squid/security_file_certgen -h
#Default:
-# sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
+sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 16MB

</code>

And finally run squid with the new ssl lib:
<code>
--- /tmp/etc/init.d/squid 2019-07-24 10:33:25.000000000 -0700
+++ /etc/init.d/squid 2019-10-16 19:11:19.407420861 -0700
@@ -23,6 +23,7 @@
PIDFILE=/var/run/$NAME.pid
CONFIG=/etc/squid/squid.conf
SQUID_ARGS="-YC -f $CONFIG"
+SSL_PRELOAD="LD_PRELOAD=/usr/src/openssl-1.1.1c/build_shared/libssl.so.1.1 "

[ ! -f /etc/default/squid ] || . /etc/default/squid

@@ -91,7 +92,7 @@
if test -d "$cache_dir" -a ! -d "$cache_dir/00"
then
log_warning_msg "Creating $DESC cache structure"
- $DAEMON -z -f $CONFIG
+ $SSL_PRELOAD $DAEMON -z -f $CONFIG
[ -x /sbin/restorecon ] && restorecon -R $cache_dir
fi

</code>
 
  • Like
Reactions: Elf
thanks but that doesn't address the msghdr issues. did you solve these?
 

About us

  • Silicon Graphics User Group (SGUG) is a community for users, developers, and admirers of Silicon Graphics (SGI) products. We aim to be a friendly hobbyist community for discussing all aspects of SGIs, including use, software development, the IRIX Operating System, and troubleshooting, as well as facilitating hardware exchange.

User Menu