[squid-users] SSL Bump and Certificate issue - RapidSSL Intermediate Cert

stylemessiah adrian.m.miller at gmail.com
Thu Mar 2 01:57:30 UTC 2017 

>That command you used does not send data through the proxy. So that
>confirms that the servers TLS is broken in a way unrelated to Squid.

As that may be, when i go direct (sans proxy) i get thumbnails...no issues
Toggle the proxy back on and no thumbnails, and opening an image link gives
the
error initially reported.

(71) Protocol error (TLS code:
 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known:
/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA

So both Ie and FF will just load anything from dl.xda-developers.com and not
register an issue, but squid will refuse to load the content and generate
the error

>You need to locate the root CA and/or intermediate CA certificates used
>to sign the domain servers certificate.

>You then need to identify *why* they are not being trusted by your OS
>library.

>Be sure to determine whether the CA which is missing is actually
>trustworthy before adding it to your trusted set. More than a few of the
>CA which are around are not trusted because they have been hacked or
>caught signing forged certificates they should not have.

I aalways learn something when youre silly enough to reply :)

When i ran dl.xda-developers.com through ssllabs (thanks google), it gave
me a less than glowing report, including
an incomplete cert chain (i say that like i understand it :) ) or as it put
it:

This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224)
<https://community.qualys.com/blogs/securitylabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable>
and exploitable. Grade set to F.
This server is vulnerable to the OpenSSL Padding Oracle vulnerability
(CVE-2016-2107)
<https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/>
and insecure. Grade set to F.
This server accepts RC4 cipher, but only with older browsers. Grade capped
to B.  MORE INFO ยป
<https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what>
This server's certificate chain is incomplete. Grade capped to B.

Full report here for the curious:
https://globalsign.ssllabs.com/analyze.html?d=dl.xda-developers.com&hideResults=on

For a few thumbnails im not going to torture myself, maybe ill send the
forum admin a note instead :)

>PS.  EECDH will not work unless you configure a curve name in the
>tls-dh= option. Just having dhparam.pem alone will only enable the less
>secure DH ciphers.

I did add a curve to the tls-dh param, im guessing tis correct, little info
on which one to use (grabbing the list from my local openssl had me going
what the hell)

tls-dh=prime256v1:/cygdrive/e/Squid/etc/ssl/dhparam.pem

Note: this made no difference whatsoever with my issue

Cheers,

Adrian Miller



On 2 March 2017 at 04:08, Adrian Miller <adrian.m.miller at gmail.com> wrote:

> Thanks Amos for the info, appreciate your tireless assistance for us
> numpties :)
>
> On 2 Mar. 2017 4:06 am, "Amos Jeffries [via Squid Web Proxy Cache]" <
> ml-node+s1019090n4681642h47 at n4.nabble.com> wrote:
>
>> On 1/03/2017 4:58 a.m., stylemessiah wrote:
>>
>> > This is driving me nuts, its the only issue ive found running ssl bump
>> on my
>> > home network for eons
>> >
>> > I cant see image thumbnails on xda-developers...
>> >
>> > When i access a thread with them, i get text links, not thumbnails, and
>> if i
>> > click on the links i get the following:
>> >
>> >
>> >     (71) Protocol error (TLS code:
>> > X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
>> >
>> >     SSL Certficate error: certificate issuer (CA) not known:
>> > /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>> >
>> > I figured out by googling how to (i hope) trace the problem certificate
>> via
>> > s_client:
>> >
>> >
>> > OpenSSL> s_client -showcerts -verify 32 -connect
>> dl.xda-developers.com:443
>> > verify depth is 32
>> > CONNECTED(0000012C)
>> > depth=0 CN = *.xda-developers.com
>> > verify error:num=20:unable to get local issuer certificate
>> > verify return:1
>> > depth=0 CN = *.xda-developers.com
>> > verify error:num=21:unable to verify the first certificate
>> > verify return:1
>>
>> That command you used does not send data through the proxy. So that
>> confirms that the servers TLS is broken in a way unrelated to Squid.
>>
>>
>>
>> > ---
>> > Certificate chain
>> >  0 s:/CN=*.xda-developers.com
>> >    i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>> ...
>>
>> > ---
>> > Server certificate
>> > subject=/CN=*.xda-developers.com
>> > issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
>> > ---
>> > No client certificate CA names sent
>> > Peer signing digest: SHA512
>> > Server Temp Key: ECDH, P-256, 256 bits
>> > ---
>> > SSL handshake has read 2067 bytes and written 302 bytes
>> > Verification error: unable to verify the first certificate
>>
>> >
>> > Ive found the intermediate bundle from RapidSS, and added it to my
>> existing
>> > pem bundle...no change
>>
>> You need to locate the root CA and/or intermediate CA certificates used
>> to sign the domain servers certificate.
>>
>> You then need to identify *why* they are not being trusted by your OS
>> library.
>>
>> Be sure to determine whether the CA which is missing is actually
>> trustworthy before adding it to your trusted set. More than a few of the
>> CA which are around are not trusted because they have been hacked or
>> caught signing forged certificates they should not have.
>>
>>
>> > Added as a separate pem i.e. sslproxy_foreign_intermediate_certs
>> > /cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem...no change
>> >
>> > My sslbump related config lines are:
>> >
>> > http_port 127.0.0.1:3128 ssl-bump generate-host-certificates=on
>> > dynamic_cert_mem_cache_size=10MB cert=/cygdrive/e/Squid/etc/ssl/myCA.pem
>>
>> > capath=/cygdrive/e/Squid/etc/ssl
>> > cafile=/cygdrive/e/Squid/etc/ssl/extra-intermediate-CA.pem
>> > tls-dh=/cygdrive/e/Squid/etc/ssl/dhparam.pem
>> > options=NO_SSLv2,NO_SSLv3,SINGLE_ECDH_USE
>>
>> PS.  EECDH will not work unless you configure a curve name in the
>> tls-dh= option. Just having dhparam.pem alone will only enable the less
>> secure DH ciphers.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> [hidden email] <http:///user/SendEmail.jtp?type=node&node=4681642&i=0>
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>> ------------------------------
>> If you reply to this email, your message will be added to the discussion
>> below:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-
>> and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681642.html
>> To unsubscribe from SSL Bump and Certificate issue - RapidSSL
>> Intermediate Cert, click here
>> <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=4681635&code=YWRyaWFuLm0ubWlsbGVyQGdtYWlsLmNvbXw0NjgxNjM1fDE5ODY3MjIyMDI=>
>> .
>> NAML
>> <http://squid-web-proxy-cache.1019090.n4.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>>
>


-- 
I hate to advocate *drugs*, *alcohol*,* violence *or
*insanity* to anyone, *but* they've *always* worked for* me*

- Hunter S. Thompson




--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/SSL-Bump-and-Certificate-issue-RapidSSL-Intermediate-Cert-tp4681635p4681646.html
Sent from the Squid - Users mailing list archive at Nabble.com.

More information about the squid-users mailing list