Author Topic: [SOLVED] Squid Proxy Unknown Equifax Root CA  (Read 3160 times)

pongafence

[SOLVED] Squid Proxy Unknown Equifax Root CA
« on: August 09, 2017, 11:06:34 pm »
Hi guys,

So I've implemented OPNsense almost EVERYWHERE now, with only my core IPSEC VPN gateways to replace, once I figure out configuration patterns and passing dynamic routes.

Anyway, the issue that I'm having is that once I configure SSL interception, almost every site works fine, except for Google sites, or sites that use the Google CA.

I've attempted to use the unknown intermediate CA configuration to include additional certificates, but nothing seems to work, so I either don't visit Google or don't enable SSL interception.

Has anyone else run into this problem when visiting SSL intercepted sites and received the UNKNOWN_CA_ERROR?

And how did you resolve the issue without disabling SSL interception?


TIA,
D
« Last Edit: August 10, 2017, 04:18:56 pm by franco »

fabian

Re: Squid Proxy Unknown Equifax Root CA
« Reply #1 on: August 10, 2017, 07:09:55 am »
I know this problem. This happens because the certificate chain contains an additional certificate. This one is checked against the installed CAs, where it is not included (Equifax). The second certificate is valid in case of Google and should be the one which is validated.
This is a bug in the TLS library which is afaik known (and fixed upstream), but the patch did not get into the stable version in the FreeBSD ports.
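
A simplified model of the chain-building behaviour described in the reply above, added here as an illustration and not taken from the thread, LibreSSL or OpenSSL. The certificate names and trust store are constructed, and signature checks are left out: only issuer/subject matching is modelled, to show why an extra cross-certificate in the presented chain can end in an unknown-CA error even though a trusted anchor exists.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

# Constructed chain as sent by a server: leaf, intermediate, plus an
# additional cross-certificate for the root, issued by a legacy root.
PRESENTED = [
    Cert("www.example.test", "Intermediate CA"),
    Cert("Intermediate CA", "Modern Root"),
    Cert("Modern Root", "Legacy Root"),  # the additional certificate
]

# Constructed trust store (subjects of installed anchors):
# "Modern Root" is installed, "Legacy Root" is not.
TRUST_STORE = {"Modern Root"}

def verify_presented_only(chain, trusted):
    """Follow every presented certificate, then look for an anchor
    only for the issuer of the last one."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return "BROKEN_CHAIN"
    return "OK" if chain[-1].issuer in trusted else "UNKNOWN_CA"

def verify_trust_first(chain, trusted):
    """At each step, check the trust store for the issuer before
    falling back to the certificates the server presented."""
    by_subject = {c.subject: c for c in chain[1:]}
    current, seen = chain[0], set()
    while True:
        if current.issuer in trusted:
            return "OK"  # stop at the first installed anchor
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            return "UNKNOWN_CA"
        seen.add(nxt.subject)
        current = nxt

if __name__ == "__main__":
    print("presented-only:", verify_presented_only(PRESENTED, TRUST_STORE))
    print("trust-first:   ", verify_trust_first(PRESENTED, TRUST_STORE))
```
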

pongafence

Re: Squid Proxy Unknown Equifax Root CA
« Reply #2 on: August 10, 2017, 12:53:55 pm »
Ah, I see. I'm using LibreSSL at the moment, so is the problem that you mentioned present with OpenSSL as well?

franco

Re: Squid Proxy Unknown Equifax Root CA
« Reply #3 on: August 10, 2017, 01:25:31 pm »
I think, if I remember Fabian's tickets right, this was a LibreSSL issue. We're bumping LibreSSL to version 2.5.5 with 17.7.1, so that should be fixed.

OpenSSL should be fine either way.


Cheers,
Franco

pongafence

Re: Squid Proxy Unknown Equifax Root CA
« Reply #4 on: August 10, 2017, 03:21:18 pm »
Hey guys,

Thanks to the both of you for that info.  I've switched back to OpenSSL for the time being, until LibreSSL catches up.

Resolves my issue!

franco

Re: Squid Proxy Unknown Equifax Root CA
« Reply #5 on: August 10, 2017, 04:18:46 pm »
Ok, then I'm marking this solved. :)