OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: pongafence on August 09, 2017, 11:06:34 pm

Title: [SOLVED] Squid Proxy Unknown Equifax Root CA
Post by: pongafence on August 09, 2017, 11:06:34 pm
Hi guys,

So I've implemented OPNsense almost EVERYWHERE now, with only my core IPSEC VPN gateways to replace, once I figure out configuration patterns and passing dynamic routes.

Anyway, the issue that I'm having is that once I configure SSL interception, almost every site works fine, except for Google sites, or sites that use the Google CA.

I've attempted to use the unknown intermediate CA configuration to include additional certificates, but nothing seems to work, so I either don't visit Google, or don't enable SSL interception.

Has anyone else run into this problem when visiting SSL intercepted sites and received the UNKNOWN_CA_ERROR?

And how did you resolve the issue without disabling SSL interception?


TIA,
D
Title: Re: Squid Proxy Unknown Equifax Root CA
Post by: fabian on August 10, 2017, 07:09:55 am
I know this problem. This happens because the certificate chain contains an additional certificate. This one is checked against the installed CAs, where it is not included (Equifax). The second certificate is valid in the case of Google and should be the one which is validated.
This is a bug in the TLS library which is, afaik, known (and fixed upstream), but the patch did not get into the stable version in the FreeBSD ports.
Title: Re: Squid Proxy Unknown Equifax Root CA
Post by: pongafence on August 10, 2017, 12:53:55 pm
Ah, I see. I'm using LibreSSL at the moment, so this problem that you mentioned, is that with OpenSSL as well?
Title: Re: Squid Proxy Unknown Equifax Root CA
Post by: franco on August 10, 2017, 01:25:31 pm
I think, if I remember Fabian's tickets right, this was a LibreSSL issue. We're bumping LibreSSL to version 2.5.5 with 17.7.1, so that should be fixed.

OpenSSL should be fine either way.


Cheers,
Franco
Title: Re: Squid Proxy Unknown Equifax Root CA
Post by: pongafence on August 10, 2017, 03:21:18 pm
Hey guys,

Thanks to the both of you for that info. I've switched back to OpenSSL for the time being, until LibreSSL catches up.

Resolves my issue!
Title: Re: Squid Proxy Unknown Equifax Root CA
Post by: franco on August 10, 2017, 04:18:46 pm
Ok, then I'm marking this solved. :)