I'm having an issue doing sslbumping with what seems to be isolated to CNAMEs, where the certificate that is getting sent by squid (currently 3.3.9) back to the client has the CN field set to an IP address rather than a legitimate subject in the x509 certificate. An example of this behavior as seen by the client is:
# openssl s_client -connect autodiscover.domain.com:443
CONNECTED(00000003)
depth=1 C = US, ST = Virginia, L = Alexandria, O = North American Domain, OU = IT Group, CN = fwa.domain.com, emailAddress = it_at_domain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=157.56.236.89   <-- This is causing the client browser/application to break because the subject doesn't match the site
   i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
 1 s:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
   i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
<snip>
# host autodiscover.domain.com
autodiscover.domain.com is an alias for autodiscover.outlook.com.
autodiscover.outlook.com is an alias for autodiscover.outlook.com.glbdns.microsoft.com.
autodiscover.outlook.com.glbdns.microsoft.com is an alias for autodiscover-nameast.outlook.com.
autodiscover-nameast.outlook.com has address 157.56.244.217
autodiscover-nameast.outlook.com has address 157.56.234.137
autodiscover-nameast.outlook.com has address 157.56.236.89
autodiscover-nameast.outlook.com has address 157.56.240.137
But trying a different site that has that level of CNAME nesting seems to return the correct results:
# openssl s_client -connect www.yahoo.com:443
CONNECTED(00000003)
depth=1 C = US, ST = Virginia, L = Alexandria, O = North American Domain, OU = IT Group, CN = fwa.domain.com, emailAddress = it_at_domain.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU/C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./CN=www.yahoo.com
   i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
 1 s:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
   i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
# host www.yahoo.com
www.yahoo.com is an alias for fd-fp3.wg1.b.yahoo.com.
fd-fp3.wg1.b.yahoo.com is an alias for ds-fp3.wg1.b.yahoo.com.
ds-fp3.wg1.b.yahoo.com is an alias for ds-any-fp3-lfb.wa1.b.yahoo.com.
ds-any-fp3-lfb.wa1.b.yahoo.com is an alias for ds-any-fp3-real.wa1.b.yahoo.com.
ds-any-fp3-real.wa1.b.yahoo.com has address 98.139.183.24
ds-any-fp3-real.wa1.b.yahoo.com has address 98.139.180.149
The relevant lines from the squid.conf on the gateway for the SSL proxy:
https_port 192.168.100.25:3129 intercept ssl-bump cert=/usr/local/etc/squid/ssl/server.crt key=/usr/local/etc/squid/ssl/server.key generate-host-certificates=on dynamic_cert_mem_cache_size=32MB
# For SSL proxy
always_direct allow all
ssl_bump server-first all
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt
sslproxy_cert_error deny all
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 32MB
sslcrtd_children 10
Verification that what the client sees as the signing CA matches what's in the squid cert config:
# openssl x509 -in /usr/local/etc/squid/ssl/server.crt -noout -subject
subject= /C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com
I haven't put my finger on exactly what level of nesting or what is special about the CNAME attribute that, for some sites, is causing the dynamic certificate that is being sent to have the CN set to just the IP address. Any help in this matter would be greatly appreciated.
--Matt
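An added diagnostic for the problem in the post above (example code, not something from the thread or from the Squid project): it fetches the leaf certificate a TLS endpoint actually presents, the way `openssl s_client` does but without aborting on a name mismatch, and checks whether the requested hostname is covered by the leaf's CN or subjectAltName using the RFC 6125 matching rules browsers apply (SANs take precedence; a CN that is an IP literal never matches a DNS name; a wildcard only matches one left-most label). The two sample certificate dicts are constructed here to mirror the output in the post; the CA path is the one from the squid.conf above. The `fetch_cert` helper can also connect to one of the resolved A records without sending SNI, which is all an intercepting proxy that knows only the destination IP can do, so you can compare what the origin serves in that case with what it serves when asked for the name; that comparison is an assumption about where to look, not a confirmed cause. Run the origin checks from a host whose traffic is not itself intercepted, or the proxy will answer again.

```python
"""Compare the identity a TLS endpoint presents with the name the client asked for."""
from __future__ import annotations

import ipaddress
import socket
import ssl
import sys
from typing import Optional

SQUID_CA = "/usr/local/etc/squid/ssl/server.crt"  # CA from the squid.conf in the post

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output:
# the bumped autodiscover leaf (CN is an IP, no SAN) and a yahoo-style leaf.
SAMPLE_BUMPED_CERT = {"subject": ((("commonName", "157.56.236.89"),),)}
SAMPLE_ORIGIN_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.yahoo.com"),)),
    "subjectAltName": (("DNS", "www.yahoo.com"), ("DNS", "yahoo.com")),
}


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 dNSName match: case-insensitive; '*' allowed only as the whole
    left-most label and never spanning a dot; IP identities compare exactly."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if is_ip_literal(pattern) or is_ip_literal(hostname):
        return hostname == pattern  # an IP CN can never satisfy a DNS name
    if "*" not in pattern:
        return hostname == pattern
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_identity(cert: dict) -> tuple[Optional[str], list[str]]:
    """Extract CN and DNS/IP SANs from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for t, v in cert.get("subjectAltName", ()) if t in ("DNS", "IP Address")]
    return cn, sans


def covers_hostname(hostname: str, cn: Optional[str], sans: list[str]) -> bool:
    """SANs win when present; CN is only a fallback for SAN-less certificates
    (and modern browsers ignore the CN entirely)."""
    if sans:
        return any(name_matches(hostname, s) for s in sans)
    return cn is not None and name_matches(hostname, cn)


def diagnose(hostname: str, cert: dict) -> str:
    cn, sans = cert_identity(cert)
    ok = covers_hostname(hostname, cn, sans)
    verdict = "OK" if ok else "MISMATCH"
    if not ok and cn and is_ip_literal(cn) and not sans:
        verdict += " (leaf identifies only an IP address, as in the autodiscover case)"
    return f"{hostname}: CN={cn} SAN={sans} -> {verdict}"


def fetch_cert(hostname: str, connect_to: Optional[str] = None, port: int = 443,
               cafile: Optional[str] = None, send_sni: bool = True) -> dict:
    """Return the presented leaf as a dict. Chain verification is kept (it must
    succeed for getpeercert() to be populated) but the hostname check is off so
    a mismatched certificate can still be inspected. cafile=SQUID_CA when the
    connection is bumped; None uses the system trust store for direct checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((connect_to or hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if send_sni else None) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) < 2:  # offline demonstration on the constructed samples
        print(diagnose("autodiscover.domain.com", SAMPLE_BUMPED_CERT))
        print(diagnose("www.yahoo.com", SAMPLE_ORIGIN_CERT))
        sys.exit(0)
    host = sys.argv[1]
    print("via proxy  :", diagnose(host, fetch_cert(host, cafile=SQUID_CA)))
    for ip in socket.gethostbyname_ex(host)[2]:  # each A record behind the CNAME chain
        for sni in (True, False):
            try:
                cert = fetch_cert(host, connect_to=ip, send_sni=sni)
                print(f"origin {ip} sni={sni}:", diagnose(host, cert))
            except (ssl.SSLError, OSError) as exc:
                print(f"origin {ip} sni={sni}: handshake failed: {exc}")
```

With no argument the script runs the offline samples; with a hostname it prints the bumped certificate as the LAN client sees it, then the origin's certificate for every resolved address with and without SNI, which shows directly whether the subject changes depending on how the origin is addressed.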
Received on Wed Sep 18 2013 - 02:03:02 MDT