[zorp] Help with intermediate certificate

Balazs Scheidler bazsi at balabit.hu
Mon Aug 25 09:15:27 CEST 2008


On Fri, 2008-08-22 at 12:12 -0400, David Yerger wrote:
> Doing a transparent http-to-https proxy:
> 
> I have client_ca_directory defined, with my CA's intermediate and root
> certs in there, but client devices without the intermediate cert can't
> connect, for example:
> 
> $ openssl s_client -connect owa.<deleted>.com:443 -showcerts < /dev/null
> CONNECTED(00000003)
> depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
>    i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> -----BEGIN CERTIFICATE-----
> MIIE8zCCA9ugAwIBAgIDRqHrMA0GCSqGSIb3DQEBBQUAMIHKMQswCQYDVQQGEwJV
> UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UE
> ChMRR29EYWRkeS5jb20sIEluYy4xMzAxBgNVBAsTKmh0dHA6Ly9jZXJ0aWZpY2F0
> 
> <snip>
> 
> 3PGHYxjmpBFZKtaSFoI4QyAWywn0CXefB/hOPkc0IP7fiRlsFZj/JrknfpKo6qps
> uy+Df1AdPf+OXBSqwWWlDdSbFrx9wZc1i0oafe837YNiixVtJ9Sr955It7RL0FpD
> +iv15z3HwJ+U0Fuundwp8n/P1j18rtM=
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/O=owa.<deleted>.com/OU=Domain Control Validated/CN=owa.<deleted>.com
> issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1433 bytes and written 316 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
> 4F0D7577C6C97C7D0E66C73C82896637E4866CFCF9CE371B0CD4DA34E4FD1777
> $
>     Session-ID-ctx:
>     Master-Key:
> 463D578F6593F1B7C634388F7A1FA90D3C832AEC9C68FF4598F921D9E6E84D2A
> E1EB996564D802FA159B46D10EF14785
>     Key-Arg   : None
>     Start Time: 1219420426
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> DONE
> 
> It appears that it's not picking up the intermediate cert; is there any way
> around this? Apache has an SSLCertificateChainFile directive, is
> something similar needed?
> 

I _think_ it should work if you put the intermediate certificate into
the trusted CA directory of the proxy.

e.g. put the intermediate CA certificates in the directory pointed to by
self.client_ca_directory, named by the hash value of their subject name
(openssl x509 -hash).

-- 
Bazsi
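The advice in the reply, worked through as an added example that is not from the list thread or the Zorp project: a POSIX shell script that fills a hashed CA directory of the kind client_ca_directory expects (intermediate and root certs linked under their subject-name hash, collisions and re-runs handled) and then checks a server certificate against it, which is the verification the proxy performs. Assumed layout: PEM files in the source directory, links written to the destination directory.

```shell
#!/bin/sh
# Build the hashed CA directory that Zorp's client_ca_directory (and any
# OpenSSL "by directory" lookup) expects: each root and intermediate CA
# certificate is reachable through a link named <subject-hash>.<n>.
# Assumed layout: PEM certificates in $1, links are written into $2.
set -e

# Name for the link of one certificate under the given hash option, picking
# the first free suffix so that CAs whose 4-byte subject hash collides both
# survive, and reusing an existing link to the same file on a re-run.
link_name() {
    dir=$1; target=$2; hashopt=$3
    h=$(openssl x509 -noout "$hashopt" -in "$target")
    n=0
    while [ -e "$dir/$h.$n" ]; do
        [ "$(readlink "$dir/$h.$n")" = "$target" ] && break
        n=$((n + 1))
    done
    echo "$h.$n"
}

rehash_dir() {
    src=$1; dst=$2
    mkdir -p "$dst"
    for cert in "$src"/*.pem; do
        [ -f "$cert" ] || continue
        target=$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")
        # -hash is what the reply refers to: the subject-name hash of the
        # OpenSSL on the box (MD5-based in 0.9.8, SHA-1-based since 1.0.0).
        ln -sf "$target" "$dst/$(link_name "$dst" "$target" -hash)"
        # A proxy linked against an older libcrypto looks for the pre-1.0.0
        # name, so also write that link when this OpenSSL can compute it.
        if openssl x509 -noout -subject_hash_old -in "$target" >/dev/null 2>&1; then
            ln -sf "$target" "$dst/$(link_name "$dst" "$target" -subject_hash_old)"
        fi
    done
}

# Exit status 0 when the server certificate chains up to a CA in the
# directory; this is the check the proxy performs on the client side.
verify_against_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

With only the root CA in the directory the leaf fails exactly as in the s_client output above; once the intermediate is added and the directory rehashed, verification succeeds.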
