Fetching of intermediate Certificates

[GrueneNeun]

I have a transparent proxy up and running which also uses SSL bumping. It works for most websites but some SSL sites do not deliver their intermediate certificate like https://incomplete-chain.badssl.com/ for example. This results in opnsense presenting the following errors to a client:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

Since normal web browsers do not display that error and can verify the complete certificate chain there must be a way to download these missing certificates automatically. Can this be done in the web proxy too, so that even misconfigured servers can be reached?

[fabian]

No, there is not. Browsers likely have those intermediate certificates in their store as well.

[GrueneNeun]

Okay, i am just asking because i found https://www.spinics.net/lists/squid/msg94071.html which suggests that Squid should try to fetch missing certificates...

[Mks]

Some TLS-Clients fetch intermediate certificates based on the AIA extension, but this differs from browser (TLS-Client) to browser. Search for SQUID and AIA.
Best practise is to deliver the whole certificate chain but this is a setting on serverside.

br

[GrueneNeun]

Yes, and i try to minimize the impact of serverside misconfiguration on my users.

Search for SQUID and AIA.

Best advice ever - thank you very much, it is exactly what i was looking for

For a test, i inserted the following lines i copied from http://lists.squid-cache.org/pipermail/squid-users/2020-July/022425.html

Code: [Select]

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
and at least https://incomplete-chain.badssl.com/ worked like a charm. This leads me to believe that the default configuration blocks the access of squid itself to the AIA URLs to download missing certfificates.
 This is by no means a clean solution and i got other errors i can't inspect more closely at the moment - but something like this should be considered as an option in the GUI.

[kd.gundermann]

i inserted the following lines

Sorry to ask, but WHERE did you insert these lines?