[squid-users] about Incorrect X509 server certificate valdidation
Amos Jeffries
squid3 at treenet.co.nz
Sun May 3 04:59:56 UTC 2015
On 3/05/2015 11:10 a.m., HackXBack wrote:
> You mention this part :
> Severity:
>
> The bug is important because it allows remote servers to bypass
> client certificate validation. Some attackers may also be able
> to use valid certificates for one domain signed by a global
> Certificate Authority to abuse an unrelated domain.
>
>
> you mean that there is a way to use certificate that signed by a global
> certificate authority (Trusted CA) ?
There was a possible way for some certificates which would also be
abusing this bug to pass the global CA checks they do before signing.
> if yes then we can use it and then no need to import our self certificate in
> client browser to force it as trusted ?
No. The vulnerability was attack traffic having the attackers
certificate removed and re-encrypted using *yours*. The clients always
have to trust your certificate.
You cannot use one of the attacker-type certificates in Squid because a)
they are not CA signing certificates, and b) they are "broken" in ways
that clients should already validate against. That is why server-first
mode is not vulnerable when client-first is. In server-first mode the
breakage gets mimic'd and the client rejects the certificate (not Squid).
Amos
More information about the squid-users
mailing list