SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah
This is driving me nuts, it's the only issue I've found running ssl bump on my home network for eons

I can't see image thumbnails on xda-developers...

When I access a thread with them, I get text links, not thumbnails, and if I click on the links I get the following:


    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

I figured out by googling how to (I hope) trace the problem certificate via s_client:


OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
verify depth is 32
CONNECTED(0000012C)
depth=0 CN = *.xda-developers.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.xda-developers.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.xda-developers.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
Server certificate
subject=/CN=*.xda-developers.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2067 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 733B4D29302703E57D32AB496A42CC1AB24056B9973A56F297F0B7D9429DFE0C

    Session-ID-ctx:
    Master-Key: 6B679C5560D68A9409F80DCEE91985E458A3D949CF7840F47832D75325B8DA3E
5E00C3AF2A099E51D95AC1290D1EA8C0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1488297409
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no


I've found the intermediate bundle from RapidSSL, and added it to my existing pem bundle...no change
Added as a separate pem i.e. sslproxy_foreign_intermediate_certs /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change

My sslbump related config lines are:

http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem capath=/cygdrive/e/Squid/etc/ssl cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all


sslcrtd_program /cygdrive/e/Squid/lib/squid/ssl_crtd -s /cygdrive/e/Squid/var/cache/squid_ssldb -M 4MB -b 2048
sslcrtd_children 10 startup=10 idle=1

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

I'm at my wits' end, it's the only site that has a glitch

I tried all I could think of, and google, before posting, hopefully someone has an idea/suggestion

cheers in advance
Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert

Amos Jeffries
Administrator
On 1/03/2017 4:58 a.m., stylemessiah wrote:

> This is driving me nuts, it's the only issue I've found running ssl bump on my
> home network for eons
>
> I can't see image thumbnails on xda-developers...
>
> When I access a thread with them, I get text links, not thumbnails, and if I
> click on the links I get the following:
>
>
>     (71) Protocol error (TLS code:
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>
>     SSL Certficate error: certificate issuer (CA) not known:
> /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>
> I figured out by googling how to (I hope) trace the problem certificate via
> s_client:
>
>
> OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
> verify depth is 32
> CONNECTED(0000012C)
> depth=0 CN = *.xda-developers.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = *.xda-developers.com
> verify error:num=21:unable to verify the first certificate
> verify return:1

That command you used does not send data through the proxy. So that
confirms that the server's TLS is broken in a way unrelated to Squid.



> ---
> Certificate chain
>  0 s:/CN=*.xda-developers.com
>    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
...

> ---
> Server certificate
> subject=/CN=*.xda-developers.com
> issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 2067 bytes and written 302 bytes
> Verification error: unable to verify the first certificate

>
> I've found the intermediate bundle from RapidSSL, and added it to my existing
> pem bundle...no change

You need to locate the root CA and/or intermediate CA certificates used
to sign the domain server's certificate.

You then need to identify *why* they are not being trusted by your OS
library.

Be sure to determine whether the CA which is missing is actually
trustworthy before adding it to your trusted set. More than a few of the
CAs which are around are not trusted because they have been hacked or
caught signing forged certificates they should not have.


> Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
> /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
>
> My sslbump related config lines are:
>
> http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
> capath=/cygdrive/e/Squid/etc/ssl
> cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
> tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
> options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

PS.  EECDH will not work unless you configure a curve name in the
tls-dh= option. Just having dhparam.pem alone will only enable the less
secure DH ciphers.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah
Thanks Amos for the info, appreciate your tireless assistance for us numpties :)

Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah
In reply to this post by Amos Jeffries
>That command you used does not send data through the proxy. So that
>confirms that the server's TLS is broken in a way unrelated to Squid.

As that may be, when I go direct (sans proxy) I get thumbnails...no issues
Toggle the proxy back on and no thumbnails, and opening an image link gives the
error initially reported.

(71) Protocol error (TLS code:
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

So both IE and FF will just load anything from dl.xda-developers.com and not
register an issue, but squid will refuse to load the content and generate the error

>You need to locate the root CA and/or intermediate CA certificates used
>to sign the domain server's certificate.

>You then need to identify *why* they are not being trusted by your OS
>library.

>Be sure to determine whether the CA which is missing is actually
>trustworthy before adding it to your trusted set. More than a few of the
>CAs which are around are not trusted because they have been hacked or
>caught signing forged certificates they should not have.

I always learn something when you're silly enough to reply :)

When I ran dl.xda-developers.com through ssllabs (thanks google), it gave me a less than glowing report, including
an incomplete cert chain (I say that like I understand it :) ) or as it put it:

This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.
This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.
This server accepts RC4 cipher, but only with older browsers. Grade capped to B.
This server's certificate chain is incomplete. Grade capped to B.

For a few thumbnails I'm not going to torture myself, maybe I'll send the forum admin a note instead :)

>PS.  EECDH will not work unless you configure a curve name in the
>tls-dh= option. Just having dhparam.pem alone will only enable the less
>secure DH ciphers.

I did add a curve to the tls-dh param, I'm guessing 'tis correct, little info on which one to use (grabbing the list from my local openssl had me going what the hell)

tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem

Note: this made no difference whatsoever with my issue

Cheers,

Adrian Miller






--
I hate to advocate drugs, alcohol, violence or
insanity to anyone, but they've always worked for me

- Hunter S. Thompson
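
The failure in this thread (verify error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, against a server whose chain SSL Labs reports as incomplete) can be reproduced offline. The following is an added example, not part of any post: it builds a constructed root, intermediate and leaf with made-up names and runs `openssl verify` with the leaf alone, with the intermediate supplied as an untrusted chain helper (the role of the file named in sslproxy_foreign_intermediate_certs), and with that helper when only an unrelated root is trusted.

```sh
#!/bin/sh
# Added example: a throw-away lab PKI built locally; nothing contacts the network.
# All names below (Lab Root CA, Unrelated Root CA, Lab Intermediate CA,
# leaf.example.test) are constructed for this demonstration.
set -eu

# Own minimal config, so results do not depend on the system openssl.cnf.
write_cnf() {
  cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:leaf.example.test
EOF
}

# make_root DIR NAME CN -> self-signed CA certificate DIR/NAME.pem
make_root() {
  openssl req -config "$1/lab.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 2 -subj "/CN=$3" -extensions v3_ca \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_signed DIR NAME CN ISSUER EXT_SECTION -> DIR/NAME.pem signed by DIR/ISSUER.pem
make_signed() {
  openssl req -config "$1/lab.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -sha256 -days 2 -extfile "$1/lab.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# verify_leaf TRUSTED_PEM LEAF_PEM [UNTRUSTED_PEM]
# Prints "0" when the chain verifies, otherwise "<error>@<depth>" as reported
# by openssl verify (20 is the "unable to get local issuer certificate" error).
verify_leaf() {
  trusted=$1
  leaf=$2
  shift 2
  # An optional third argument is a file of intermediates used only to build
  # the chain; it is never treated as a trust anchor.
  if [ "$#" -gt 0 ]; then set -- -untrusted "$1"; fi
  if out=$(openssl verify -CAfile "$trusted" "$@" "$leaf" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" |
      sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/\1@\2/p' |
      head -n 1
  fi
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
write_cnf "$LAB"
make_root   "$LAB" root  "Lab Root CA"
make_root   "$LAB" other "Unrelated Root CA"
make_signed "$LAB" int   "Lab Intermediate CA" root v3_ca
make_signed "$LAB" leaf  "leaf.example.test"   int  v3_leaf

# Case 1: the server sends only its leaf, as in the s_client output on the page.
echo "leaf only:                       $(verify_leaf "$LAB/root.pem" "$LAB/leaf.pem")"
# Case 2: the missing intermediate is supplied as an untrusted chain helper.
echo "leaf + untrusted intermediate:   $(verify_leaf "$LAB/root.pem" "$LAB/leaf.pem" "$LAB/int.pem")"
# Case 3: same helper, but the root that signed it is not in the trusted set.
echo "helper without its trusted root: $(verify_leaf "$LAB/other.pem" "$LAB/leaf.pem" "$LAB/int.pem")"
```

An intermediate supplied this way only fills the gap in the chain; verification still succeeds only when the chain ends at a root already in the trusted set.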
Re: SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah
In reply to this post by Amos Jeffries
Decided to fiddle with it one last time....

If I change my cipher entries from

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

to

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

I get content from dl.xda-developers.com just fine

But I won't pretend I understand the cipher chain, or whether the change is a good thing

