OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: GrueneNeun on February 24, 2022, 02:56:04 PM

Title: Fetching of intermediate Certificates
Post by: GrueneNeun on February 24, 2022, 02:56:04 PM
I have a transparent proxy up and running which also uses SSL bumping. It works for most websites, but some SSL sites do not deliver their intermediate certificate, like https://incomplete-chain.badssl.com/ for example. This results in OPNsense presenting the following errors to a client:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

Since normal web browsers do not display that error and can verify the complete certificate chain, there must be a way to download these missing certificates automatically. Can this be done in the web proxy too, so that even misconfigured servers can be reached?
Title: Re: Fetching of intermediate Certificates
Post by: fabian on February 28, 2022, 10:47:16 PM
No, there is not. Browsers likely have those intermediate certificates in their store as well.
Title: Re: Fetching of intermediate Certificates
Post by: GrueneNeun on March 01, 2022, 01:11:17 PM
Okay, I am just asking because I found https://www.spinics.net/lists/squid/msg94071.html which suggests that Squid should try to fetch missing certificates...
Title: Re: Fetching of intermediate Certificates
Post by: Mks on March 01, 2022, 04:20:12 PM
Some TLS clients fetch intermediate certificates based on the AIA extension, but this differs from browser (TLS client) to browser. Search for SQUID and AIA.
Best practice is to deliver the whole certificate chain, but this is a setting on the server side.

br
Title: Re: Fetching of intermediate Certificates
Post by: GrueneNeun on March 01, 2022, 05:37:40 PM
Yes, and I try to minimize the impact of server-side misconfiguration on my users.

Quote from: Mks on March 01, 2022, 04:20:12 PM
Search for SQUID and AIA.
Best advice ever - thank you very much, it is exactly what I was looking for ;D

For a test, I inserted the following lines I copied from http://lists.squid-cache.org/pipermail/squid-users/2020-July/022425.html

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate


and at least https://incomplete-chain.badssl.com/ worked like a charm. This leads me to believe that the default configuration blocks the access of Squid itself to the AIA URLs to download missing certificates.
This is by no means a clean solution and I got other errors I can't inspect more closely at the moment - but something like this should be considered as an option in the GUI.
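What the "AIA fetching" discussed in this thread (Mks's pointer and the Squid `certificate-fetching` ACL above) actually relies on is the caIssuers entry of the leaf certificate's AuthorityInfoAccess extension (RFC 5280, section 4.2.2.1): the client reads the URL from there and downloads the missing issuer certificate, then verifies the completed chain. The following is an added example, not code from the forum thread, Squid or OPNsense: a standard-library-only Python script that walks the DER-encoded extension value, pulls out the caIssuers URIs, and shows the fetch step. The sample extension value is constructed in the script; the URLs in it are hypothetical and do not belong to any real CA.

```python
"""Extract caIssuers URLs from an X.509 AuthorityInfoAccess value.

Added example, not taken from the forum thread, Squid or OPNsense.
AIA chasing = read caIssuers URI from the leaf's AuthorityInfoAccess
extension (RFC 5280 4.2.2.1), download the issuer, verify the chain.
"""
import urllib.request

# Object identifiers from RFC 5280 / RFC 6960.
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_GENERALNAME_URI = 0x86  # GeneralName [6] IMPLICIT IA5String


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def access_locations(aia_der: bytes, method_oid: str = OID_AD_CA_ISSUERS) -> list:
    """Return URIs whose accessMethod equals method_oid.

    aia_der is the extnValue content: SEQUENCE OF AccessDescription
    { accessMethod OID, accessLocation GeneralName }. Non-URI names
    (e.g. LDAP directoryName) are skipped.
    """
    tag, seq, _ = read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    urls, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid, inner = read_tlv(desc, 0)
        tag2, loc, _ = read_tlv(desc, inner)
        if tag == TAG_OID and decode_oid(oid) == method_oid and tag2 == TAG_GENERALNAME_URI:
            urls.append(loc.decode("ascii"))
    return urls


def fetch_issuer(url: str, timeout: float = 5.0) -> bytes:
    """Download the issuer cert as an AIA-chasing client would.

    RFC 5280 expects an HTTP (or LDAP) URI here; the downloaded bytes
    are untrusted until the signature chain back to a trusted root is
    verified, so plain http:// is fine and TLS would be circular.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


# ---- constructed sample input (hypothetical URLs) --------------------------
def tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV; short-form length suffices for this sample."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def sample_aia() -> bytes:
    """Constructed AuthorityInfoAccess value with an OCSP and a caIssuers entry."""
    ocsp = tlv(TAG_SEQUENCE, encode_oid(OID_AD_OCSP)
               + tlv(TAG_GENERALNAME_URI, b"http://ocsp.example.test"))
    ca_issuers = tlv(TAG_SEQUENCE, encode_oid(OID_AD_CA_ISSUERS)
                     + tlv(TAG_GENERALNAME_URI, b"http://cacerts.example.test/IntermediateCA.crt"))
    return tlv(TAG_SEQUENCE, ocsp + ca_issuers)


if __name__ == "__main__":
    for url in access_locations(sample_aia()):
        print("missing issuer would be fetched from", url)
```

The Squid ACL lines quoted in the post matter because Squid itself performs exactly this download: the request carries the `transaction_initiator certificate-fetching` initiator, and without an explicit `http_access allow` for it the proxy's own fetch is caught by the same deny rules that govern client traffic, leaving the chain incomplete and the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error in place.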
Title: Re: Fetching of intermediate Certificates
Post by: kd.gundermann on December 21, 2022, 02:54:35 PM
Quote
I inserted the following lines

Sorry to ask, but WHERE did you insert these lines?