[squid-users] sslbump dynamic certificates for CNAMEs issue

From: Matt Carey <cvstealth2000_at_yahoo.com>
Date: Tue, 17 Sep 2013 19:02:54 -0700 (PDT)

I'm having an issue doing sslbumping with what seems to be isolated to CNAMEs where the certificate that is getting sent by squid (currently 3.3.9) back to the client has the CN field set to an IP address rather then a legit subject in the x509 certificate. An example of this behavior as seen by the client is: # openssl s_client -connect autodiscover.domain.com:443 CONNECTED(00000003) depth=1 C = US, ST = Virginia, L = Alexandria, O = North American Domain, OU = IT Group, CN = fwa.domain.com, emailAddress = it_at_domain.com verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain �0 s:/CN=157.56.236.89 � <-- This is causing the client browser/application to break because the subject doesn't match the site � �i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com �1 s:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com � �i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com <snip> # host autodiscover.domain.com autodiscover.domain.com is an alias for autodiscover.outlook.com. autodiscover.outlook.com is an alias for autodiscover.outlook.com.glbdns.microsoft.com. autodiscover.outlook.com.glbdns.microsoft.com is an alias for autodiscover-nameast.outlook.com. autodiscover-nameast.outlook.com has address 157.56.244.217 autodiscover-nameast.outlook.com has address 157.56.234.137 autodiscover-nameast.outlook.com has address 157.56.236.89 autodiscover-nameast.outlook.com has address 157.56.240.137 But trying a different site that has that level of CNAME nesting seems to return the correct results: # openssl s_client -connect www.yahoo.com:443 CONNECTED(00000003) depth=1 C = US, ST = Virginia, L = Alexandria, O = North American Domain, OU = IT Group, CN = fwa.domain.com, emailAddress = it_at_domain.com verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain �0 s:/serialNumber=2g8aO5wI1bKJ2ZD588UsLvDe3gTbg8DU/C=US/ST=California/L=Sunnyvale/O=Yahoo �Inc./CN=www.yahoo.com � �i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com �1 s:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com � �i:/C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com # host www.yahoo.com www.yahoo.com is an alias for fd-fp3.wg1.b.yahoo.com. fd-fp3.wg1.b.yahoo.com is an alias for ds-fp3.wg1.b.yahoo.com. ds-fp3.wg1.b.yahoo.com is an alias for ds-any-fp3-lfb.wa1.b.yahoo.com. ds-any-fp3-lfb.wa1.b.yahoo.com is an alias for ds-any-fp3-real.wa1.b.yahoo.com. ds-any-fp3-real.wa1.b.yahoo.com has address 98.139.183.24 ds-any-fp3-real.wa1.b.yahoo.com has address 98.139.180.149 The relevant lines from the squid.conf on the gateway for the SSL proxy: https_port 192.168.100.25:3129 intercept ssl-bump cert=/usr/local/etc/squid/ssl/server.crt key=/usr/local/etc/squid/ssl/server.key generate-host-certificates=on dynamic_cert_mem_cache_size=32MB # For SSL proxy always_direct allow all ssl_bump server-first all sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt sslproxy_cert_error deny all sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 32MB sslcrtd_children 10� Verification that what the client sees as the signing CA matches what's in the squid cert config: �# openssl x509 -in /usr/local/etc/squid/ssl/server.crt -noout -subject subject= /C=US/ST=Virginia/L=Alexandria/O=North American Domain/OU=IT Group/CN=fwa.domain.com/emailAddress=it_at_domain.com I haven't put my finger on exactly what level of nesting or what is special about the CNAME attribute that for some sites is causing the dynamic certificate the is being sent to have the CN set to just the IP address. Any help in this matter would be greatly appreciated. --Matt
Received on Wed Sep 18 2013 - 02:03:02 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 18 2013 - 12:00:05 MDT