[squid-users] sslBump + signed proxy (hierarchical CA) cert

From: Sean Boran <sean_at_boran.com>
Date: Tue, 13 Dec 2011 13:50:04 +0100

Hi,

The problem:
after successful tests with a self-signed cert for sslbump, the idea
is to use a "real" cert signed by a CA known in common browsers. Such a
cert has a hierarchy "chain", i.e. the proxy cert is signed by an
official CA, which is signed by a CA whose key is in browsers.

Support for such cert chaining was introduced in squid 3.2 I
understand, but I've not had luck in getting it running so far :-( .
See also http://bugs.squid-cache.org/show_bug.cgi?id=3426

Perhaps someone on squid-users has a few tips to help me understand if
the issue is with my config, or the sslbump code.

The Test environment:
-----------------------------
Running the recent squid-3.2.0.14 tarball, on Ubuntu 10.04
A few debug options to try and see useful logs:
  debug_options ALL,1 83,8 23,2 84,5
  sslcrtd_program /usr/local/squid/libexec/ssl_crtd -d -s /var/lib/squid_ssl_db -M 4MB

The proxy's cert was generated by:
- openssl genrsa -out proxy.vptt.ch.key 2048
- send to CA and get back a .crt file
- create a file containing the private keys, signed public key, and
public keys of the CA chain:
cat proxy.cer proxy.pem proxy.key CA_1_pem.crt Root_CA_1_pem.crt > proxy.chain

http_port 80 ssl-bump cert=/etc/squid/ssl/proxy.chain generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

Before starting, wipe all cached certs:
  /etc/init.d/squid stop
  \rm -rf /var/lib/squid_ssl_db
  /usr/local/squid/libexec/ssl_crtd -c -s /var/lib/squid_ssl_db
  chown -R proxy /var/lib/squid_ssl_db
  /etc/init.d/squid start

Starting squid:
----------------
Having started squid, visit https://www.squid-cache.org;
the browser (FF 8.0.1 on Windows) complains "www.squid-cache.org uses
an invalid security certificate".

Asking the browser to show the cert details, one sees that the
certificate hierarchy only has just one level, www.squid-cache.org
signed by the proxy (i.e. no sign of the intermediate CAs).

Analysis:
-----------
Detailed logs are listed below:
- sslbump is being activated, a new cert is generated for the
destination website, and signed. Two public certs are visible in the
logs:
  a) the proxy's cert, which when analysed (pasted to a file.crt and
viewed under Windows) contains a correct hierarchy proxy > CA1 > root_CA
  b) a cert for www.squid-cache.org, which is issued by the proxy, but
does not contain hierarchy information.

- the browser replies finally with "unknown ca"

Any suggestions as to what I'm doing wrong, or what measures to take
to debug in more detail?

Thanks in advance,

Sean

------ snip logs ----

2011/12/13 13:08:55.564| Accepting SSL bumped HTTP Socket connections
at local=[::]:80 remote=[::] FD 22 flags=9
2011/12/13 13:08:56| storeLateRelease: released 0 objects
..
2011/12/13 13:09:06.961| client_side_request.cc(1469) doCallouts:
Doing calloutContext->hostHeaderVerify()
2011/12/13 13:09:06.962| client_side_request.cc(1476) doCallouts:
Doing calloutContext->clientAccessCheck()
2011/12/13 13:09:06.963| urlParse: URI has whitespace:
{icap://127.0.0.1:1344/squidclamav ICAP/1.0
}
2011/12/13 13:09:06.963| urlParse: URI has whitespace:
{icap://127.0.0.1:1344/squidclamav ICAP/1.0
}
2011/12/13 13:09:06.967| client_side_request.cc(1505) doCallouts:
Doing calloutContext->clientAccessCheck2()
2011/12/13 13:09:06.967| client_side_request.cc(1512) doCallouts:
Doing clientInterpretRequestHeaders()
2011/12/13 13:09:06.967| client_side_request.cc(1344) sslBumpNeeded:
sslBump required: Yes
2011/12/13 13:09:06.967| client_side_request.cc(1568) doCallouts:
calling processRequest()
2011/12/13 13:09:06.967| GetFirstAvailable: Running servers 5
2011/12/13 13:09:06.967| helperDispatch: Request sent to ssl_crtd #1, 3739 bytes
2011/12/13 13:09:06.967| helperSubmit: new_certificate 3717
host=www.squid-cache.org
-----BEGIN CERTIFICATE-----
<proxy public cert: deleted>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
.<deleted>.
-----END RSA PRIVATE KEY-----
2011/12/13 13:09:07.034| helperHandleRead: 1885 bytes from ssl_crtd #1
2011/12/13 13:09:07.034| helperHandleRead: 'OK 1876
-----BEGIN CERTIFICATE-----
.<deleted>.
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
.<deleted>.
-----END RSA PRIVATE KEY-----
'
2011/12/13 13:09:07.034| helperHandleRead: end of reply found
2011/12/13 13:09:07.035| GetFirstAvailable: Running servers 5
2011/12/13 13:09:07.035| clientNegotiateSSL: Error negotiating SSL
connection on FD 10: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/0)

------ snip ----
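The chain the post describes, rebuilt as an added example (not code from the post or from Squid) so the symptom can be reproduced with openssl alone: a root, an intermediate CA_1, the proxy.vptt.ch signing cert, and a per-host cert minted the way ssl_crtd does, followed by a check of which intermediates a client that trusts only the root must be sent. File names follow the post; the scratch directory, the extension files and the omission of proxy.pem are assumptions of this example.

```shell
# Added example, not from the original post or from Squid: rebuild the
# hierarchy the post describes (Root_CA_1 > CA_1 > proxy.vptt.ch > host cert)
# with openssl, then check which intermediates a client must be sent before
# the minted host cert validates against the root alone. File names follow
# the post; the scratch directory and extension files are assumptions.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
# new_csr <CN> <key out> <csr out>
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}
# sign_cert <csr> <issuer cert> <issuer key> <extfile> <cert out>
sign_cert() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}
# Root_CA_1: self-signed, the only certificate the browser trusts
new_csr Root_CA_1 root.key root.csr
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ca.ext -out Root_CA_1_pem.crt 2>/dev/null
# CA_1: intermediate issued by the root
new_csr CA_1 ca1.key ca1.csr
sign_cert ca1.csr Root_CA_1_pem.crt root.key ca.ext CA_1_pem.crt
# proxy.vptt.ch: the ssl-bump signing cert; it issues host certs, so CA:TRUE
openssl genrsa -out proxy.vptt.ch.key 2048 2>/dev/null
openssl req -new -key proxy.vptt.ch.key -subj "/CN=proxy.vptt.ch" \
  -out proxy.csr 2>/dev/null
sign_cert proxy.csr CA_1_pem.crt ca1.key ca.ext proxy.cer
# Chain file in the post's order (proxy.pem from the post is omitted)
cat proxy.cer proxy.vptt.ch.key CA_1_pem.crt Root_CA_1_pem.crt > proxy.chain
# What ssl_crtd does per site: a leaf for www.squid-cache.org signed by proxy
new_csr www.squid-cache.org host.key host.csr
sign_cert host.csr proxy.cer proxy.vptt.ch.key leaf.ext www.squid-cache.org.crt
# count_certs <file>: PEM certificates in a bundle (3 for proxy.chain)
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }
# verify_host [intermediates file]: can a client that trusts only the root
# validate the host cert when handed exactly these extra certificates?
verify_host() {
  if [ -n "${1:-}" ]; then set -- -untrusted "$1"; else set --; fi
  openssl verify -CAfile Root_CA_1_pem.crt "$@" www.squid-cache.org.crt \
    >/dev/null 2>&1
}

cat proxy.cer CA_1_pem.crt > sent.pem    # the intermediates the proxy must send
verify_host sent.pem && echo "host + proxy + CA_1: verifies"
verify_host proxy.cer || echo "host + proxy only: unknown ca (the post's symptom)"
```

The same `-untrusted` check can be run on whatever certificates `openssl s_client -showcerts` captures from the bumped connection, which shows directly whether the intermediates are being sent.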
Received on Tue Dec 13 2011 - 12:50:10 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 13 2011 - 12:00:03 MST