Squid 4 and missing intermediate certs

Squid 4 and missing intermediate certs

Alex Crow-2

Hi List,

I've just set up a new SSL interception proxy using peek/splice/bump using squid 4.0.22 and I'm getting SSL errors on some sites indicating missing intermediate certs as described here:

https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/

I have read the wiki and I see this on the SslBumpExplicit page:

"Squid-4 is capable of downloading missing intermediate CA certificates, like popular browsers do."

However I'm finding that I have to follow the procedure in the diladele article and manually install the intermediate certs into the PKI trust to work around this.

My interception config is like this:

ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice nobumpdoms
ssl_bump stare step2 all
ssl_bump bump all

nobumpdoms is an acl pointing to a file listing domains that should not be subject to interception, and works fine.

Is there something else I have to specify to get squid4 to behave as described on the wiki?

Many thanks,

Alex


--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid 4 and missing intermediate certs

Alex Rousskov
On 01/26/2018 02:30 AM, Alex Crow wrote:

> I've just set up a new SSL interception proxy using peek/splice/bump
> using squid 4.0.22 and I'm getting SSL errors on some sites indicating
> missing intermediate certs as described here:
>
> https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/
>
> I have read the wiki and I see this on the SslBumpExplicit page:
>
> "Squid-4 <https://wiki.squid-cache.org/Squid-4> is capable of
> downloading missing intermediate CA certificates, like popular browsers do."
>
> However I'm finding that I have to follow the procedure in the diladele
> article and manually install the intermediate certs into the PKI trust
> to work around this.


Several cases are possible here:

1. Squid is missing the root certificate used by the origin server.
Neither Squid nor browsers can fetch root certificates automatically
(for hopefully obvious reasons).

2. Squid is missing an intermediate certificate used by the origin
server, and the origin server provided no instructions on how to fetch
that missing certificate automatically. Neither Squid (for sure) nor
browsers (AFAIK) can fetch missing intermediate certificates
automatically if they are not given origin server instructions on where
to get them. Those instructions are usually given as various extension
fields in signed certificates.

3. Squid is missing an intermediate certificate used by the origin
server, the origin server provided instructions on how to fetch that
missing certificate automatically, but Squid does not understand/support
those instructions. There are several instruction formats/variants, and
Squid does not support some of them. Please consider adding that support
to Squid (requires writing code or sponsoring development).

4. Squid is missing an intermediate certificate used by the origin
server, the origin server provided instructions on how to fetch that
missing certificate automatically, Squid followed those instructions,
but something went wrong. Study detailed Squid debugging logs or post
them for analysis by others.

You need to study each error to understand which case applies to it.

To make matters worse, a combination of #1 and other cases is possible:
Sometimes, automatically fetching a missing certificate leads to
certificate validation problems that could have been avoided if Squid
had the right (and different) trusted certificate in the first place:
https://github.com/squid-cache/squid/commit/9ef7d9d5ddef54283cea4f1fdb7b3bbc1715755c


I doubt Squid logs enough information (by default) to quickly and easily
distinguish the four cases for a given error -- you may need to study
the origin server certificates and Squid logs. For example, #4 should
manifest itself as access.log errors associated with failed certificate
fetching requests.


As the solution for #1-2 or workaround for #3-4, if you trust the
missing certificate, manually add it to your trust store (which is what
you were doing).


HTH,

Alex.
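The cases above can be reproduced against a throwaway PKI to see what each one looks like to the verifier. This is an added example, not code from the thread or from the Squid project; it assumes only the openssl CLI, and every certificate, the "www.example.test" name and the AIA URL are placeholders constructed here.

```shell
# Added example, not code from the thread: build a throwaway three-tier PKI and
# reproduce Rousskov's case #2 (intermediate absent, nothing to fetch it from),
# case #1 (root absent from the trust store) and the diladele-style fix of adding
# the intermediate to the trust store. Assumes only the openssl CLI; all certs
# are constructed here and the AIA URL is a placeholder that is never fetched.
set -e
PKI_DIR=$(mktemp -d)
AIA_URL="http://pki.example.test/int.der"
# issue_cert NAME CN ISSUER: key, CSR and signed cert in $PKI_DIR; ISSUER "self"
# makes a self-signed root. X.509v3 extensions for the new cert come from stdin.
issue_cert() {
    cat > "$PKI_DIR/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/$1.key" \
        -out "$PKI_DIR/$1.csr" -subj "/CN=$2" </dev/null 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$PKI_DIR/$1.csr" -signkey "$PKI_DIR/$1.key" \
            -days 2 -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$PKI_DIR/$1.csr" -CA "$PKI_DIR/$3.pem" \
            -CAkey "$PKI_DIR/$3.key" -CAcreateserial -days 2 \
            -extfile "$PKI_DIR/$1.ext" -out "$PKI_DIR/$1.pem" 2>/dev/null
    fi
}
build_test_pki() {
    ca='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
    printf "$ca" | issue_cert root "Test Root" self
    printf "$ca" | issue_cert other "Unrelated Root" self   # a trust store lacking our root
    printf "$ca" | issue_cert int "Test Intermediate" root
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\nauthorityInfoAccess=caIssuers;URI:%s\n' \
        "$AIA_URL" | issue_cert leaf "www.example.test" int
    cat "$PKI_DIR/root.pem" "$PKI_DIR/int.pem" > "$PKI_DIR/trust-with-int.pem"
}
# verify_reason TRUSTFILE LEAF [INTERMEDIATES]: prints OK or openssl's
# "error N at D depth lookup: ..." line. Error 20 at depth 0 = the leaf's issuer
# (intermediate) is missing; the same error at depth 1 = the root is not trusted.
verify_reason() {
    if [ -n "$3" ]; then set -- -CAfile "$1" -untrusted "$3" "$2"; else set -- -CAfile "$1" "$2"; fi
    openssl verify -no-CApath "$@" 2>&1 | grep -o 'error [0-9]* at [0-9]* depth lookup: .*' || echo OK
}
# aia_url CERT: the caIssuers URI (the "instructions" of cases #3/#4); empty for case #2
aia_url() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p'
}
build_test_pki
leaf="$PKI_DIR/leaf.pem"
echo "AIA caIssuers in leaf (what an auto-fetch would follow): $(aia_url "$leaf")"
echo "root trusted, intermediate absent (case #2): $(verify_reason "$PKI_DIR/root.pem" "$leaf")"
echo "intermediate sent, root untrusted (case #1):  $(verify_reason "$PKI_DIR/other.pem" "$leaf" "$PKI_DIR/int.pem")"
echo "intermediate added to trust store (fix):     $(verify_reason "$PKI_DIR/trust-with-int.pem" "$leaf")"
```

Both failing cases report the same "unable to get local issuer certificate" text; only the depth tells you whether the intermediate or the root is the missing link.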

Re: Squid 4 and missing intermediate certs

Alex Crow-2
On 26/01/18 17:50, Alex Rousskov wrote:

> On 01/26/2018 02:30 AM, Alex Crow wrote:
>
>> I've just set up a new SSL interception proxy using peek/splice/bump
>> using squid 4.0.22 and I'm getting SSL errors on some sites indicating
>> missing intermediate certs as described here:
>>
>> https://blog.diladele.com/2015/04/21/fixing-x509_v_err_unable_to_get_issuer_cert_locally-on-ssl-bumping-squid/
>>
>> I have read the wiki and I see this on the SslBumpExplicit page:
>>
>> "Squid-4 <https://wiki.squid-cache.org/Squid-4> is capable of
>> downloading missing intermediate CA certificates, like popular browsers do."
>>
>> However I'm finding that I have to follow the procedure in the diladele
>> article and manually install the intermediate certs into the PKI trust
>> to work around this.
>
> Several cases are possible here:
>
> 1. Squid is missing the root certificate used by the origin server.
> Neither Squid nor browsers can fetch root certificates automatically
> (for hopefully obvious reasons).
>
> 2. Squid is missing an intermediate certificate used by the origin
> server, and the origin server provided no instructions on how to fetch
> that missing certificate automatically. Neither Squid (for sure) nor
> browsers (AFAIK) can fetch missing intermediate certificates
> automatically if they are not given origin server instructions on where
> to get them. Those instructions are usually given as various extension
> fields in signed certificates.
>
> 3. Squid is missing an intermediate certificate used by the origin
> server, the origin server provided instructions on how to fetch that
> missing certificate automatically, but Squid does not understand/support
> those instructions. There are several instruction formats/variants, and
> Squid does not support some of them. Please consider adding that support
> to Squid (requires writing code or sponsoring development).
>
> 4. Squid is missing an intermediate certificate used by the origin
> server, the origin server provided instructions on how to fetch that
> missing certificate automatically, Squid followed those instructions,
> but something went wrong. Study detailed Squid debugging logs or post
> them for analysis by others.
>
> You need to study each error to understand which case applies to it.
>
> To make matters worse, a combination of #1 and other cases is possible:
> Sometimes, automatically fetching a missing certificate leads to
> certificate validation problems that could have been avoided if Squid
> had the right (and different) trusted certificate in the first place:
> https://github.com/squid-cache/squid/commit/9ef7d9d5ddef54283cea4f1fdb7b3bbc1715755c
>
>
> I doubt Squid logs enough information (by default) to quickly and easily
> distinguish the four cases for a given error -- you may need to study
> the origin server certificates and Squid logs. For example, #4 should
> manifest itself as access.log errors associated with failed certificate
> fetching requests.
>
>
> As the solution for #1-2 or workaround for #3-4, if you trust the
> missing certificate, manually add it to your trust store (which is what
> you were doing).
>
>
> HTH,
>
> Alex.

Thanks very much Alex. I thought it might be something like that. I'm
guessing it's most likely #3 or #4 as the site works directly from the
browser.

Cheers

Alex

Re: Squid 4 and missing intermediate certs

Amos Jeffries
Administrator
On 29/01/18 22:48, Alex Crow wrote:
>
> Thanks very much Alex. I thought it might be something like that. I'm
> guessing it's most likely #3 or #4 as the site works directly from the
> browser.
>

That does not preclude #1 or #2 from being possibilities.

It is very common to have a server with an outdated ca-certificates package
installed, whereas client browsers get their CA certificates regularly
upgraded.


Amos