Re: [squid-users] Need help on SSL bump and certificate chain

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Mon, 15 Apr 2013 12:08:39 -0600

On 04/14/2013 11:44 PM, Prasanna Venkateswaran wrote:

> Can someone please help me out here? In a nutshell, I am using a
> proper signed certificate (not self-signed) to generate certificates.
> The chain is my certificate -> intermediate CA -> root CA.

The root certificate is still a "fake" self-signed certificate though,
right? All root certificates are self-signed, of course. I just want to
double check that you are not using a "true" certificate from a
well-known root CA in your chain because in 99.99% of SslBump cases we
see around here that would not work.

> I cannot
> make squid send the entire certificate chain to the clients and this
> is breaking many applications in our network.

FWIW, you do not really want to send the entire chain. The root
certificate needs to be installed by clients. Squid needs to send the
configured intermediate and the generated leaf certificates. There is no
point in sending the root certificate because a client would not be able
to validate it unless it already has that root certificate installed!

Does your Squid send the configured intermediate certificate with the
generated leaf one? We have added some code to make that work and that
code should be in v3.3 you are using. Here is the corresponding commit
message with more details about Squid logic used to send the
intermediate certificate:

> revno: 11820
> committer: Christos Tsantilas <chtsanti_at_users.sourceforge.net>
> branch nick: trunk
> timestamp: Thu 2011-10-27 18:27:25 +0300
> message:
> sslBump: Send intermediate CA
>
> SslBump code assumed that it is signing generated certificates with a root CA
> certificate. Root certificates are usually not sent along with the server
> certificates because clients must have them independently installed or
> built-in. Squid was not sending the signing certificate.
>
> In many environments, Squid signing certificate is intermediate (i.e., it
> belongs to a non-root CA). If Squid does not send that intermediate signing
> certificate with the generated one, the client will not be able to establish a
> complete chain of trust from the generated fake to the root CA certificate,
> leading to errors.
>
> With this change, Squid may send the signing certificate (along with the
> generated one) using the following rules:
>
> * If the configured signing certificate is self-signed,
> then just send the generated certificate alone.
> Note that root CA certificates are self-signed (by root CA).
>
> * Otherwise (i.e., if the configured signing certificate is an intermediate
> CA certificate), send both the intermediate CA and the generated fake
> certificate.
>
> * If Squid sends the intermediate CA certificate, Squid also sends
> all other certificates from the "cert=" file. Sending a chain with
> multiple intermediate CA certificates may be required when the Squid
> signing certificate was signed by another intermediate CA.
>
>
> This is a Measurement Factory Project

Is your configured signing certificate self-signed or intermediate? Does
Squid send it along with the generated fake certificate?

HTH,

Alex.

> On 4/11/13, Prasanna Venkateswaran <prascalls_at_gmail.com> wrote:
>> Hi Guy,
>> We want to be a man-in-the-middle but we want to get the
>> approval from clients/end-users out of band by accepting the terms and
>> conditions. The self-signed certificates are sort of ok with browsers.
>> But many other applications like dropbox sync, AV dat update, VPN,
>> etc. fail because of the untrusted certificate. On top of it we have
>> some headless devices in our network as well. Since we anyway have
>> this information in our terms and conditions we would like to move to
>> a trusted chain so that all the applications work as expected.
>>
>> Gentlemen,
>> I see some users have already asked help/reported bug about the
>> same thing like,
>> http://www.squid-cache.org/mail-archive/squid-users/201112/0197.html.
>>
>> I also see that changes have been done in squid to support this
>> behavior as well.
>> http://www.squid-cache.org/mail-archive/squid-dev/201110/0207.html
>>
>> I followed the steps from this thread for configuration and I
>> still don't see the chain information sent to the clients.
>> http://www.squid-cache.org/mail-archive/squid-users/201109/0037.html
>>
>> So has the behavior of squid changed in recent times? Or am I
>> missing something in my configuration? How to make squid send the
>> entire certificate chain to clients? Please help.
>>
>> Regards,
>> Prasanna
>>
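Added example, not Squid's own code: a Go sketch of the three rules in the quoted commit message, paired with a mock client that has only the root CA installed, to show why the intermediate (and any further intermediates from the "cert=" file) must be sent while the root need not be. The CA names and the certificates are constructed in memory here; MakeCert, IsSelfSigned, ChainToSend and ClientVerifies are this example's own helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert builds a throwaway certificate for cn; parent == nil means self-signed (a root CA).
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // CheckSignatureFrom requires this of a CA
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IsSelfSigned reports whether cert verifies under its own key, i.e. it is a root CA.
func IsSelfSigned(cert *x509.Certificate) bool { return cert.CheckSignatureFrom(cert) == nil }

// ChainToSend applies the commit's rule: self-signed signer -> leaf only; intermediate -> leaf, signer, rest of "cert=".
func ChainToSend(leaf, signer *x509.Certificate, extras []*x509.Certificate) []*x509.Certificate {
	if IsSelfSigned(signer) {
		return []*x509.Certificate{leaf}
	}
	return append([]*x509.Certificate{leaf, signer}, extras...)
}

// ClientVerifies models a client with only root installed; it may use what Squid sent as intermediates.
func ClientVerifies(chain []*x509.Certificate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
```

The failing case (leaf alone when the signer is an intermediate) is exactly the symptom in this thread; the client cannot complete the path because it never receives the signer.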
Received on Mon Apr 15 2013 - 18:08:44 MDT