Дима Рубинштейн (dimrub) wrote in gotchas,
Дима Рубинштейн
dimrub
gotchas

Browser refuses to open an SSL session through a proxy

Problem:When browsing through a proxy, the browser (IE, both version 6 and 7) refuses to access HTTPS sites. No compelling explanation is provided (the generic "Internet Explorer cannot display the webpage" message is being shown). Firefox allows to surf after a security exception has been acknowledged, but shows only the server's certificate, although the signing certificate should also be present.

Analysis: The proxy acts as a man in the middle, intercepting the CONNECT requests, performing the handshake against the server while acting as a client, then resigning the server's certificate with it's own signing certificate and using the new certificate to perform the handshake against the client acting on behalf (and disguised as) the server. In order for this to work, the signing certificate installed on the proxy, or the certificate of its issuer should be recognized as trusted by the browser. In fact, the procedure is as follows:
1. Create the CSR on the proxy
2. Sign the CSR on the CA of the enterprise
3. Import the new signing certificate back into the proxy
Now the browser should consider the new "fake" certificate as trusted, but it doesn't just yet: all of the signing certificates should have the basic constraints X509v3 extension defined with the value of CA=true. This should be done during either one of stages 1,2 above. In order to make it so for a CSR created through openssl, the following should be added to the openssl.cnf file:

[ req ]
...
req_extensions = v3_req
...

[ v3_req ]
basicConstraints = CA:true

Apparently, the CA will sometimes override these settings defined in the CSR, so one has to make sure that the resulting certificate indeed defines this extension - e.g. by running

openssl x509 -in cert.pem -text -noout

and looking for the following lines:

X509v3 Basic Constraints: critical
CA:TRUE
Tags: ssl
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your IP address will be recorded 

  • 0 comments