[squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah adrian.m.miller at gmail.com
Tue Feb 28 15:58:00 UTC 2017


This is driving me nuts; it's the only issue I've found running SSL Bump on my
home network for eons.

I can't see image thumbnails on xda-developers...

When I access a thread with them, I get text links, not thumbnails, and if I
click on the links I get the following:


    (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

I figured out by googling how to (I hope) trace the problem certificate via
s_client:


OpenSSL> s_client -showcerts -verify 32 -connect dl.xda-developers.com:443
verify depth is 32
CONNECTED(0000012C)
depth=0 CN = *.xda-developers.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.xda-developers.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=*.xda-developers.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQfA25Jbjbsyz/PbnaPlV5ozANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
UmFwaWRTU0wgU0hBMjU2IENBMB4XDTE2MTAwNDAwMDAwMFoXDTE3MTIwMzIzNTk1
OVowHzEdMBsGA1UEAwwUKi54ZGEtZGV2ZWxvcGVycy5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCtz+7A2NWVYg04JZTLCLf8+UGiJEBQXHgJENZd
bzGJpp8ue+L3a1o00uAnBYKAXzdEYYJ0cCHE4G+87okgDbSU2IO6Vvm2xf79tId/
BtQ6E6EXy4dSLya37k+fwnVo+b0c7sCnv6KRPG/z5zEQZLstY0RmUf+uS8ufoEII
Xv7HQFTXJ8by6VbA2PXKPZY+4Ok8mWMdMZx7F6kl0l+AP/pOyg59HLfvirtUElok
nwBHj20QbMg0ZF5wVYZn+7za51Ac3/Mrq0jJzs4WlofokDQWuB9pr7MZawkn2oj3
r+Ty4zeRLC4X7QMdiQAdB4OV1Uvl7sTl13g7reZoYHFUNrJ/AgMBAAGjggKUMIIC
kDAzBgNVHREELDAqghQqLnhkYS1kZXZlbG9wZXJzLmNvbYISeGRhLWRldmVsb3Bl
cnMuY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2dwLnN5
bWNiLmNvbS9ncC5jcmwwbwYDVR0gBGgwZjBkBgZngQwBAgEwWjAqBggrBgEFBQcC
ARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMCwGCCsGAQUFBwICMCAM
Hmh0dHBzOi8vd3d3LnJhcGlkc3NsLmNvbS9sZWdhbDAfBgNVHSMEGDAWgBSXwidQ
nsLJ7AyIMsh8reKmAU/abzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0
cDovL2dwLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2dwLnN5bWNiLmNv
bS9ncC5jcnQwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwDd6x0reg1PpiCLga2B
aHB+Lo6dAdVciI09EcTNtuy+zAAAAVeRQGjoAAAEAwBIMEYCIQCGhvkj2j2G8/HS
+goN5+KUNcOo489VZB0yiuZ/i3O8EAIhAJarnN3GazZP/2MBfEK9bFaO+XTfnLSE
b+KC8+45pL65AHYAaPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8QAAAFX
kUBpCAAABAMARzBFAiB9Fc1GeA7oj/P31joQQbOTtlXr3v0Sy7wgg24WfcmcIQIh
ALjzk7c5ekv3D/TatIWhU249FMIOWeqs0HI9xXiC9ufwMA0GCSqGSIb3DQEBCwUA
A4IBAQCQTUYrtmdS+tgmIwnpSfufAnv4y1Zn+NuJFg9m3N1oFbNeEOoJ3C9LjzJC
jtzW5Z8HHZieT3jHAdEXGVe1uNqPX3jSQVOYNM+TXVb7rwqjUvaYYRuGp2cU4uis
pEHlsytWbMn1iGQVAr7cpJ4+wIby9c1sRXSHbFsPisR4mKzyAi2f0Dyb8CKIGLwN
6JuQw+a5k76p/ff9khjsRSdQIe6KroMrgIKltlmpqZiNaslY4YpPXMkT5Uj6RVci
JX81NejSjYGUbD1B0MXhuCzwSgjfuNKxTi73uoreQRgug1Tp3ObneM6pP/njp+sz
KI1VqiFrve2K2ebXvJ0EftQRclEi
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=*.xda-developers.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2067 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 733B4D29302703E57D32AB496A42CC1AB24056B9973A56F297F0B7D9429DFE0C
    Session-ID-ctx:
    Master-Key: 6B679C5560D68A9409F80DCEE91985E458A3D949CF7840F47832D75325B8DA3E5E00C3AF2A099E51D95AC1290D1EA8C0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 4c b4 25 2c 68 1a c0 fc-8c e6 d7 9c 66 37 a0 ec   L.%,h.......f7..
    0010 - fa 2c f6 7a 78 2b 3a b0-f9 14 53 0e ed 93 21 5e   .,.zx+:...S...!^
    0020 - 5f e6 48 db aa d5 7f c7-30 dc fe b1 e8 0d ff a5   _.H.....0.......
    0030 - ad 50 40 ab 97 49 d8 ad-27 dc c1 e6 88 db 15 8c   .P@..I..'.......
    0040 - ed f6 dd d1 3f c9 70 a3-14 df a5 d6 c0 0d e2 cf   ....?.p.........
    0050 - 8f 19 3e 0c da 14 02 f1-83 83 82 61 39 bc f2 52   ..>........a9..R
    0060 - c4 92 6f cb cb 9b 05 4d-ce 96 ef 64 86 cb cb 85   ..o....M...d....
    0070 - 2d 51 0e 99 9a fd 1d b0-98 07 4e 8f c5 f7 57 ec   -Q........N...W.
    0080 - 70 f1 28 bb d2 6a c9 57-bc f0 6d d3 e1 f5 13 c0   p.(..j.W..m.....
    0090 - 37 ff f7 47 96 94 df eb-6a c9 f1 89 be c8 77 8a   7..G....j.....w.

    Start Time: 1488297409
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no


I've found the intermediate bundle from RapidSSL and added it to my existing
PEM bundle... no change.
Added it as a separate PEM, i.e. sslproxy_foreign_intermediate_certs
/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem... no change.

My SSL Bump-related config lines are:

http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem capath=/cygdrive/e/Squid/etc/ssl cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all


sslcrtd_program /cygdrive/e/Squid/lib/squid/ssl_crtd -s /cygdrive/e/Squid/var/cache/squid_ssldb -M 4MB -b 2048
sslcrtd_children 10 startup=10 idle=1

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

I'm at my wits' end; it's the only site that has a glitch.

I tried all I could think of, and Google, before posting; hopefully someone
has an idea/suggestion.

cheers in advance



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635.html
Sent from the Squid - Users mailing list archive at Nabble.com.
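The error in the post, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, describes exactly what the s_client output shows: the server sends only the leaf (chain entry 0, issued by /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA) and nothing the proxy holds locally has that name as its subject. The script below is an added example, not Squid's or OpenSSL's code. It decodes the leaf certificate quoted in the post with a small hand-written DER walker, extracts issuer and subject, and performs the same issuer-by-subject-name lookup against a local bundle: first with an empty bundle (reproducing the "issuer not known" verdict), then with a constructed stub intermediate whose subject matches. The stub builder, the attribute-OID table and the wording of diagnose() are this example's own; the stub carries no key and no signature, so it exercises name matching only, not the signature check OpenSSL performs once the issuer is found.

```python
import base64

# Leaf certificate exactly as dl.xda-developers.com presented it in the s_client output above.
LEAF_B64 = (
    "MIIFgTCCBGmgAwIBAgIQfA25Jbjbsyz/PbnaPlV5ozANBgkqhkiG9w0BAQsFADBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS"
    "UmFwaWRTU0wgU0hBMjU2IENBMB4XDTE2MTAwNDAwMDAwMFoXDTE3MTIwMzIzNTk1OVowHzEdMBsGA1UEAwwUKi54ZGEtZGV2ZWxvcGVycy5jb20wggEiMA0GCSqGSIb3"
    "DQEBAQUAA4IBDwAwggEKAoIBAQCtz+7A2NWVYg04JZTLCLf8+UGiJEBQXHgJENZdbzGJpp8ue+L3a1o00uAnBYKAXzdEYYJ0cCHE4G+87okgDbSU2IO6Vvm2xf79tId/"
    "BtQ6E6EXy4dSLya37k+fwnVo+b0c7sCnv6KRPG/z5zEQZLstY0RmUf+uS8ufoEIIXv7HQFTXJ8by6VbA2PXKPZY+4Ok8mWMdMZx7F6kl0l+AP/pOyg59HLfvirtUElok"
    "nwBHj20QbMg0ZF5wVYZn+7za51Ac3/Mrq0jJzs4WlofokDQWuB9pr7MZawkn2oj3r+Ty4zeRLC4X7QMdiQAdB4OV1Uvl7sTl13g7reZoYHFUNrJ/AgMBAAGjggKUMIIC"
    "kDAzBgNVHREELDAqghQqLnhkYS1kZXZlbG9wZXJzLmNvbYISeGRhLWRldmVsb3BlcnMuY29tMAkGA1UdEwQCMAAwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2dwLnN5"
    "bWNiLmNvbS9ncC5jcmwwbwYDVR0gBGgwZjBkBgZngQwBAgEwWjAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMCwGCCsGAQUFBwICMCAM"
    "Hmh0dHBzOi8vd3d3LnJhcGlkc3NsLmNvbS9sZWdhbDAfBgNVHSMEGDAWgBSXwidQnsLJ7AyIMsh8reKmAU/abzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB"
    "BQUHAwEGCCsGAQUFBwMCMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2dwLnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2dwLnN5bWNiLmNv"
    "bS9ncC5jcnQwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVeRQGjoAAAEAwBIMEYCIQCGhvkj2j2G8/HS"
    "+goN5+KUNcOo489VZB0yiuZ/i3O8EAIhAJarnN3GazZP/2MBfEK9bFaO+XTfnLSEb+KC8+45pL65AHYAaPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8QAAAFX"
    "kUBpCAAABAMARzBFAiB9Fc1GeA7oj/P31joQQbOTtlXr3v0Sy7wgg24WfcmcIQIhALjzk7c5ekv3D/TatIWhU249FMIOWeqs0HI9xXiC9ufwMA0GCSqGSIb3DQEBCwUA"
    "A4IBAQCQTUYrtmdS+tgmIwnpSfufAnv4y1Zn+NuJFg9m3N1oFbNeEOoJ3C9LjzJCjtzW5Z8HHZieT3jHAdEXGVe1uNqPX3jSQVOYNM+TXVb7rwqjUvaYYRuGp2cU4uis"
    "pEHlsytWbMn1iGQVAr7cpJ4+wIby9c1sRXSHbFsPisR4mKzyAi2f0Dyb8CKIGLwN6JuQw+a5k76p/ff9khjsRSdQIe6KroMrgIKltlmpqZiNaslY4YpPXMkT5Uj6RVci"
    "JX81NejSjYGUbD1B0MXhuCzwSgjfuNKxTi73uoreQRgug1Tp3ObneM6pP/njp+szKI1VqiFrve2K2ebXvJ0EftQRclEi"
)
LEAF_DER = base64.b64decode(LEAF_B64)

# Attribute-type OIDs (DER contents octets) seen in issuer/subject names, with OpenSSL's short forms.
ATTR_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU",
              b"\x55\x04\x03": "CN", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST"}


def read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, contents, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(contents):
    """Split the contents of a constructed type into its (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        out.append((tag, val))
    return out


def name_to_str(name_contents):
    """Render an X.501 Name in OpenSSL's /C=../O=../CN=.. style, as Squid's error page shows it."""
    parts = []
    for _, rdn_set in children(name_contents):           # each RDN is a SET ...
        for _, atv in children(rdn_set):                  # ... of AttributeTypeAndValue SEQUENCEs
            (_, oid), (_, val) = children(atv)
            parts.append(f"{ATTR_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)


def issuer_and_subject(der):
    """Return (issuer DN, subject DN) of a DER certificate by walking its tbsCertificate."""
    _, cert, _ = read_tlv(der, 0)                         # outer Certificate SEQUENCE
    fields = children(children(cert)[0][1])               # tbsCertificate -> its fields
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return name_to_str(fields[2][1]), name_to_str(fields[4][1])


def find_local_issuer(leaf_der, local_ders):
    """The lookup behind X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: find a locally held
    certificate whose subject equals the leaf's issuer. Returns (issuer DN, match or None)."""
    issuer, _ = issuer_and_subject(leaf_der)
    for candidate in local_ders:
        if issuer_and_subject(candidate)[1] == issuer:
            return issuer, candidate
    return issuer, None


def tlv(tag, payload):
    """Minimal DER encoder (lengths below 65536 are enough for a stub certificate)."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def encode_name(attrs):
    """Encode [(short name, value), ...] as an X.501 Name, one PrintableString attribute per RDN."""
    oid_of = {short: oid for oid, short in ATTR_NAMES.items()}
    rdns = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, oid_of[k]) + tlv(0x13, v.encode("ascii"))))
                    for k, v in attrs)
    return tlv(0x30, rdns)


def stub_certificate(subject_attrs, issuer_attrs):
    """CONSTRUCTED stand-in for an intermediate CA certificate: well-formed DER layout, but with an
    empty SubjectPublicKeyInfo and a zero-length signature, so it only exercises name matching."""
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                                          # version v3
              + tlv(0x02, b"\x01")                                                    # serialNumber
              + sha256_rsa                                                            # signature alg
              + encode_name(issuer_attrs)
              + tlv(0x30, tlv(0x17, b"170101000000Z") + tlv(0x17, b"271231235959Z"))  # validity
              + encode_name(subject_attrs)
              + tlv(0x30, b""))                                                       # empty SPKI
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00"))


def diagnose(leaf_der, local_ders):
    """Squid-style verdict: the error text from the post, or confirmation that the issuer is local."""
    issuer, match = find_local_issuer(leaf_der, local_ders)
    if match is None:
        return f"certificate issuer (CA) not known: {issuer}"
    return f"certificate issuer (CA) found locally: {issuer}"


if __name__ == "__main__":
    issuer, subject = issuer_and_subject(LEAF_DER)
    print("leaf subject:", subject, "| issuer:", issuer)
    print("empty local bundle  ->", diagnose(LEAF_DER, []))
    # Constructed intermediate whose subject matches the leaf's issuer: the certificate the
    # sslproxy_foreign_intermediate_certs file has to contain for this chain to complete.
    intermediate = stub_certificate(
        [("C", "US"), ("O", "GeoTrust Inc."), ("CN", "RapidSSL SHA256 CA")],
        [("CN", "constructed root for the demo")])
    print("intermediate present ->", diagnose(LEAF_DER, [intermediate]))
```

To check a real bundle, replace the stub with the base64 bodies of the PEM blocks in the file you point sslproxy_foreign_intermediate_certs at: if find_local_issuer() still returns None, the file does not contain the certificate named in the error, whatever else it holds. Note also that cafile= and capath= on http_port configure the CAs used to verify client certificates; the directive Squid consults when a server omits its intermediate is sslproxy_foreign_intermediate_certs, which is the lookup this example models.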

