From ffcac5e865dff76c8d54b1fd0c870d4890a71f08 Mon Sep 17 00:00:00 2001 From: Christos Tsantilas Date: Wed, 5 Jan 2022 11:31:06 -0500 Subject: [PATCH] Bug 5177: clientca certificates sent to https_port clients When sending an https_port _server_ certificate chain to the client, Squid may send intermediate CA certificates found in clientca=... or tls-cafile=... client certificate bundles. This "leak" of client CAs surprises admins, may trigger traffic monitoring alarms, and might even break https_port certificate validation in some TLS clients. This surprising "leak" of client CAs is triggered by OpenSSL default behavior of auto-completing server certificate chains using whatever CA certificates happened to be in the TLS context certificate store. When client certificate authentication is enabled, that store may contain clientca CAs (or equivalent). OpenSSL CHANGES file acknowledges that this aggressive default behavior can be a problem and introduces SSL_MODE_NO_AUTO_CHAIN as a way to disable it. This fix breaks misconfigured Squid deployments that (usually unknowingly) rely on the OpenSSL clientca "leak" to build a complete https_port server certificate chain sent to TLS clients. Such deployments should add the right intermediate CA certificate(s) to their https_port tls-cert=... bundle (or equivalent). --- src/security/ServerOptions.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc index 2613c279f2c..722fba7d7ce 100644 --- a/src/security/ServerOptions.cc +++ b/src/security/ServerOptions.cc @@ -410,6 +410,7 @@ Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx) updateContextClientCa(ctx); #if USE_OPENSSL + SSL_CTX_set_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN); if (parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN) SSL_CTX_set_ex_data(ctx.get(), ssl_ctx_ex_index_dont_verify_domain, (void *) -1);