[squid-users] Trusted first verification regarding cross root cert

mikio.kishi at gmail.com mikio.kishi at gmail.com
Mon Jun 29 07:29:43 UTC 2020


Hi Amos,

Thank you for your reply and I apologize for the missing information.
The following is the detailed one.

> * Squid version
* squid version 3.5.26 (probably ver4.X might also have the same issue)
* OpenSSL 1.0.2k

> * details of the chain being delivered to Squid
> * details of the expected cross-signing chain(s).

There are so many websites which are facing this issue.
For instance, "sbv.gov.vn:443".

# openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify error:num=10:certificate has expired
notAfter=Mar 18 10:00:00 2019 GMT
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
notAfter=Mar 18 10:00:00 2019 GMT
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation
CA - SHA256 - G3
notAfter=Sep 21 00:00:00 2026 GMT
verify return:1
depth=0 businessCategory = Government Entity, serialNumber = Government
Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street =
"47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information
Technology, O = The State Bank of Viet Nam, CN = www.sbv.gov.vn
notAfter=Nov  8 03:31:58 2020 GMT
verify return:1
... snip ...
    Verify return code: 10 (certificate has expired)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The above verification was NG (certificate has expired).
On the other hand, the verification was OK if the "-trusted_first" option
was given.

# openssl s_client -trusted_first -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation
CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Government Entity, serialNumber = Government
Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street =
"47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information
Technology, O = The State Bank of Viet Nam, CN = www.sbv.gov.vn
verify return:1
... snip ...
    Verify return code: 0 (ok)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^

In the "Cross-Signed Certificate" case, openssl failed to verify by default
even if another signed root is available.
Squid's behavior seems to be the same. That's why I needed the
"trusted_first" feature.
For your information, major web browsers (like Chrome/Firefox) could access
the site directly because of trusted-first mode.

In my opinion, appending the following code (in ssl/support.cc) will be
effective.

 X509_VERIFY_PARAM_set_flags(ctx->param, X509_V_FLAG_TRUSTED_FIRST);
 (The type of ctx is "X509_STORE_CTX *").

Could you please add the trusted_first option to squid?

By the way, I think that the following topic is also the same issue.
 [squid-users] (92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)

Regards,
--
Mikio Kishi

On Sat, Jun 27, 2020 at 9:29 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 27/06/20 7:07 pm, mikio.kishi wrote:
> > Hi all,
> >
> > I am currently using sslbump feature. Sometimes, squid failed to verify
> > a https web site with
> > cross root cert. On the other hand, the site is accessible directly from
> > major web browsers,
> > such as chrome and firefox. I am guessing that the cert verification
> > handling of the current
> > sslbump seems to be NOT trusted_first mode. Are there any solutions to
> > change to trusted_first
> > verification mode for squid ?
> >
>
> Solutions based purely on guesswork are unlikely to work.
>
>
> Missing information:
>
>  * Squid version
>
>  * details of the chain being delivered to Squid
>
>  * details of the expected cross-signing chain(s).
>
>  * by "trusted_first mode" do you mean TOFU or something else?
>
>
> Squid supports a helper, which can do any type of validation -
> including none. BUT ... you first need to eliminate the guesses to see
> if it is a validation or something completely unexpected.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>