
[SRX] AppID signatures fail to download via Squid Proxy Server


Article ID: KB34330
KB Last Updated: 24 May 2019
Version: 1.0
Summary:

This article explains why the Junos OS Application Signature Package download via the Squid Proxy Server fails with the "Downloading application package (latest) failed with error (Failed to connect to https://signatures.juniper.net/cgi-bin/index.cgi ...)" error, and describes how to resolve the error.


Symptoms:

Without configuring a proxy server, the SRX device is able to download the AppID signatures as shown below:

lab@SRX> request services application-identification download check-server
Download server URL: https://signatures.juniper.net/cgi-bin/index.cgi
Sigpack Version: 3158
Protobundle version: 1.380.0-60.105
Build Time: Jan 13 2019 23:05:04

lab@SRX> request services application-identification download
Please use command
"request services application-identification download status" to check download status

lab@SRX> request services application-identification download status
Downloading application package 3158 succeeded.

After adding the proxy server configuration as described in Downloading Junos OS Application Signature Package from A Proxy Server, the proxy details are displayed correctly:

set services application-identification download ignore-server-validation
set services application-identification download proxy-profile test
set services proxy profile test protocol http host 10.10.10.1
set services proxy profile test protocol http port 21729
lab@SRX> show services application-identification status

Application Identification
Status                            Enabled
Sessions under app detection      0
Max TCP session packet memory     0
Force packet plugin               Disabled
Force stream plugin               Disabled
Statistics collection interval    1440 (in minutes)

Application System Cache
Status                            Enabled
Cache lookup security-services   Disabled
Cache lookup miscellaneous-services Enabled
Max Number of entries in cache    0
Cache timeout                     3600 (in seconds)

Protocol Bundle
Download Server https://signatures.juniper.net/cgi-bin/index.cgi
AutoUpdate                        Disabled

Proxy Details
Proxy Profile                     test
Proxy Address                     http://10.10.10.1:21729 <<<<<<<<<<<<
Slot 1:
Application package version       0
Status                            Free
PB Version                        N/A
Engine version                    0
Sessions                          0

But the SRX device still fails to download the signatures and reports the following errors:

lab@SRX> request services application-identification download check-server
error: timeout communicating with application-identification daemon

lab@SRX> request services application-identification download
Please use command
"request services application-identification download status" to check download status

lab@SRX> request services application-identification download status
Downloading application package (latest) failed with error (Failed to connect to https://signatures.juniper.net/cgi-bin/index.cgi ...)


Cause:

The SRX device is unable to download AppID signatures through the Squid Proxy Server because the Squid package in use was built without SSL support.

When a proxy is configured, the request that the SRX device sends to the proxy server is a GET for the HTTPS URL. The proxy server itself must therefore be able to establish an SSL connection to the signature server and retrieve the data.

In this case too, the SRX device sends a GET instead of a CONNECT to the Squid Proxy Server. Although CONNECT is the preferred method for HTTPS requests through a proxy, a GET carrying the full URL is also an acceptable way to make the request. The difference is that with GET the proxy terminates the SSL session and can see everything in the response, which might be preferable for some organizations.

Theoretically, both ways can work:

  1. The client sets up an HTTP connection to the proxy > the client sends CONNECT to the proxy > the client sets up an HTTPS connection through the proxy to the server, with SSL negotiated end to end between the client and the server.
  2. The client sets up an HTTP connection to the proxy > the client sends GET to the proxy > if the proxy does not already hold the URL requested in the GET message, it sets up an HTTPS connection to the server, with SSL negotiated between the proxy and the server.

The communication flow, briefly, is as follows:

[SRX]-----(HTTP)-----[Proxy]-----(HTTPS)-----[Server]

  1. The SRX device requests the HTTPS resource from the proxy with a GET over plain HTTP.
  2. The Proxy Server initiates an SSL connection to the Server.
  3. The Proxy Server downloads the contents from the Server.
  4. The Proxy Server returns the contents to the SRX device over HTTP.

Because the Squid package was built without SSL support, the proxy cannot establish the SSL connection needed to serve the GET request, and the download fails.


Solution:

After rebuilding the Squid package with SSL support enabled, the SRX device is able to download the signatures. Refer to Feature: Squid-in-the-middle SSL Bump for more information about enabling SSL configuration in the Squid Proxy setup.

Rebuild the package with the SSL configure options shown below, then run squid -v and verify that these flags are present in the configure options: '--with-openssl', '--enable-ssl', and '--enable-ssl-crtd'.

root@ubuntu:~# squid -v
Squid Cache: Version 3.5.12
Service Name: squid
Ubuntu linux

configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=$ /include' '--mandir=$ /share/man' '--infodir=$ /share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=$ /lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

root@ubuntu:~#
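As an added diagnostic (not part of this article or of Squid), the following Python script checks a squid -v output for the three flags named above and sends a proxy the same absolute-URI GET that the SRX device sends, as described in the Cause section, so that a proxy without SSL support can be identified before the SRX reports "Failed to connect". The proxy address 10.10.10.1:21729 is taken from the configuration above and is an assumption for your environment.

```python
# Added diagnostic, not from the KB article: checks a `squid -v` output for the
# SSL flags named above and probes a proxy the way the SRX does (absolute-URI
# GET, not CONNECT). Proxy host/port are assumptions for your environment.
import re
import socket

# Flags the article says must appear in the Squid configure options.
REQUIRED_SSL_FLAGS = ("--with-openssl", "--enable-ssl", "--enable-ssl-crtd")
# Download server URL reported by "request services application-identification download check-server".
SIGNATURE_URL = "https://signatures.juniper.net/cgi-bin/index.cgi"


def missing_ssl_flags(squid_v_output: str) -> list:
    """Return the required flags that are absent from the quoted configure options."""
    present = set(re.findall(r"'(--[^'=]+)(?:=[^']*)?'", squid_v_output))
    return [flag for flag in REQUIRED_SSL_FLAGS if flag not in present]


def absolute_uri_get(url: str) -> bytes:
    """Build the proxy-style GET the SRX sends: the full URL in the request line."""
    host = url.split("/")[2]
    return (f"GET {url} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def classify_status(raw: bytes) -> str:
    """Turn the proxy's first response line into a verdict string."""
    status_line = raw.split(b"\r\n", 1)[0].decode(errors="replace")
    match = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not match:
        return "no-http-response"          # proxy closed or sent nothing usable
    code = int(match.group(1))
    if 200 <= code < 400:
        return "proxy-fetched-https"       # proxy reached the server over SSL
    return f"proxy-error-{code}"           # Squid error page, e.g. 503


def probe_proxy(proxy_host: str, proxy_port: int, url: str = SIGNATURE_URL,
                timeout: float = 10.0) -> str:
    """Send the absolute-URI GET through the proxy and classify the reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(absolute_uri_get(url))
        return classify_status(sock.recv(4096))


if __name__ == "__main__":
    # Proxy values from the article's configuration; assumed for your setup.
    print(probe_proxy("10.10.10.1", 21729))
```

Run missing_ssl_flags() on the output of squid -v first; a non-empty result means the rebuild step above has not been applied and the probe will fail regardless of network reachability.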
