Fetch missing certificate feature of Squid_v4

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Fetch missing certificate feature of Squid_v4

chgerber
I am wondering how to verify the feature "Fetch missing certificate"
which was added to Squid v4.
https://github.com/squid-cache/squid/commit/55369ae649646901d3038c63217386174d01eb7b

I tried to trigger the feature by requesting some domains via squid
which lack the intermediate certificate (e.g. www.facworld.com,
taas.citrix.com, karantina.genelsigorta.com).

Because of the following observation I believe something is not
working correctly:
1. Curl retruns with a "SSL certificate problem: Invalid certificate
chain" in all three cases
2. By enabling 33,5 83,5 81,5 88,3 logging and analysing the log trace
I get the feeling that the code of the feature is not called (->
missing certificate not downloaded). See the log trace in the
attachment

I verified that these domains deliver an incomplete certificate by:
$ openssl s_client -connect taas.citrix.com:443 -showcerts -verify 32
-CApath  $path/to/root/certs/
Which returns "Verify return code: 21 (unable to verify the first
certificate)" for all of them

Question:
1. How to verify that the feature is working? Am I doing something wrong?
2. Is this feature always on or do I have to configure/enable it in Squid v4?

Squid Cache: Version v4.0-6d8f397398995c4512cb045920ee2747cc6b14f8

--
Christof Gerber
Email: [hidden email]

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

logs_squid4-facworld (34K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Fetch missing certificate feature of Squid_v4

Amos Jeffries
Administrator
On 20/08/18 9:10 PM, Christof Gerber wrote:

> I am wondering how to verify the feature "Fetch missing certificate"
> which was added to Squid v4.
> https://github.com/squid-cache/squid/commit/55369ae649646901d3038c63217386174d01eb7b
>
> I tried to trigger the feature by requesting some domains via squid
> which lack the intermediate certificate (e.g. www.facworld.com,
> taas.citrix.com, karantina.genelsigorta.com).
>
> Because of the following observation I believe something is not
> working correctly:
> 1. Curl retruns with a "SSL certificate problem: Invalid certificate
> chain" in all three cases

This is the chain received by curl. Not the chain received by Squid.

To get this from curl either Squid is not even involved in any TLS with
the broken cert chain (splice, regular tunneling, not using the proxy).
Or, the CA cert chain you configured Squid to use is itself incomplete.


> 2. By enabling 33,5 83,5 81,5 88,3 logging and analysing the log trace
> I get the feeling that the code of the feature is not called (->
> missing certificate not downloaded). See the log trace in the
> attachment

Log trace says Squid identified http://aia.entrust.net/l1k-chain256.cer
as the missing CA and downloaded it. AFAICT the verification then passed
and bump proceeded to happen.

>
> I verified that these domains deliver an incomplete certificate by:
> $ openssl s_client -connect taas.citrix.com:443 -showcerts -verify 32
> -CApath  $path/to/root/certs/
> Which returns "Verify return code: 21 (unable to verify the first
> certificate)" for all of them
>
> Question:
> 1. How to verify that the feature is working?

AFAIK, just what you did. The problem seems to be not understanding the
log resulting.

...
2018/08/20 10:37:26.975 kid1| 83,5| PeerConnector.cc(712)
checkForMissingCertificates: SSL server sent 1 certificates
...
2018/08/20 10:37:26.976 kid1| 33,3| Downloader.cc(226) handleReply:
Object data transfer successfully complete
...
2018/08/20 10:37:27.089 kid1| 83,5| PeekingPeerConnector.cc(353)
serverCertificateVerified: HTTPS server CN: www.facworld.com bumped:
local=213.156.236.180:59365 remote=208.227.150.131:443 FD 17 flags=1
..
2018/08/20 10:37:27.091 kid1| 33,5| client_side.cc(2917)
getTlsContextFromCache: Cached SSL certificate for www.facworld.com is valid
...


> Am I doing something wrong?

Maybe. It only can D/L *if* the present certificate provides a URL for
its absent CA certificate. Not all types of incomplete chains have that
required info.


> 2. Is this feature always on or do I have to configure/enable it in Squid v4?

Always on.


>
> Squid Cache: Version v4.0-6d8f397398995c4512cb045920ee2747cc6b14f8
>

Uhm, Squid code at 6d8f397 self-identify as 4.2.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users