
Cisco VPN 3000 certificate bypass through Squid HTTPS reverse proxy

posted Mar 16, 2011, 8:04 AM by Daniele Albrizio   [ updated Mar 21, 2011, 11:15 AM ]
This fabulous product generates certificate signing requests with a 1023- or 2047-bit modulus (instead of 1024 or 2048) and a public exponent of 3 or 7 (instead of 65537).
The majority of CAs refuse to sign such requests, so you cannot put a regularly signed certificate on the concentrator itself.
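Before sending a CSR anywhere it is worth confirming what the concentrator actually produced. `openssl req -noout -text -in <csr>` prints the key as "Public-Key: (1023 bit)" and "Exponent: 3 (0x3)"; the following stand-alone check does the same without depending on OpenSSL. It is an added example, not part of the original page or of any Cisco or Squid code: it walks the DER of a PEM CSR or certificate, finds every RSA SubjectPublicKeyInfo and flags a modulus size or exponent a mainstream CA would reject. The accepted sizes (1024/2048/3072/4096) and exponent (65537) are assumptions chosen for this example, and the test vectors it builds use a constructed odd integer as "modulus", not a real key.

```python
import base64
import re

# OID 1.2.840.113549.1.1.1 (rsaEncryption), contents of the DER OBJECT IDENTIFIER
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")
# Assumed CA expectations for this example; anything else is flagged
ACCEPTED_MODULUS_BITS = (1024, 2048, 3072, 4096)
ACCEPTED_EXPONENTS = (65537,)


def pem_to_der(text):
    """Strip PEM armour (CSR or certificate) and return the DER bytes."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", text, re.S)
    return base64.b64decode("".join((m.group(1) if m else text).split()))


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV packed in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _rsa_params_from_spki(buf, start, end):
    """Return (modulus, exponent) if buf[start:end] is the content of an RSA SubjectPublicKeyInfo."""
    kids = list(_children(buf, start, end))
    if len(kids) != 2 or kids[0][0] != 0x30 or kids[1][0] != 0x03:
        return None
    alg = list(_children(buf, kids[0][1], kids[0][2]))
    if not alg or alg[0][0] != 0x06 or buf[alg[0][1]:alg[0][2]] != RSA_ENCRYPTION_OID:
        return None
    # BIT STRING: first byte is the unused-bit count (0), then the RSAPublicKey SEQUENCE {n, e}
    pk_tag, pk_start, pk_end = _read_tlv(buf, kids[1][1] + 1)
    if pk_tag != 0x30:
        return None
    ints = [int.from_bytes(buf[vs:ve], "big") for t, vs, ve in _children(buf, pk_start, pk_end) if t == 0x02]
    return (ints[0], ints[1]) if len(ints) == 2 else None


def find_rsa_keys(der):
    """Collect (modulus, exponent) of every RSA SubjectPublicKeyInfo in a DER CSR, certificate or bare SPKI."""
    found = []

    def walk(start, end):
        for tag, vs, ve in _children(der, start, end):
            if tag == 0x30:
                params = _rsa_params_from_spki(der, vs, ve)
                if params:
                    found.append(params)
                    continue
            if tag & 0x20:  # constructed node (SEQUENCE, SET, [0] ...): descend
                walk(vs, ve)

    walk(0, len(der))
    return found


def check_key(modulus, exponent):
    """Return the list of problems with an RSA public key; empty if it looks normal."""
    problems = []
    if modulus.bit_length() not in ACCEPTED_MODULUS_BITS:
        problems.append("modulus is %d bits, not one of %s" % (modulus.bit_length(), ACCEPTED_MODULUS_BITS))
    if exponent not in ACCEPTED_EXPONENTS:
        problems.append("public exponent is %d, not 65537" % exponent)
    return problems


def audit(pem_or_der):
    """Check every RSA key in a PEM/DER CSR or certificate -> [(bits, exponent, problems), ...]."""
    der = pem_to_der(pem_or_der) if isinstance(pem_or_der, str) else pem_or_der
    return [(n.bit_length(), e, check_key(n, e)) for n, e in find_rsa_keys(der)]


# Constructed test vectors: the "modulus" is just an odd integer of the wanted size, not a real key.
def _tlv(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)  # keep INTEGER positive


def fake_spki_pem(modulus_bits, exponent):
    """PEM-armoured SEQUENCE { INTEGER 1, SubjectPublicKeyInfo } with a fake modulus of modulus_bits bits."""
    rsa_pub = _tlv(0x30, _der_int((1 << (modulus_bits - 1)) | 1) + _der_int(exponent))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x02, b"\x01") + spki)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for bits, e in ((1023, 3), (2047, 7), (2048, 65537)):
        for found_bits, found_e, problems in audit(fake_spki_pem(bits, e)):
            print("%d-bit key, e=%d: %s" % (found_bits, found_e, problems or "looks normal"))
```

To run it against the real thing, read the concentrator's CSR file and pass its text to `audit()`; a non-empty problem list for the 1023/2047-bit, e=3/7 keys described above is exactly the case in which the reverse-proxy workaround below is needed.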

The workaround is to terminate the SSL tunnel in front of the concentrator, on a Squid proxy configured as an HTTPS reverse proxy, and to install regularly signed certificates there (obtained with openssl; I use TinyCA to speed up testing). Squid re-encrypts the traffic towards the concentrator, so the concentrator's odd certificate is only ever seen by Squid and never by the clients.

# Squid configuration for an HTTPS reverse proxy (Squid 2.7/3.1-era option names)
# Front end: clients connect here and see the CA-signed certificate, key and CA chain installed on Squid
https_port [<IP>:]443 accel cert=/usr/local/squid/etc/certs/trapano.pem key=/usr/local/squid/etc/certs/trapano.key cafile=/usr/local/squid/etc/certs/CA.pem defaultsite=trapano.trincatrinca.it vhost
# trapano.trincatrinca.it is the public FQDN of the VPN concentrator, i.e. the name the clients use and the name in the certificate

# HTTPS peer (300.300.300.300 is a placeholder: replace it with the real IP address of the VPN concentrator)
cache_peer 300.300.300.300 parent 443 0 proxy-only no-query originserver ssl sslflags=DONT_VERIFY_PEER,NO_DEFAULT_CA,DONT_VERIFY_DOMAIN ssloptions=NO_TLSv1 name=trapano
# ssloptions=NO_TLSv1 is needed for the Cisco VPN 3000: the back-end hop therefore negotiates SSLv3 with the concentrator
# sslflags=DONT_VERIFY_PEER,... makes Squid accept any certificate the peer presents, so this hop must run over a network you trust;
# a less risky alternative is to point sslcafile= at the concentrator's own certificate and drop DONT_VERIFY_PEER

acl webvpn dstdomain trapano.trincatrinca.it
cache_peer_access trapano allow webvpn
http_access allow webvpn
# Force requests for the VPN name through the peer: going direct would resolve the FQDN to this very proxy and loop
never_direct allow webvpn

# ignore certificate errors for certain sites (very dangerous if allowed for everything!)
#sslproxy_cert_error allow all
acl TrustedName dst 300.300.300.300
sslproxy_cert_error allow TrustedName


Restart Squid and don't forget to point the DNS record for the VPN name at the new proxy machine.

In production environments you can test the whole setup before touching DNS by adding a bogus entry to the /etc/hosts file of a test client that points trapano.trincatrinca.it at the IP address of the proxy machine.

