Squid 프록시를 이용한 SSL 복호화.

System / Package Manager / Available Packages 탭에 들어가면 여러 패키지를 설치 할수 있다. 이 중 squid 를 검색하여 squid 를 install 로 한다.

/etc/ssl/openssl.cnf 중 수정해야할 부분만 표시하겠다

# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.6 2004/03/17 17:44:38 nectar Exp $
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

# default SAN value if $ENV::SAN is not defined
#
SAN                     =

# Extra OBJECT IDENTIFIER info:
#oid_file               = $ENV::HOME/.oid
oid_section             = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions            =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
distinguished_name=req_distinguished_name
req_extensions = v3_req
prompt=yes          <==no 에서 yes 로 변경

default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
#input_password=""
#output_password=""

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = US
#countryName_default            = AU
#countryName_min                        = 2
#countryName_max                        = 2

stateOrProvinceName             = Somewhere
#stateOrProvinceName_default    = Somestate

localityName                    = Somecity

0.organizationName              = CompanyName
#0.organizationName_default     = SampleNameDefault

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (eg, YOUR name)
#commonName_max                 = 64

emailAddress                    = Email Address
#emailAddress_max               = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
#challengePassword_min          = 4
#challengePassword_max          = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated User Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

[ usr_cert_san ]

# copy of [ usr_cert ] plus nonempty Subject Alternative Names
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated User Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=clientAuth
subjectAltName=$ENV::SAN

[ server ]

# Make a cert with nsCertType=server
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
keyUsage = digitalSignature, keyEncipherment

[ server_san ]

# copy of [ server ] plus nonempty Subject Alternative Names
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
keyUsage = digitalSignature, keyEncipherment
subjectAltName=$ENV::SAN

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:TRUE             <==FALSE 에서 TRUE 변경
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer:always

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate.
keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ v3_ca_san ]

# copy of [ v3_ca ] plus nonempty Subject Alternative Names
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
subjectAltName=$ENV::SAN

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

여기까지 변경이 완료되었으면 인증서를 만들어보도록하자.

openssl genrsa -out private.key 2048

openssl req -x509 -new -nodes -key private.key -sha256 -days 365 -out CA.pem

이렇게 개인키와 공개키를 만들었으면 winscp 를 통해 파일을 윈도우에 저장을 하도록하자.

위에 명령어를 통해 생성된 키값이다.

Pfsense 관리자 페이지에 접속하여 System / Certificate Manager / CAs / Add 를 선택하면
다음과 같은 페이지가 나온다. Import an existing Certificate Authority 를 선택하고
Certificate data 안에는 CA.pem 정보값을 워드패드로 열어 붙여넣기를 하고 Certificate Private Key 는 private.key 파일 안에 있는 정보를 붙여넣기하고 Save를 한다.

저장을 하게되면 다음과 같이 생성이 완료된것을 확인할 수 있다.

마지막으로 오른쪽에 보면 Actions 메뉴 중 Export CA가 있다. Export하여 인증서를 가지고 있도록하자.

이렇게 완료되었다면 이제 위에서 설치한 Squid 프록시 설정 부분에 가보도록하자.
Services / Squid Proxy Server  항목에 가면 아래에 관련된 옵션을 모두 체크한다.

Enable Squid Proxy

Check to enable the Squid proxy. Note: If unchecked, ALL Squid services will be disabled and stopped.

Transparent HTTP Proxy

Enable transparent mode to forward all requests for destination port 80 to the proxy server without any additional configuration being necessary. Note: Transparent mode will filter SSL (port 443) if you enable man-in-the-middle options below.
In order to proxy both HTTP and HTTPS protocols without intercepting SSL connections, configure WPAD/PAC options on your DNS/DHCP servers

HTTPS/SSL Interception

Enable SSL filtering.

옵션 중 CA라는 옵션이 있는데 아까 인증성 생성했던 CA를 선택해준다. 그리고 Save 를 한다.

그리곤 위에서 Export 한 인증서를 신뢰할 수 있는 루트 인증 기관으로 선택하여 설치해준다. 

설치를 하고 들어가면 아까 생성한 인증서가 보이고 https 접속시 나오는 SSL 관련 페이지도 뜨지 않게된다.

이제 준비가 모두 완료되었다. 와이어샤크를 이용하여 SSL 통신을 볼수 있도록 해보자.

vmware 에 설치된 PC는 squid 프록시를 통해서 인터넷을 사용하는 사용자라고 생각하면
된다. 구글에서 비밀번호를 대충치고 난 뒤의 와이어샤크 결과를 보도록하자.

보다시피 모두 암호화되어 있어서 아무것도 볼수가 없다. 개인키를 이용하여 복호화를 해보도록하자. Wireshark 메뉴중 Edit -> Preferences -> Protocols -> SSL 에 들어가면 다음과 같은 화면이 나오고 Edit 를 선택한다.

그리고 SSL 443포트 프로토콜은 http 로 해주고 확인을 하면 !

암호화 되어 있는 패킷들이 모두 복호화되어 있다. 패스워드는 임의로 막 입력한 값이므로
접속시도도 하지마라. 추가적인 설명은 나중에 포스팅.