[squid-users] ssl_bump with intermediate CA

Eliezer Croitoru eliezer at ngtech.co.il
Sat Jan 7 04:25:02 UTC 2017 

Hey Amos,

We can use the discussion section of the wiki to add some comments but the thing is that reality is almost the only answer to some questions.
IE a "cafile" in the normal world would be a certificate on the wall or in some database(back yard archive).
When in most places and cases one's diploma certificate is enough since not most of the world are certificate forgers.
Depends on the locality different measures to enforce the diploma validation are in place.
So if we would compare the real CA's world to the Computer Based one's there would be a big enough different.
Most web applications are more "aware" to these issues then any normal citizen would understand and know about.
The simple answer in most cases is that on the stage of validation there are  two things to validate:
- Authenticity
- Validity(expiration)

When a client probes for a connection it would first verify the chain in some places, but, let say I have a hospital and doctors inside, most clients of the hospital would not require validation of authenticity for the doctor diploma since the hospital is the proxy for this part of the connection and the client left alone to only present the request for care.

With the above real world "example" in hands we know that in the servers world we need to be able to inspect the certificate at-least once in period and we as sysadmins are required to present a full chain in order to meet the clients requests at-least once if not more.

I believe that a proxy should be required to be able to present the full chain certificates to be compatible with the way web applications themselves present their certificates.

And the simplest way to not open an "Edit" war is in most cases comments on the wiki discussion section..
But I do understand that there are wars which needs to be left alone.

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Friday, January 6, 2017 12:06 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] ssl_bump with intermediate CA

On 2017-01-06 21:27, senor wrote:
> Thank you for the response but I think my question is still unanswered.
> Comments below:
> 
> On 1/5/2017 16:57, Bruce Rosenberg wrote:
>> The cafile option specifies the "chain" file squid should send back to
>> the client along with the cert, exactly as you would normally do with
>> Apache httpd or Nginx.
> (For clarity: I'm using 3.5.23. cafile was replaced in squid-4)
> This may be what cafile is used for but that does not match the
> directive description.
> http://www.squid-cache.org/Versions/v3/3.5/cfgman/http_port.html
> My suspicion is that the description is a confusion between the same
> option in openssl and web server options (Apache SSLCACertificateFile
> and similar).
> What's it really used for? Chain completion, client cert verification 
> or
> both?

It is used for chain completion. *which* chain is being completed 
depends on the traffic mode.

clientca= should be the one used *only* for client cert verification (I 
think). But neither was used consistently in Squid-3, so YMMV based on 
the traffic modes.

> 
>> In the example the generated server cert is depth 0, CA2 is depth 1 
>> and
>> CA1 is depth 2.
>> If the client has CA1 installed as a trust anchor then technically you
>> don't need to send CA1 as it is discarded by the client once the trust
>> relationship for CA2 is established.
>> It's good practice to send the full chain though as it makes
>> troubleshooting easier.
>> From a client perspective you can quickly grab the whole chain with
>> openssl s_client and check if CA1 is in the trust store.
> I have to disagree with this. The anchor (CA1) is discarded regardless.
> It cannot be used. If included it bloats the TLS handshake. Even 
> openssl
> will discard it and then look in the trusted CA store.
> 
> I see with a packet cap that the mimicked server cert and the signing
> cert are both included even without the cafile option specified.
> 
> So is it safe to say that the referenced wiki page has just become
> outdated? If cafile is used to fill in the cert chain it wouldn't be
> needed unless there were additional intermediate certs between the mitm
> cert and the trusted CA known to the client. (As in CA1 is trusted by
> clients, CA1 signs CA2 which signs CA3 which is used as MITM cert,
> cafile=CA2)

That wiki page was incorrect at the time of creation. But the author 
refuses to agree that root cert are discarded so I left it there instead 
of inciting an edit war. Saving the root CA into the file should be 
harmless anyway.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list