sometimes intermediate certificates were not downloaded when using sslbump


Dieter Bloms-3
Hello,

I use a self-compiled squid 4.10, compiled as follows:

~# squid --version
Squid Cache: Version 4.10
Service Name: squid

This binary uses OpenSSL 1.1.1d  10 Sep 2019. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--mandir=/usr/share/man' '--with-default-user=squid' '--with-filedescriptors=131072' '--with-logdir=/var/log/squid' '--disable-auto-locale' '--disable-auth-negotiate' '--disable-auth-ntlm' '--disable-eui' '--disable-carp' '--disable-htcp' '--disable-ident-lookups' '--disable-loadable-modules' '--disable-translation' '--disable-wccp' '--disable-wccpv2' '--enable-async-io=128' '--enable-auth' '--enable-auth-basic=LDAP NCSA' '--enable-auth-digest=LDAP file' '--enable-epoll' '--enable-log-daemon-helpers=file' '--enable-icap-client' '--enable-inline' '--enable-snmp' '--enable-disk-io=AIO,DiskThreads,IpcIo,Blocking' '--enable-storeio=ufs,aufs,rock' '--enable-referer-log' '--enable-useragent-log' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-follow-x-forwarded-for' '--enable-ssl-crtd' '--with-openssl'

In squid.conf I set the following acl at the very beginning of the acl section:

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
cache allow fetch_intermediate_certificate
cache deny all
http_access allow fetch_intermediate_certificate

and squid fetches intermediate certificates for websites like: https://incomplete-chain.badssl.com/
But squid doesn't fetch the intermediate certificates for the site https://www.formulare-bfinv.de/
and I don't know why.

I checked all AIA entries in the certificates and it looks good to me.

Can anybody try the site https://www.formulare-bfinv.de/ with sslbump enabled,
so I can see whether my installation is broken or the webserver configuration isn't correct?

Thank you very much.

--
Best regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: sometimes intermediate certificates were not downloaded when using sslbump

L.P.H. van Belle
This is a simple one.

The certificate chain of that website is incorrect.
As shown here: https://www.ssllabs.com/ssltest/analyze.html?d=www.formulare%2dbfinv.de&latest

Check your webserver first and correct your ciphers in your apache webserver.

Greetz,

Louis
 

Re: sometimes intermediate certificates were not downloaded when using sslbump

Dieter Bloms-3
Hello Louis,

thank you for your answer.

It is not my webserver. I am a user who wants to connect to the webserver.
I know that the certificate chain is incomplete.
As far as I know squid should be able to fetch the missing intermediate
certificates on its own with the help of Authority Information Access (AIA) to get the complete list.
So squid should be able to verify the server certificate even if the
webserver doesn't deliver the intermediate certificates.


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
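As an added example (not code from this thread or from Squid), the Go program below models what the `transaction_initiator certificate-fetching` ACL lets Squid do: verify a server certificate that arrives without its chain, follow the leaf's AIA caIssuers URL to fetch the issuer, and retry; a dead AIA URL leaves verification failing, which is the symptom described above. All certificates, the `ca.example.test` URLs and the map standing in for the CA's web server are constructed for the example, and the function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a throwaway cert for cn signed by parent (self-signed when parent is nil); aia lists its AIA caIssuers URLs. Errors are ignored only because this fixed template cannot fail.
func mkCert(cn string, usage x509.KeyUsage, aia []string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: usage,
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, IssuingCertificateURL: aia}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyWithAIA does what an SSL-bumping proxy must when a server omits its intermediates: verify the leaf as-is and,
// on failure, follow its AIA caIssuers URL (fetch stands in for the HTTP GET), add the result and retry. Returns (fetched, err).
func verifyWithAIA(leaf, root *x509.Certificate, fetch func(string) *x509.Certificate) (fetched int, err error) {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for cur := leaf; ; fetched++ {
		if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool}); err == nil || fetched >= 8 || len(cur.IssuingCertificateURL) == 0 {
			return fetched, err
		}
		next := fetch(cur.IssuingCertificateURL[0])
		if next == nil || cur.CheckSignatureFrom(next) != nil {
			return fetched, err // dead URL, or the served cert did not sign the cert that named it
		}
		pool.AddCert(next)
		cur = next
	}
}
// Demo builds root -> issuing CA -> leaf (leaf AIA = aiaURL) and verifies the leaf alone, as a server sending no chain presents it; repo is a constructed stand-in for the CA's AIA web server.
func Demo(aiaURL string) (int, error) {
	root, rootKey := mkCert("Example Root CA", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, nil, nil, nil)
	inter, interKey := mkCert("Example Issuing CA", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, []string{"http://ca.example.test/root.crt"}, root, rootKey)
	leaf, _ := mkCert("www.example.test", x509.KeyUsageDigitalSignature, []string{aiaURL}, inter, interKey)
	repo := map[string]*x509.Certificate{"http://ca.example.test/issuing.crt": inter, "http://ca.example.test/root.crt": root}
	return verifyWithAIA(leaf, root, func(url string) *x509.Certificate { return repo[url] })
}
func main() { fmt.Println(Demo("http://ca.example.test/issuing.crt")) } // prints: 1 <nil>
```

Calling `Demo("http://ca.example.test/missing.crt")` instead models the unreachable AIA URL: nothing is fetched and the leaf stays unverifiable, which is the case where an operator should inspect the leaf's AIA extension and the proxy's access to that URL rather than the webserver's chain.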