AIA fetching in squid


AIA fetching in squid

ygirardin

Hi all,

I am using SSL bump and it works fine for a lot of SSL sites, but some of those are misconfigured and Squid won't succeed in getting the correct certificate, and gives me the following error:

SEC_ERROR_UNKNOWN_ISSUER

Looking on the internet I understand that this is an SSL server misconfiguration, but I know that some browsers like Safari and Chrome implement AIA fetching to get the missing certificates using the information stored in the Authority Information Access of the certificate.

Is there a way to activate this AIA fetching in Squid, or do I have to implement it myself using a helper with the sslcrtvalidator_program?

 

Thanks


Yann Girardin
Product Owner

t :  +33 (0)1 84 17 71 75 

e :  [hidden email] 

w :  www.olfeo.com 

4 rue de Ventadour, 75001 Paris 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: AIA fetching in squid

Dieter Bloms-2
Hello,

On Wed, Feb 06, Yann Girardin wrote:

> I am using SSL bump and it works fine for a lot of SSL sites, but some of
> those are misconfigured and Squid won't succeed in getting the correct
> certificate, and gives me the following error:
> SEC_ERROR_UNKNOWN_ISSUER
>
> Looking on the internet I understand that this is an SSL server
> misconfiguration, but I know that some browsers like Safari and Chrome
> implement AIA fetching to get the missing certificates
> using the information stored in the Authority Information Access of the
> certificate.
>
> Is there a way to activate this AIA fetching in Squid, or do I have to
> implement it myself using a helper with the sslcrtvalidator_program?

I've added these few lines:

--snip--
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.

Re: AIA fetching in squid

Amos Jeffries
Administrator
In reply to this post by ygirardin
On 6/02/19 10:10 pm, Yann Girardin wrote:
>
> Is there a way to activate this AIA fetching in squid or do i have to

Fetching missing intermediate CA certificates is implemented in Squid-4.
All you need do is check that your access controls permit those requests
to happen.

If you have Squid-3.5 the
<http://www.squid-cache.org/Doc/config/sslproxy_foreign_intermediate_certs/>
directive can load intermediate certs to use for the missing cert chain
entries.


> implement it myself using a helper with the sslcrtvalidator_program ?
>

That is also possible.


PS. AIA fetching requires the certificate AIA to have a value. Some of
these misconfigurations are because it is missing. In that case there is
nothing that can be done to resolve the error without already having the
relevant Issuer cert.


Amos
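The whole thread turns on one field: the caIssuers URI inside the certificate's Authority Information Access extension, which Squid-4's certificate-fetching transactions (and the browsers Yann mentions) use to locate a missing intermediate, and which, as Amos points out, may simply be absent. The following is an added example, not code from the thread or from Squid: a small pure-Python DER walker that pulls the caIssuers and OCSP locations out of an AIA extension value, plus an encoder used only to construct a sample extension inline so it runs offline. The OIDs are the standard RFC 5280 ones; the URLs and the `build_aia` helper are constructed for the example.

```python
"""Extract caIssuers URLs from an X.509 Authority Information Access value.

AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
A uniformResourceIdentifier GeneralName is [6] IMPLICIT IA5String (tag 0x86).
"""

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers (what AIA fetching follows)


def _read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def der_tlvs(data):
    """Split a DER byte string into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        length, pos = _read_length(data, pos + 1)
        end = pos + length
        if end > len(data):
            raise ValueError("truncated DER element")
        out.append((tag, data[pos:end]))
        pos = end
    return out


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def aia_locations(aia_value):
    """Return {accessMethod OID: [URI, ...]} from an AIA extension value."""
    tlvs = der_tlvs(aia_value)
    if len(tlvs) != 1 or tlvs[0][0] != 0x30:
        raise ValueError("AIA value must be a single SEQUENCE")
    result = {}
    for tag, desc in der_tlvs(tlvs[0][1]):
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        method_tlv, location_tlv = der_tlvs(desc)
        if method_tlv[0] != 0x06:
            raise ValueError("accessMethod must be an OID")
        method = decode_oid(method_tlv[1])
        if location_tlv[0] == 0x86:  # only URI locations are fetchable
            result.setdefault(method, []).append(location_tlv[1].decode("ascii"))
    return result


def ca_issuers_urls(aia_value):
    """URLs an AIA fetcher could try. None means the extension is absent:
    nothing to fetch, which is the case Amos describes."""
    if aia_value is None:
        return []
    return aia_locations(aia_value).get(OID_CA_ISSUERS, [])


# --- encoder, used only to construct the sample input below ---------------

def der(tag, body):
    """Wrap body in a DER TLV with the given tag."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)


def build_aia(ocsp=None, ca_issuers=None):
    """Construct an AIA extension value (hypothetical URLs, for the example)."""
    descs = b""
    if ocsp:
        descs += der(0x30, encode_oid(OID_OCSP) + der(0x86, ocsp.encode("ascii")))
    if ca_issuers:
        descs += der(0x30, encode_oid(OID_CA_ISSUERS) + der(0x86, ca_issuers.encode("ascii")))
    return der(0x30, descs)


if __name__ == "__main__":
    good = build_aia("http://ocsp.example.net", "http://ca.example.net/issuer.crt")
    print("fetchable issuer URLs:", ca_issuers_urls(good))
    print("OCSP only, nothing to fetch:", ca_issuers_urls(build_aia(ocsp="http://ocsp.example.net")))
    print("no AIA extension at all:", ca_issuers_urls(None))
```

To apply this to a real site, feed `aia_locations` the DER value of the extension with OID 1.3.6.1.5.5.7.1.1 from the server's leaf certificate (for example from `openssl x509 -text`, which prints it as "CA Issuers - URI:..."). An empty result from `ca_issuers_urls` is the situation in Amos's postscript: no AIA fetching, in Squid or a browser, can repair that chain, and the only fix is to load the intermediate locally via sslproxy_foreign_intermediate_certs.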