Trusted first verification regarding cross root cert

Trusted first verification regarding cross root cert

mikio.kishi
Hi all,

I am currently using the sslbump feature. Sometimes, squid fails to verify an https web site with a
cross root cert. On the other hand, the site is accessible directly from major web browsers,
such as chrome and firefox. I am guessing that the cert verification handling of the current
sslbump seems to be NOT trusted_first mode. Are there any solutions to change to trusted_first
verification mode for squid?

Regards,
--
Mikio Kishi

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Trusted first verification regarding cross root cert

Amos Jeffries
Administrator
On 27/06/20 7:07 pm, mikio.kishi wrote:

> Hi all,
>
> I am currently using sslbump feature. Sometimes, squid failed to verify
> a https web site with
> cross root cert. On the other hand, the site is accessible directly from
> major web browsers,
> such as chrome and firefox. I am guessing that the cert verification
> handling of the current
> sslbump seems to be NOT trusted_first mode. Are there any solutions to
> change to trusted_first
> verification mode for squid ?
>

Solutions based purely on guesswork are unlikely to work.


Missing information:

 * Squid version

 * details of the chain being delivered to Squid

 * details of the expected cross-signing chain(s).

 * by "trusted_first mode" do you mean TOFU or something else?


Squid supports a helper, which can do any type of validation -
including none. BUT ... you first need to eliminate the guesses to see
if it is a validation or something completely unexpected.


Amos
Re: Trusted first verification regarding cross root cert

mikio.kishi
Hi Amos,

Thank you for your reply and I apologize for the missing information.
The following is the detailed one.

> * Squid version
* squid version 3.5.26 (probably ver4.X might also have the same issue)
* OpenSSL 1.0.2k

> * details of the chain being delivered to Squid
> * details of the expected cross-signing chain(s).

There are so many websites which are facing this issue.
For instance, "sbv.gov.vn:443".

# openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify error:num=10:certificate has expired
notAfter=Mar 18 10:00:00 2019 GMT
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
notAfter=Mar 18 10:00:00 2019 GMT
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
notAfter=Sep 21 00:00:00 2026 GMT
verify return:1
depth=0 businessCategory = Government Entity, serialNumber = Government Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street = "47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information Technology, O = The State Bank of Viet Nam, CN = www.sbv.gov.vn
notAfter=Nov  8 03:31:58 2020 GMT
verify return:1
... snip ...
    Verify return code: 10 (certificate has expired)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The above verification was NG (certificate has expired).
On the other hand, the verification was OK if the "-trusted_first" option was given.

# openssl s_client -trusted_first -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Government Entity, serialNumber = Government Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street = "47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information Technology, O = The State Bank of Viet Nam, CN = www.sbv.gov.vn
verify return:1
... snip ...
    Verify return code: 0 (ok)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^

In the "Cross-Signed Certificate" case, openssl failed to verify by default even if another signed root is available.
Squid's behavior also seems to be the same. That's why I needed the "trusted_first" feature.
For your information, a major web browser (like chrome/firefox) could access the site directly because of trusted first mode.

In my opinion, appending the following code (in ssl/support.cc) will be effective.

 X509_VERIFY_PARAM_set_flags(ctx->param, X509_V_FLAG_TRUSTED_FIRST);
 (The type of ctx is "X509_STORE_CTX *").

Could you please add the trusted_first option to squid?

By the way, I think that the following topic is also the same issue.
 [squid-users] (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

Regards,
--
Mikio Kishi

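The difference between the two openssl runs above, shown as an added Python model of the two chain-building orders. This is illustrative code written for this page, not OpenSSL's or Squid's: signatures are taken as valid and only issuer names and notAfter dates are checked. The subjects and notAfter values of the server-sent certificates are copied from the s_client output; the contents of the trust store and the lifetimes of the two self-signed roots are assumed. The model also ignores the alternative-chain retries that OpenSSL 1.1.0 and later perform, so the no-flag result corresponds to OpenSSL 1.0.x only.

```python
"""Model of untrusted-first vs trusted-first chain building.

Illustrative model only (not OpenSSL or Squid code). Signatures are assumed
valid; only issuer-name matching and notAfter are checked.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime


# Certificates the server sent (the "untrusted" pool); dates from the
# s_client output in the thread.
LEAF = Cert("CN=www.sbv.gov.vn",
            "CN=GlobalSign Extended Validation CA - SHA256 - G3",
            datetime(2020, 11, 8, 3, 31, 58))
EV_CA = Cert("CN=GlobalSign Extended Validation CA - SHA256 - G3",
             "OU=GlobalSign Root CA - R3,O=GlobalSign,CN=GlobalSign",
             datetime(2026, 9, 21))
# Cross-signed copy of R3 issued by the older GlobalSign Root CA; expired.
R3_CROSS = Cert("OU=GlobalSign Root CA - R3,O=GlobalSign,CN=GlobalSign",
                "CN=GlobalSign Root CA",
                datetime(2019, 3, 18, 10, 0, 0))

# Local trust store: both roots self-signed. Lifetimes are assumed values.
ROOT_CA = Cert("CN=GlobalSign Root CA", "CN=GlobalSign Root CA",
               datetime(2028, 1, 28))
R3_SELF = Cert("OU=GlobalSign Root CA - R3,O=GlobalSign,CN=GlobalSign",
               "OU=GlobalSign Root CA - R3,O=GlobalSign,CN=GlobalSign",
               datetime(2029, 3, 18))

SERVER_SENT = [LEAF, EV_CA, R3_CROSS]
TRUST_STORE = [ROOT_CA, R3_SELF]
NOW = datetime(2020, 6, 29)  # date of the thread


def build_chain(leaf, untrusted, trusted, trusted_first):
    """Walk from the leaf up to a trust anchor.

    trusted_first=False: extend the chain with peer-supplied certs before
    consulting the trust store (OpenSSL 1.0.x default).
    trusted_first=True: consult the trust store at every step
    (X509_V_FLAG_TRUSTED_FIRST).
    Returns (chain, error) where error is a verify-style message or None.
    """
    chain = [leaf]
    while chain[-1] not in trusted:
        current = chain[-1]
        if current.subject == current.issuer:
            return chain, "self signed certificate in certificate chain"
        pools = (trusted, untrusted) if trusted_first else (untrusted, trusted)
        issuer = next((c for pool in pools for c in pool
                       if c.subject == current.issuer and c not in chain),
                      None)
        if issuer is None:
            return chain, "unable to get issuer certificate"
        chain.append(issuer)
    # Lifetime check over the chain that was actually built.
    for cert in chain:
        if cert.not_after < NOW:
            return chain, "certificate has expired"
    return chain, None


def verify_site(trusted_first):
    """Verify the sbv.gov.vn chain; returns (list of subjects, error)."""
    chain, err = build_chain(LEAF, SERVER_SENT, TRUST_STORE, trusted_first)
    return [c.subject for c in chain], err


if __name__ == "__main__":
    for mode in (False, True):
        subjects, err = verify_site(mode)
        print(f"trusted_first={mode}: {err or 'ok'}")
        for depth, subject in reversed(list(enumerate(subjects))):
            print(f"  depth={depth} {subject}")
```

Without the flag the walk reaches GlobalSign Root CA through the expired cross-signed R3, which is the depth=3/depth=2 chain and verify code 10 of the first s_client run; with the flag the walk stops at the self-signed R3 found in the store, matching the second run. A Squid built against OpenSSL 1.0.2 gets the first behaviour unless the flag is set on the verify parameters.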
Re: Trusted first verification regarding cross root cert

Amos Jeffries
Administrator
On 29/06/20 7:29 pm, mikio.kishi wrote:

> Hi Amos,
>
> Thank you for your reply and I apologize for the missing information.
> The following is the detailed one.
>
>> * Squid version
> * squid version 3.5.26 (probably, ver4.X also might have same issue)
> * OpenSSL 1.0.2k
>
>> * details of the chain being delivered to Squid
>> * details of the expected cross-signing chain(s).
>
> There are so many websites which are facing this issue.
> For instance, "sbv.gov.vn:443 <http://sbv.gov.vn:443>".
>
> # openssl s_client -connect sbv.gov.vn:443 <http://sbv.gov.vn:443>
> -servername sbv.gov.vn <http://sbv.gov.vn> -showcerts -verify 5 -state
> verify depth is 5

...
>
> Could you please add the trusted_first option on squid ?
>

Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
had the feature *partially* backported to it.

I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
this "feature" is the default behaviour. Squid-3 is no longer supported
for code updates.


Amos
Re: Trusted first verification regarding cross root cert

mikio.kishi
Hi Amos,

>Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
>had the feature *partially* backported to it.
>I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
>this "feature" is the default behaviour.   

Yes, exactly. However, currently I am using CentOS 7, whose openssl package version is still 1.0...
Upgrading openssl to v1.1.1 is challenging for me. Could you please implement the trusted first option in squid-4? ...

Regards,
--
Mikio Kishi


Re: Trusted first verification regarding cross root cert

Eliezer Croitoru-3
Upgrading to 1.1 on a running os is a challenge for any sysadmin.

Eliezer
