
Fetching of intermediate Certificates


GrueneNeun:
I have a transparent proxy up and running which also uses SSL bumping. It works for most websites but some SSL sites do not deliver their intermediate certificate like https://incomplete-chain.badssl.com/ for example. This results in opnsense presenting the following errors to a client:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

Since normal web browsers do not display that error and can verify the complete certificate chain there must be a way to download these missing certificates automatically. Can this be done in the web proxy too, so that even misconfigured servers can be reached?

fabian:
No, there is not. Browsers likely have those intermediate certificates in their store as well.

GrueneNeun:
Okay, I am just asking because I found https://www.spinics.net/lists/squid/msg94071.html which suggests that Squid should try to fetch missing certificates...

Mks:
Some TLS clients fetch intermediate certificates based on the AIA extension, but this differs from browser (TLS client) to browser. Search for SQUID and AIA.
Best practice is to deliver the whole certificate chain, but this is a setting on the server side.

br

GrueneNeun:
Yes, and I try to minimize the impact of server-side misconfiguration on my users.

--- Quote from: Mks on March 01, 2022, 04:20:12 pm ---Search for SQUID and AIA.

--- End quote ---
Best advice ever - thank you very much, it is exactly what I was looking for ;D

For a test, I inserted the following lines I copied from http://lists.squid-cache.org/pipermail/squid-users/2020-July/022425.html


--- Code: ---# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
--- End code ---

and at least https://incomplete-chain.badssl.com/ worked like a charm. This leads me to believe that the default configuration blocks the access of Squid itself to the AIA URLs to download missing certificates.
This is by no means a clean solution and I got other errors I can't inspect more closely at the moment - but something like this should be considered as an option in the GUI.
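To make the failure mode in this thread concrete, here is an added Go example (not code from OPNsense, Squid or any poster): it constructs a root -> intermediate -> leaf chain whose leaf carries an AIA "CA Issuers" URL, then verifies the leaf as a proxy would when the server sends only the leaf. Without a fetcher the chain cannot be built (the "unable to get issuer certificate locally" case); with a fetcher that follows the AIA URL, the downloaded intermediate completes it. The fetcher, the CA names and the URL are assumptions; in the thread's setup the fetch is the HTTP request the `certificate-fetching` acl lets Squid make.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a minimal Ed25519 certificate signed by parent (nil = self-signed);
// aia is written into the certificate's AIA "CA Issuers" field (constructed data).
func mkCert(cn string, ca bool, aia []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca, IssuingCertificateURL: aia}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// BuildChain constructs root -> intermediate -> leaf, the leaf pointing at the
// intermediate via aiaURL; it returns the root pool, the intermediate DER and the leaf.
func BuildChain(aiaURL string) (*x509.CertPool, []byte, *x509.Certificate) {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil, nil)
	inter, interKey := mkCert("Constructed Intermediate CA", true, nil, root, rootKey)
	leaf, _ := mkCert("incomplete-chain.example", false, []string{aiaURL}, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, inter.Raw, leaf
}

// VerifyWithAIA: the server sent only the leaf. With fetch == nil the chain cannot
// be built; with a fetcher, the leaf's AIA CA Issuers URL supplies the intermediate.
func VerifyWithAIA(leaf *x509.Certificate, roots *x509.CertPool, fetch func(string) ([]byte, error)) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
	if _, err := leaf.Verify(opts); err == nil || fetch == nil {
		return err
	}
	for _, u := range leaf.IssuingCertificateURL {
		der, _ := fetch(u) // a fetch failure just leaves the pool unchanged
		if c, err := x509.ParseCertificate(der); err == nil {
			opts.Intermediates.AddCert(c)
		}
	}
	_, err := leaf.Verify(opts)
	return err
}
```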
