OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: GrueneNeun on February 24, 2022, 02:56:04 pm
-
I have a transparent proxy up and running which also uses SSL bumping. It works for most websites, but some SSL sites do not deliver their intermediate certificate, like https://incomplete-chain.badssl.com/ for example. This results in OPNsense presenting the following errors to a client:
(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
Since normal web browsers do not display that error and can verify the complete certificate chain there must be a way to download these missing certificates automatically. Can this be done in the web proxy too, so that even misconfigured servers can be reached?
-
No, there is not. Browsers likely have those intermediate certificates in their store as well.
-
Okay, I am just asking because I found https://www.spinics.net/lists/squid/msg94071.html which suggests that Squid should try to fetch missing certificates...
-
Some TLS-Clients fetch intermediate certificates based on the AIA extension, but this differs from browser (TLS-Client) to browser. Search for SQUID and AIA.
Best practice is to deliver the whole certificate chain, but this is a setting on the server side.
br
-
Yes, and I try to minimize the impact of server-side misconfiguration on my users.
Search for SQUID and AIA.
Best advice ever - thank you very much, it is exactly what i was looking for ;D
For a test, I inserted the following lines, which I copied from http://lists.squid-cache.org/pipermail/squid-users/2020-July/022425.html
# allow fetching of missing intermediate certificates
# matches the requests Squid itself originates to download certificates from AIA URLs
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
# let those internal certificate-fetching requests through the access rules
http_access allow fetch_intermediate_certificate
# cache the downloaded certificates so they are not re-fetched for every connection
cache allow fetch_intermediate_certificate
and at least https://incomplete-chain.badssl.com/ worked like a charm. This leads me to believe that the default configuration blocks the access of Squid itself to the AIA URLs to download missing certificates.
This is by no means a clean solution, and I got other errors I can't inspect more closely at the moment, but something like this should be considered as an option in the GUI.
-
i inserted the following lines
Sorry to ask, but WHERE did you insert these lines?