From: Alex Rousskov Date: Wed, 5 Jan 2022 18:38:07 +0000 (+0000) Subject: Bug 5177: clientca certificates sent to https_port clients (#955) X-Git-Tag: SQUID_6_0_1~257 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c97d832bc2142bb3d29ecd3bdab9f41c9b7a79bd;p=thirdparty%2Fsquid.git Bug 5177: clientca certificates sent to https_port clients (#955) When sending an https_port _server_ certificate chain to the client, Squid may send intermediate CA certificates found in clientca=... or tls-cafile=... client certificate bundles. This "leak" of client CAs surprises admins, may trigger traffic monitoring alarms, and might even break https_port certificate validation in some TLS clients. This surprising "leak" of client CAs is triggered by OpenSSL default behavior of auto-completing server certificate chains using whatever CA certificates happened to be in the TLS context certificate store. When client certificate authentication is enabled, that store may contain clientca CAs (or equivalent). OpenSSL CHANGES file acknowledges that this aggressive default behavior can be a problem and introduces SSL_MODE_NO_AUTO_CHAIN as a way to disable it. This fix breaks misconfigured Squid deployments that (usually unknowingly) rely on the OpenSSL clientca "leak" to build a complete https_port server certificate chain sent to TLS clients. Such deployments should add the right intermediate CA certificate(s) to their https_port tls-cert=... bundle (or equivalent). This is a Measurement Factory project. --- diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc index 2613c279f2..722fba7d7c 100644 --- a/src/security/ServerOptions.cc +++ b/src/security/ServerOptions.cc @@ -410,6 +410,7 @@ Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx) updateContextClientCa(ctx); #if USE_OPENSSL + SSL_CTX_set_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN); if (parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN) SSL_CTX_set_ex_data(ctx.get(), ssl_ctx_ex_index_dont_verify_domain, (void *) -1);