[LINUX] [HTTPS proxy with squid] Eliminating the error when accessing a web server that does not send the intermediate CA certificate.

Introduction

I run an HTTPS proxy that intercepts SSL, and I solved a problem with it, so I am recording it here. The environment is the one built last time: ** Create Proxy with Active Directory linkage and SSL interception with squid easily with docker **

What happened

An error occurs when connecting to the following site: https://learningnetwork.cisco.com/s/

The browser reports that the issuer of the certificate is unknown, which suggests the certificate chain cannot be built.

Research of cause

Checking the logs

In the access log, the two TCP_DENIED/407 lines for the CONNECT are normal: the browser retries with credentials and the CONNECT is then accepted (NONE/200). The interesting line is the GET of hydsslg2.crt: squid itself tries to download the missing intermediate CA certificate, but that request carries no user credentials (the user field is "-"), so it is rejected by the proxy's own authentication rule with TCP_DENIED/407. Without the intermediate, the server certificate cannot be verified (the chain cannot be built), and the origin request fails with 503.

squid_access.log


 TCP_DENIED/407 4118 CONNECT learningnetwork.cisco.com:443 - HIER_NONE/- text/html
 TCP_DENIED/407 4488 CONNECT learningnetwork.cisco.com:443 - HIER_NONE/- text/html
 NONE/200 0 CONNECT learningnetwork.cisco.com:443 PROSPER2\USERNAME HIER_NONE/- -
 TCP_DENIED/407 3616 GET http://trust.quovadisglobal.com/hydsslg2.crt - HIER_NONE/- text/html;charset=utf-8
 TCP_MISS/503 7165 GET https://learningnetwork.cisco.com/s/jp-cln PROSPER2\USERNAME HIER_DIRECT/161.71.178.161 text/html

squid_cache.log


kid1| ALE missing IDENT
kid1| ERROR: negotiating TLS on FD 23: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)

Squid 4 and later can fetch a missing intermediate certificate automatically, following the CA Issuers URL in the server certificate's Authority Information Access extension, the same way browsers do:

Squid-4 is capable of downloading missing intermediate CA certificates, like popular browsers do.

Source: https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Missing_intermediate_certificates

As the log shows, this feature does not help here: the download of the certificate is made by squid without the client's credentials, so the proxy's authentication ACL denies it, and the intermediate is never obtained.

Try to get the certificate

For learningnetwork.cisco.com

Fetching the certificate chain shows that the server sends only its own (leaf) certificate. The intermediate CA certificate that would let the chain be built is not included, so verification fails with "unable to get local issuer certificate".

#  openssl s_client -connect learningnetwork.cisco.com:443 -showcerts </dev/null | grep '[si]:'
depth=0 C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = learningnetwork.cisco.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = learningnetwork.cisco.com
verify error:num=21:unable to verify the first certificate
verify return:1
 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = learningnetwork.cisco.com
   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2

For www.cisco.com

Here, by contrast, the server sends the HydrantID intermediate as well, and the chain verifies up to the QuoVadis Root CA 2.

#  openssl s_client -connect www.cisco.com:443 -showcerts </dev/null | grep '[si]:'
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify return:1
depth=1 C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = www.cisco.com
verify return:1
 0 s:C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", CN = www.cisco.com
   i:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
 1 s:C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
   i:C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2

Solution

In other words, the fix is to give squid the intermediate CA certificate it could not download, either by letting its own download through or by installing the certificate locally.

Solution 1

Add the host from which the intermediate certificate is downloaded to the whitelist, so that squid's own (unauthenticated) fetch is allowed. The whitelist rule must be evaluated before the rule that denies unauthenticated requests, otherwise the fetch is still answered with 407. Note that this grants every client unauthenticated access to the whitelisted domain, so keep the pattern as narrow as possible.

whitelist


^(https*://)*([^/][^/]*\.)*quovadisglobal\.com(:443|:80)*(/.*)*$
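The two checks described above (finding the certificate download that squid attempted without credentials, and making sure the whitelist entry covers that URL without also matching lookalike hosts) as an added Python example; this is not code from the article or from squid. It uses the access.log lines quoted above as constructed input, assumes squid's native log field order, and the lookalike URLs are constructed for the test.

```python
import re
from typing import Dict, List

# Constructed sample input: the access.log lines quoted in the article, with the
# leading timestamp / elapsed-ms / client-IP fields stripped as they are on the page.
ACCESS_LOG = """\
TCP_DENIED/407 4118 CONNECT learningnetwork.cisco.com:443 - HIER_NONE/- text/html
TCP_DENIED/407 4488 CONNECT learningnetwork.cisco.com:443 - HIER_NONE/- text/html
NONE/200 0 CONNECT learningnetwork.cisco.com:443 PROSPER2\\USERNAME HIER_NONE/- -
TCP_DENIED/407 3616 GET http://trust.quovadisglobal.com/hydsslg2.crt - HIER_NONE/- text/html;charset=utf-8
TCP_MISS/503 7165 GET https://learningnetwork.cisco.com/s/jp-cln PROSPER2\\USERNAME HIER_DIRECT/161.71.178.161 text/html
"""

# The whitelist entry from the article (squid url_regex syntax, one regex per line).
WHITELIST = r"""
^(https*://)*([^/][^/]*\.)*quovadisglobal\.com(:443|:80)*(/.*)*$
"""

# Constructed lookalike URLs: a too-loose whitelist would let these through unauthenticated.
LOOKALIKES = [
    "http://quovadisglobal.com.evil.example/hydsslg2.crt",
    "http://notquovadisglobal.com/hydsslg2.crt",
    "http://evil.example/?quovadisglobal.com",
    "http://quovadisglobal.com@evil.example/",
]

STATUS_RE = re.compile(r"^[A-Z_]+/\d{3}$")          # e.g. TCP_DENIED/407
CERT_SUFFIXES = (".crt", ".cer", ".der", ".p7c")    # usual AIA caIssuers file types


def parse_access_log(text: str) -> List[Dict[str, str]]:
    """Parse native-format squid access.log lines into dicts.

    The status/code token is located by pattern, so lines with or without the
    leading timestamp, elapsed-ms and client-IP fields both parse.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if STATUS_RE.match(f)), None)
        if idx is None or len(fields) < idx + 5:
            continue
        status, code = fields[idx].split("/")
        entries.append({
            "status": status, "code": code, "method": fields[idx + 2],
            "url": fields[idx + 3], "user": fields[idx + 4],
        })
    return entries


def denied_cert_fetches(entries: List[Dict[str, str]]) -> List[str]:
    """URLs of certificate downloads squid attempted itself (no credentials, so the
    user field is '-') that the authentication ACL rejected with 407."""
    return [e["url"] for e in entries
            if e["method"] == "GET" and e["status"] == "TCP_DENIED"
            and e["code"] == "407" and e["user"] == "-"
            and e["url"].lower().endswith(CERT_SUFFIXES)]


def load_whitelist(text: str) -> List[re.Pattern]:
    return [re.compile(p.strip()) for p in text.splitlines() if p.strip()]


def whitelist_allows(url: str, patterns: List[re.Pattern]) -> bool:
    # squid url_regex is an unanchored search; the article's entry anchors itself with ^ and $.
    return any(p.search(url) for p in patterns)


def check_whitelist(access_log: str, whitelist_text: str, lookalikes: List[str]) -> Dict[str, List[str]]:
    """Report which denied certificate fetches the whitelist now allows, and which
    lookalike URLs it would wrongly allow as well."""
    patterns = load_whitelist(whitelist_text)
    denied = denied_cert_fetches(parse_access_log(access_log))
    return {
        "denied_cert_urls": denied,
        "still_blocked": [u for u in denied if not whitelist_allows(u, patterns)],
        "overmatched": [u for u in lookalikes if whitelist_allows(u, patterns)],
    }


if __name__ == "__main__":
    for key, value in check_whitelist(ACCESS_LOG, WHITELIST, LOOKALIKES).items():
        print(f"{key}: {value}")
```

Run it against the real access.log and whitelist file on the proxy after adding a rule; an empty `still_blocked` means the fetch now gets through, and a non-empty `overmatched` means the regex is broader than the certificate host and should be tightened.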

Solution 2

Store the missing intermediate CA certificate on the squid server and point squid at it as a foreign intermediate certificate. The file at the CA Issuers URL is DER-encoded, but squid reads sslproxy_foreign_intermediate_certs as a PEM file (several certificates may be concatenated in it), so convert it to PEM when saving. Because the download is made over plain HTTP, check that the saved certificate's subject and issuer are the HydrantID SSL ICA G2 / QuoVadis Root CA 2 pair seen in the www.cisco.com chain before relying on it; trust still comes from squid's root store, so a wrong intermediate will simply fail to verify.

# curl -L http://trust.quovadisglobal.com/hydsslg2.crt --output - | openssl x509 -inform DER -outform PEM > /etc/squid/certs/ca3rd/hydsslg2.crt

Specify the certificate obtained in squid.conf.

squid.conf


sslproxy_foreign_intermediate_certs /etc/squid/certs/ca3rd/hydsslg2.crt

After reloading squid, the site loads without the certificate error.

References

How to use the openssl command
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
