On Fri, 2008-08-22 at 12:12 -0400, David Yerger wrote:
Doing a transparent http-to-https proxy:
I have client_ca_directory defined, with my CA's intermediate and root certs in there, but client devices without the intermediate cert can't connect, for example:
$ openssl s_client -connect owa.<deleted>.com:443 -showcerts < /dev/null
CONNECTED(00000003)
depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
-----BEGIN CERTIFICATE-----
MIIE8zCCA9ugAwIBAgIDRqHrMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJV
UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UE
ChMRR29EYWRkeS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0
<snip>
3PGHYxjmpBFZKtaSFoI4QyAWywn0CXefB/hOPkc0IP7fiRlsFZj/JrknfpKo6qps
uy+Df1AdPf+OXBSqwWWlDdSbFrx9wZc1i0oafe837YNiixVtJ9Sr955It7RL0FpD
+iv15z3HwJ+U0Fuundwp8n/P1j18rtM=
-----END CERTIFICATE-----
---
Server certificate
subject=/O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 1433 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 4F0D7577C6C97C7D0E66C73C82896637E4866CFCF9CE371B0CD4DA34E4FD1777
    Session-ID-ctx:
    Master-Key: 463D578F6593F1B7C634388F7A1FA90D3C832AEC9C68FF4598F921D9E6E84D2AE1EB996564D802FA159B46D10EF14785
    Key-Arg   : None
    Start Time: 1219420426
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
DONE
It appears that it's not picking up the intermediate cert; is there any way around this? Apache has an SSLCertificateChainFile directive, is something similar needed?
I _think_ it should work if you put the intermediate certificate into the trusted CA directory of the proxy, e.g. put the intermediate CA certificates in the directory pointed to by self.client_ca_directory, named by the hash value of their subject name (openssl x509 -hash).

-- 
Bazsi
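An added example of the hash-named CA directory layout that the reply above describes. It is not code from this thread or from the proxy project; it builds a constructed root / intermediate / leaf chain with the openssl CLI, then uses `openssl verify -CApath` to show that issuer lookup in such a directory only works through `<subject-hash>.<n>` file names: certificates dropped in under their own names are never found, a directory holding only the hashed root reproduces the "unable to get local issuer certificate" error from the s_client output above, and installing the hashed intermediate makes the chain verify. The directory name (a stand-in for client_ca_directory), the host name owa.example.com and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): demonstrates why a CA
# directory must contain certificates under their subject-hash names.
# Requires the openssl CLI. All certificates below are constructed on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a constructed three-level chain: root -> intermediate -> leaf.
# The leaf is what a server like the one in the thread would present alone.
make_chain() {
    # Self-signed root CA (req -x509 marks it CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Example Root CA" 2>/dev/null
    # Intermediate CA signed by the root; CA:TRUE so it may issue the leaf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    # End-entity certificate for the (assumed) OWA host, issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=owa.example.com" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# Install one CA certificate into a CApath directory under the name OpenSSL
# looks for: <subject hash>.<n>, n starting at 0 and incremented on collision.
# This is the manual form of what c_rehash / "openssl rehash" do with symlinks.
install_ca() {
    dir=$1; cert=$2
    hash=$(openssl x509 -hash -noout -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$dir/$hash.$n"
    echo "$hash.$n"
}

# Return 0 only if openssl reports ": OK". The exit status of older
# "openssl verify" builds is not reliable, so the output is inspected.
verify_with_capath() {
    dir=$1; cert=$2
    out=$(openssl verify -CApath "$dir" "$cert" 2>&1) || true
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

report() { if verify_with_capath "$1" "$WORK/leaf.pem"; then echo OK; else echo FAIL; fi; }

# Scenario 1: root and intermediate are in the directory, but under their own
# file names. The hash lookup never opens them, so verification fails.
scenario_plain_names() {
    d="$WORK/plain"; rm -rf "$d"; mkdir -p "$d"
    cp "$WORK/root.pem" "$WORK/int.pem" "$d/"
    report "$d"
}

# Scenario 2: only the root is hash-named. The leaf's issuer (the intermediate)
# cannot be found: "error 20 ... unable to get local issuer certificate".
scenario_root_only() {
    d="$WORK/rootonly"; rm -rf "$d"; mkdir -p "$d"
    install_ca "$d" "$WORK/root.pem" >/dev/null
    report "$d"
}

# Scenario 3: root and intermediate both hash-named; the chain verifies.
scenario_root_and_intermediate() {
    d="$WORK/full"; rm -rf "$d"; mkdir -p "$d"
    install_ca "$d" "$WORK/root.pem" >/dev/null
    install_ca "$d" "$WORK/int.pem" >/dev/null
    report "$d"
}

make_chain
printf 'plain file names            : %s\n' "$(scenario_plain_names)"
printf 'hashed root only            : %s\n' "$(scenario_root_only)"
printf 'hashed root + intermediate  : %s\n' "$(scenario_root_and_intermediate)"
```

Two caveats for anyone applying this to a real proxy. The subject-hash algorithm changed in OpenSSL 1.0.0 (`-subject_hash_old` gives the pre-1.0.0 value), so compute the names, or run c_rehash / `openssl rehash`, with the OpenSSL build the proxy itself links against. And installing the intermediate at the proxy only repairs the proxy's own verification: browsers and other clients talking straight to the server still need the server to send the chain, which is what the SSLCertificateChainFile directive mentioned in the question does on the server side.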