From c97d832bc2142bb3d29ecd3bdab9f41c9b7a79bd Mon Sep 17 00:00:00 2001 From: Alex Rousskov Date: Wed, 5 Jan 2022 18:38:07 +0000 Subject: [PATCH] Bug 5177: clientca certificates sent to https_port clients (#955) When sending an https_port _server_ certificate chain to the client, Squid may send intermediate CA certificates found in clientca=... or tls-cafile=... client certificate bundles. This "leak" of client CAs surprises admins, may trigger traffic monitoring alarms, and might even break https_port certificate validation in some TLS clients. This surprising "leak" of client CAs is triggered by OpenSSL default behavior of auto-completing server certificate chains using whatever CA certificates happened to be in the TLS context certificate store. When client certificate authentication is enabled, that store may contain clientca CAs (or equivalent). OpenSSL CHANGES file acknowledges that this aggressive default behavior can be a problem and introduces SSL_MODE_NO_AUTO_CHAIN as a way to disable it. This fix breaks misconfigured Squid deployments that (usually unknowingly) rely on the OpenSSL clientca "leak" to build a complete https_port server certificate chain sent to TLS clients. Such deployments should add the right intermediate CA certificate(s) to their https_port tls-cert=... bundle (or equivalent). This is a Measurement Factory project. --- src/security/ServerOptions.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc index 2613c279f2..722fba7d7c 100644 --- a/src/security/ServerOptions.cc +++ b/src/security/ServerOptions.cc @@ -410,6 +410,7 @@ Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx) updateContextClientCa(ctx); #if USE_OPENSSL + SSL_CTX_set_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN); if (parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN) SSL_CTX_set_ex_data(ctx.get(), ssl_ctx_ex_index_dont_verify_domain, (void *) -1); -- 2.47.3