Re: [squid-users] sslbump dynamic certificates for CNAMEs issue

From: Jeffrey Walton <noloader_at_gmail.com>
Date: Tue, 17 Sep 2013 19:28:34 -0700

On Tue, Sep 17, 2013 at 7:02 PM, Matt Carey <cvstealth2000_at_yahoo.com> wrote:
> I'm having an issue doing sslbumping with what seems to be isolated to CNAMEs where the certificate that is getting sent by squid (currently 3.3.9) back to the client has the CN field set to an IP address rather than a legit subject in the x509 certificate. An example of this behavior as seen by the client is:
>
A well written client will refuse the connection.

> # openssl s_client -connect autodiscover.domain.com:443
> CONNECTED(00000003)
> depth=1 C = US, ST = Virginia, L = Alexandria, O = North American Domain, OU = IT Group, CN = fwa.domain.com, emailAddress = it_at_domain.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
> 0 s:/CN=157.56.236.89 <-- This is causing the client browser/application to break because the subject doesn't match the site
> i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
> 1 s:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
> i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
> <snip>
Yeah, IPs be worrisome, especially if they are RFC 1918.
Littleblackbox (http://code.google.com/p/littleblackbox/) FTW!

> I haven't put my finger on exactly what level of nesting or what is special about the CNAME attribute that for some sites is causing the dynamic certificate that is being sent to have the CN set to just the IP address. Any help in this matter would be greatly appreciated.
>
If your clients are RFC 5280 compliant (such as a web browser), then
here are the guides:

Baseline: https://www.cabforum.org/Baseline_Requirements_V1_1_6.pdf
Extended Validation: https://www.cabforum.org/Guidelines_v1_4_3.pdf

Extended validation adds no additional technical controls. It simply
restores CA profit levels back to the 1990s. Don't drink the
Kool-Aid.

"Subject Common Name Field" is covered in the baseline guide.
"Authorization for an IP Address" is covered in the baseline guide.
Prohibition of RFC 1918 addresses is covered in the extended
validation guide.

Section 9.2.2 of the baseline guide also states: "if present, this
field [CN] MUST contain a single IP
address or Fully-Qualified Domain Name that is one of the values
contained in the Certificate’s subjectAltName extension". The SAN is
covered in section 9.2.1.

So the question becomes, is the IP address also listed in the SAN?

Jeff
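An added example, not from this thread or from Squid, of the check Jeff's closing question implies: given a leaf certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns, it reports whether the CN also appears in the SAN (Baseline Requirements 9.2.2), whether a SAN entry actually covers the requested host, and whether any bare IP in the certificate is non-public. All function names are hypothetical; the two certificates are constructed, the first mirroring the s_client output quoted above.

```python
import ipaddress
# Constructed from the quoted s_client output: bare-IP CN, no subjectAltName at all.
BUMPED_LEAF = {"subject": ((("commonName", "157.56.236.89"),),)}
# Constructed: a conforming leaf for the same origin, with the CN repeated in the SAN.
GOOD_LEAF = {
    "subject": ((("commonName", "autodiscover.domain.com"),),),
    "subjectAltName": (("DNS", "autodiscover.domain.com"), ("DNS", "*.domain.com")),
}

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def san_values(cert):
    return [v for _, v in cert.get("subjectAltName", ())]

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    # RFC 6125-style: case-insensitive, wildcard only as the whole leftmost label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or (p[0] == "*" and len(p) < 3):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def matches_host(cert, host):
    """True if a SAN entry covers the requested name; the CN alone never counts."""
    ip = _as_ip(host)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _dns_match(value, host):
            return True
        if kind == "IP Address" and ip is not None and _as_ip(value) == ip:
            return True
    return False

def cn_in_san(cert):
    """Baseline Requirements 9.2.2: every CN value must also appear in the SAN."""
    return set(common_names(cert)) <= set(san_values(cert))

def audit(cert, host):
    """List the problems a strict RFC 5280 client would raise for this leaf."""
    checks = [(not cert.get("subjectAltName"), "no subjectAltName"),
              (not cn_in_san(cert), "CN not listed in SAN"),
              (not matches_host(cert, host), "no SAN entry matches " + host)]
    problems = [msg for bad, msg in checks if bad]
    # The reply's RFC 1918 remark: flag any private or otherwise non-public address.
    problems += ["non-public address " + v for v in common_names(cert) + san_values(cert)
                 if _as_ip(v) is not None and not _as_ip(v).is_global]
    return problems
```

Pointing `audit()` at `sock.getpeercert()` from a connection made through the bumping proxy shows exactly which of these rules the generated leaf breaks.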
Received on Wed Sep 18 2013 - 02:28:42 MDT