squid doesn't fetch the intermediate certificate for some sites


squid doesn't fetch the intermediate certificate for some sites

Dieter Bloms-3
Hello,

we use the sslbump feature and it works very well.
But some sites can't be reached because of missing intermediate
certificate.

In squid.conf we have configured the following parameters:

--snip--
# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate
cache deny all
--snip--

and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/

but for some sites like https://mycase.cloudapps.cisco.com/
squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

In my eyes the certificate of mycase.cloudapps.cisco.com contains an AIA
record.

output of openssl on certificate of mycase.cloudapps.cisco.com
--snip--
            Authority Information Access:
                CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
                OCSP - URI:http://ocsp.quovadisglobal.com
--snip--

so does anybody see what's the reason, why squid doesn't download the
intermediate certificate for mycase.cloudapps.cisco.com ?


--
Regards

  Dieter Bloms

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
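To make the mechanism in the post above concrete, here is a small added example (not Squid's code and not part of the original thread) that models what an AIA-driven intermediate download does: it DER-encodes an Authority Information Access extension with the two URIs quoted from the openssl output, parses it back with a minimal TLV walker, and then follows the caIssuers link to complete the chain. Certificates are plain dicts, the download is a lookup in an in-memory store, no signatures are verified, and the root name "CN=Assumed Root CA" is an assumption; only the Python standard library is used. The second run shows what the walk sees when the caIssuers fetch returns nothing, which is the situation that ends in X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

```python
"""Model of AIA-based intermediate fetching (added example, not Squid code).

Standard library only.  The DER helpers cover exactly what the
AuthorityInfoAccess extension needs; certificates are dicts and no
signatures are checked, so this models the *lookup* step only.
"""

CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers
OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp
_NAMES = {CA_ISSUERS: "caIssuers", OCSP: "OCSP"}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_aia(entries):
    """[(dotted_oid, uri), ...] -> DER AuthorityInfoAccessSyntax."""
    descs = b"".join(
        _tlv(0x30, encode_oid(oid) + _tlv(0x86, uri.encode("ascii")))
        for oid, uri in entries
    )
    return _tlv(0x30, descs)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_aia(der):
    """Return [(method_name, uri), ...]; non-URI GeneralNames are skipped."""
    if not der:
        return []
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "AIA must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        assert tag == 0x30, "AccessDescription must be a SEQUENCE"
        t, oid_body, p = _read_tlv(desc, 0)
        assert t == 0x06, "accessMethod must be an OID"
        t, name, _ = _read_tlv(desc, p)
        if t == 0x86:  # [6] uniformResourceIdentifier (IA5String)
            method = decode_oid(oid_body)
            out.append((_NAMES.get(method, method), name.decode("ascii")))
    return out


def complete_chain(leaf, trusted_roots, fetch, max_depth=8):
    """Follow caIssuers links until an issuer in trusted_roots is reached.

    fetch(uri) returns a cert dict or None; it stands in for the HTTP
    download that Squid's certificate-fetching transactions perform.
    """
    chain, cur = [leaf], leaf
    for _ in range(max_depth):
        if cur["issuer"] in trusted_roots:
            return chain, "OK"
        issuer = None
        for method, uri in parse_aia(cur["aia"]):
            if method != "caIssuers":
                continue
            cand = fetch(uri)
            if cand is not None and cand["subject"] == cur["issuer"]:
                issuer = cand
                break
        if issuer is None:
            return chain, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
        chain.append(issuer)
        cur = issuer
    return chain, "X509_V_ERR_CERT_CHAIN_TOO_LONG"


# Constructed sample using the names and URIs quoted in the thread;
# the root name is assumed and there is no real key material.
LEAF = {
    "subject": "CN=mycase.cloudapps.cisco.com",
    "issuer": "CN=HydrantID SSL ICA G2",
    "aia": encode_aia([
        (CA_ISSUERS, "http://trust.quovadisglobal.com/hydsslg2.crt"),
        (OCSP, "http://ocsp.quovadisglobal.com"),
    ]),
}
INTERMEDIATE = {
    "subject": "CN=HydrantID SSL ICA G2",
    "issuer": "CN=Assumed Root CA",   # assumption, not the real issuer name
    "aia": b"",
}
TRUSTED_ROOTS = {"CN=Assumed Root CA"}

# Simulated publication point: the intermediate sits at its caIssuers URI.
PUBLISHED = {"http://trust.quovadisglobal.com/hydsslg2.crt": INTERMEDIATE}


def fetch_ok(uri):
    return PUBLISHED.get(uri)


def fetch_blocked(uri):
    # What the walk sees when the certificate-fetching transaction is denied
    # by http_access or the CA's HTTP server cannot be reached.
    return None


if __name__ == "__main__":
    for label, fetch in (("fetch allowed", fetch_ok), ("fetch blocked", fetch_blocked)):
        chain, status = complete_chain(LEAF, TRUSTED_ROOTS, fetch)
        print(f"{label}: {status}, chain depth {len(chain)}")
```

The walk stops at the first caIssuers URI whose download yields a certificate whose subject equals the current issuer, which is also why a server that sends only its leaf (as the openssl output later in the thread shows) still verifies when the URI is reachable and the fetch is permitted.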

Re: squid doesn't fetch the intermediate certificate for some sites

Matus UHLAR - fantomas
On 21.07.20 09:41, Dieter Bloms wrote:

>we use the sslbump feature and it works very well.
>But some sites can't be reached because of missing intermediate
>certificate.
>
>In squid.conf we have configured the following parameters:
>
>--snip--
># allow fetching of missing intermediate certificates
>acl fetch_intermediate_certificate transaction_initiator certificate-fetching
>http_access allow fetch_intermediate_certificate
>cache allow fetch_intermediate_certificate
>cache deny all
>--snip--
>
>and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/
>
>but for some sites like https://mycase.cloudapps.cisco.com/
>squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
>In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
>record.
>
>output of openssl on certificate of mycase.cloudapps.cisco.com
>--snip--
>            Authority Information Access:
>                CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
>                OCSP - URI:http://ocsp.quovadisglobal.com
>--snip--
>
>so does anybody see what's the reason, why squid doesn't download the
>intermediate certificate for mycase.cloudapps.cisco.com ?

squid can't download certificates other than the website provides.
if a website does not provide valid certificate chain, it's up to the client
to produce an error. With browser, you can allow the certificate explicitly.

It is also possible that the browser has the intermediate certificate
remembered.

testing certificate for mycase.cloudapps.cisco.com shows only one
certificate I can see:

Certificate chain
 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2

the HydrantID SSL ICA G2 certificate seems to be missing here.



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody

Re: squid doesn't fetch the intermediate certificate for some sites

Dieter Bloms-3
Hello Matus,

thank you for your answer.

On Tue, Jul 21, Matus UHLAR - fantomas wrote:

> On 21.07.20 09:41, Dieter Bloms wrote:
> > we use the sslbump feature and it works very well.
> > But some sites can't be reached because of missing intermediate
> > certificate.
> >
> > In squid.conf we have configured the following parameters:
> >
> > --snip--
> > # allow fetching of missing intermediate certificates
> > acl fetch_intermediate_certificate transaction_initiator certificate-fetching
> > http_access allow fetch_intermediate_certificate
> > cache allow fetch_intermediate_certificate
> > cache deny all
> > --snip--
> >
> > and fetching the intermediate certificate works for sites like: https://incomplete-chain.badssl.com/
> >
> > but for some sites like https://mycase.cloudapps.cisco.com/
> > squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> >
> > In my eyes the certificate of mycase.cloudapps.cisco.com contains an AiA
> > record.
> >
> > output of openssl on certificate of mycase.cloudapps.cisco.com
> > --snip--
> >            Authority Information Access:
> >                CA Issuers - URI:http://trust.quovadisglobal.com/hydsslg2.crt
> >                OCSP - URI:http://ocsp.quovadisglobal.com
> > --snip--
> >
> > so does anybody see what's the reason, why squid doesn't download the
> > intermediate certificate for mycase.cloudapps.cisco.com ?
>
> squid can't download certificates other than the website provides.

that's not true:

from site: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
"Squid-4 is capable of downloading missing intermediate CA certificates,
like popular browsers do."

> if a website does not provide valid certificate chain, it's up to the client
> to produce an error. With browser, you can allow the certificate explicitly.

with sslbump the browser doesn't see the origin webserver certificate,
but sees the squid created one.

> It is also possible that browser has the intermediace certificate
> remembered.

as I already wrote, we use sslbump.

> testing certificate for mycase.cloudapps.cisco.com shows only one
> certificate I can see:
>
> Certificate chain
> 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = mycase.cloudapps.cisco.com
>   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
>
> the HydrantID SSL ICA G2 certificate seems to be missing here.
>
>
>

--
Regards

  Dieter


Re: squid doesn't fetch the intermediate certificate for some sites

Alex Rousskov
On 7/21/20 3:41 AM, Dieter Bloms wrote:

> for some sites like https://mycase.cloudapps.cisco.com/
> squid doesn't fetch the intermediate certificate and returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

The underlying problem is not specific to SslBump AFAICT. The
combination of unfortunate OpenSSL design decisions and TLS v1.3 secrecy
creates a serious problem for Squid. For details, please see

  https://bugs.squid-cache.org/show_bug.cgi?id=5067#c2

Alex.