Fetching of intermediate Certificates

Started by GrueneNeun, February 24, 2022, 02:56:04 PM

I have a transparent proxy up and running which also uses SSL bumping. It works for most websites but some SSL sites do not deliver their intermediate certificate like https://incomplete-chain.badssl.com/ for example. This results in opnsense presenting the following errors to a client:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

Since normal web browsers do not display that error and can verify the complete certificate chain there must be a way to download these missing certificates automatically. Can this be done in the web proxy too, so that even misconfigured servers can be reached?

No, there is not. Browsers likely have those intermediate certificates in their store as well.

Okay, I am just asking because I found https://www.spinics.net/lists/squid/msg94071.html which suggests that Squid should try to fetch missing certificates...

March 01, 2022, 04:20:12 PM #3 Last Edit: March 01, 2022, 05:16:20 PM by Mks
Some TLS clients fetch intermediate certificates based on the AIA extension, but this differs from browser (TLS client) to browser. Search for SQUID and AIA.
Best practice is to deliver the whole certificate chain, but this is a setting on the server side.

br

March 01, 2022, 05:37:40 PM #4 Last Edit: March 01, 2022, 05:40:55 PM by GrueneNeun
Yes, and I try to minimize the impact of server-side misconfiguration on my users.

Quote from: Mks on March 01, 2022, 04:20:12 PM
Search for SQUID and AIA.

Best advice ever - thank you very much, it is exactly what I was looking for ;D

For a test, I inserted the following lines, which I copied from http://lists.squid-cache.org/pipermail/squid-users/2020-July/022425.html

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate

and at least https://incomplete-chain.badssl.com/ worked like a charm. This leads me to believe that the default configuration blocks the access of Squid itself to the AIA URLs to download missing certificates.
This is by no means a clean solution and I got other errors I can't inspect more closely at the moment - but something like this should be considered as an option in the GUI.
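The AIA extension Squid consults when the `certificate-fetching` transactions above are allowed carries the caIssuers URL of the missing intermediate. As an added example (not code from this thread or from Squid), the following decodes that extension from its DER bytes; the sample extension and its URLs are constructed here as placeholders.

```python
# Added example: decode the Authority Information Access (AIA) extension value
# of an X.509 certificate and return the caIssuers / OCSP URIs it lists.
# SAMPLE_AIA and its URLs are constructed test data, not real CA endpoints.
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers (intermediate download)
OCSP_OID = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp
URI_TAG = 0x86                          # GeneralName [6] uniformResourceIdentifier

def _tlv(tag, body):
    """Encode one DER TLV in short form (test data only; body < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; handles short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def parse_aia(ext_value):
    """Map access method -> URIs from a DER AIA value: SEQUENCE OF
    AccessDescription { accessMethod OID, accessLocation GeneralName }."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    found, pos = {"caIssuers": [], "ocsp": []}, 0
    while pos < len(body):
        _, desc, pos = _read_tlv(body, pos)
        _, oid, p = _read_tlv(desc, 0)
        name_tag, name, _ = _read_tlv(desc, p)
        if name_tag != URI_TAG:            # ignore non-URI GeneralNames
            continue
        key = {CA_ISSUERS_OID: "caIssuers", OCSP_OID: "ocsp"}.get(_decode_oid(oid))
        if key:
            found[key].append(name.decode("ascii"))
    return found

def _oid_bytes(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return bytes([arcs[0] * 40 + arcs[1]] + arcs[2:])   # all remaining arcs < 128 here

# Constructed sample: one OCSP responder and one caIssuers URL (placeholder hosts).
SAMPLE_AIA = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, _oid_bytes(OCSP_OID)) + _tlv(URI_TAG, b"http://ocsp.example.invalid"))
  + _tlv(0x30, _tlv(0x06, _oid_bytes(CA_ISSUERS_OID)) + _tlv(URI_TAG, b"http://cacerts.example.invalid/IntermediateCA.crt")))
```

Running `parse_aia(SAMPLE_AIA)` yields the caIssuers URL Squid would fetch and the OCSP responder; a server whose leaf carries no caIssuers entry cannot be repaired by that ACL at all.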

Quote
I inserted the following lines

Sorry to ask, but WHERE did you insert these lines?