Hi Amos,
Thank you for your reply and I apologize for the missing information.
The following is the detailed one.
> * Squid version
* Squid version 3.5.26 (probably ver. 4.X also has the same issue)
* OpenSSL 1.0.2k
> * details of the chain being delivered to Squid
> * details of the expected cross-signing chain(s).
There are many websites that are facing this issue.
For instance, "sbv.gov.vn:443".
# openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify error:num=10:certificate has expired
notAfter=Mar 18 10:00:00 2019 GMT
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
notAfter=Mar 18 10:00:00 2019 GMT
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
notAfter=Sep 21 00:00:00 2026 GMT
verify return:1
depth=0 businessCategory = Government Entity, serialNumber = Government Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street = "47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information Technology, O = The State Bank of Viet Nam, CN = www.sbv.gov.vn
notAfter=Nov 8 03:31:58 2020 GMT
verify return:1
... snip ...
Verify return code: 10 (certificate has expired)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The above verification was NG (certificate has expired).
On the other hand, the verification was OK if the "-trusted_first" option was given.
# openssl s_client -trusted_first -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
verify depth is 5
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Government Entity, serialNumber = Government Entity, jurisdictionC = VN, C = VN, ST = Ha Noi, L = Ha Noi, street = "47-49 Ly Thai To, Hoan Kiem District", OU = Department of Information Technology, O = The State Bank of Viet Nam, CN = www.sbv.gov.vn
verify return:1
... snip ...
Verify return code: 0 (ok)
^^^^^^^^^^^^^^^^^^^^^^^^^^
In the "Cross-Signed Certificate" case, openssl fails to verify by default even if another signed root is available.
Squid's behavior seems to be the same. That's why I needed the "trusted_first" feature.
For your information, major web browsers (like Chrome/Firefox) could access the site directly because of trusted-first mode.
In my opinion, adding the following code (in ssl/support.cc) will be effective.
X509_VERIFY_PARAM_set_flags(ctx->param, X509_V_FLAG_TRUSTED_FIRST);
(The type of ctx is "X509_STORE_CTX *".)
Could you please add the trusted_first option to Squid?
By the way, I think that the following topic is also the same issue.
(92) Protocol error (TLS code: X509_V_ERR_CERT_HAS_EXPIRED)
Regards,
--
Mikio Kishi
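An added example, not code from the Squid project or from the poster: a toy model of the path-building choice behind X509_V_FLAG_TRUSTED_FIRST, using a constructed chain that mirrors the s_client output above (the cross-signed "Root CA - R3" delivered by the server has expired, while the trust store holds a valid self-signed R3). Subject names, dates and the 5-depth limit are assumptions for illustration; real OpenSSL path building has more cases than this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model (added example, not Squid or OpenSSL code).
 * not_after is "days from today"; negative means already expired. */
typedef struct { const char *subject, *issuer; long not_after; } Cert;

enum { V_OK = 0, V_EXPIRED = 10, V_NO_ISSUER = 20 };  /* OpenSSL-style codes */

/* Chain delivered by the server: leaf, EV CA, and the cross-signed
 * "Root CA - R3" issued by the older "GlobalSign Root CA" (expired). */
static const Cert untrusted[] = {
    { "www.sbv.gov.vn",      "EV CA - SHA256 - G3", 300 },
    { "EV CA - SHA256 - G3", "Root CA - R3",        2000 },
    { "Root CA - R3",        "GlobalSign Root CA",  -100 },
};
/* Local trust store: both roots as valid self-signed certificates. */
static const Cert trusted[] = {
    { "Root CA - R3",       "Root CA - R3",       5000 },
    { "GlobalSign Root CA", "GlobalSign Root CA", 5000 },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

static const Cert *find(const Cert *set, size_t n, const char *subject) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(set[i].subject, subject) == 0) return &set[i];
    return NULL;
}

/* Walk from the leaf to a trust anchor, checking expiry at each depth.
 * trusted_first selects which set is searched first for each issuer.
 * Returns V_OK, or an error code with *err_depth set like s_client's "depth=". */
int verify(const Cert *leaf, int trusted_first, int *err_depth) {
    const Cert *cur = leaf;
    for (int depth = 0; depth < 5; depth++) {           /* like "-verify 5" */
        if (cur->not_after < 0) { *err_depth = depth; return V_EXPIRED; }
        if (find(trusted, N(trusted), cur->subject) == cur) return V_OK; /* anchor */
        const Cert *t = find(trusted, N(trusted), cur->issuer);
        const Cert *u = find(untrusted, N(untrusted), cur->issuer);
        const Cert *next = trusted_first ? (t ? t : u) : (u ? u : t);
        if (!next) { *err_depth = depth; return V_NO_ISSUER; }
        cur = next;
    }
    *err_depth = 5; return V_NO_ISSUER;
}

/* Depth at which verification of the constructed chain fails, or -1 if it passes. */
int failure_depth(int trusted_first) {
    int d;
    return verify(&untrusted[0], trusted_first, &d) == V_OK ? -1 : d;
}
```

With the default (untrusted-first) order the walk reaches the expired cross-certificate at depth 2, exactly where s_client reported error 10; with trusted-first it stops at the valid R3 in the trust store and passes.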
On Sat, Jun 27, 2020 at 9:29 PM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 27/06/20 7:07 pm, mikio.kishi wrote:
> Hi all,
>
> I am currently using sslbump feature. Sometimes, squid failed to verify
> a https web site with
> cross root cert. On the other hand, the site is accessible directly from
> major web browsers,
> such as chrome and firefox. I am guessing that the cert verification
> handling of the current
> sslbump seems to be NOT trusted_first mode. Are there any solutions to
> change to trusted_first
> verification mode for squid ?
>
Solutions based purely on guesswork are unlikely to work.
Missing information:
* Squid version
* details of the chain being delivered to Squid
* details of the expected cross-signing chain(s).
* by "trusted_first mode" do you mean TOFU or something else?
Squid supports a helper, which can do any type of validation -
including none. BUT ... you first need to eliminate the guesses to see
if it is a validation issue or something completely unexpected.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users