Re: [squid-users] Re: ssl-bumping certificate validation (on OSX)

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 18 Apr 2013 13:28:11 -0600

On 04/18/2013 11:31 AM, jwarren wrote:
> lsof (no strace on OSX) doesn't indicate any certificate store files being
> opened either for the openssl command line tool, or for squid.

I do not know anything about lsof on OSX, but is not lsof a tool for
listing currently open files? You need a tool that traces what files an
executable opens, not a tool that tells you what files are opened right
now. A root certificate file may be open for just a few milliseconds so
catching Squid or openssl "in the act" would be difficult unless you can
trace them.

> I do notice
> that squid (or ssl_crtd) seems to be downloading root certs itself, this
> shows up in access.log whenever I browse to certain SSL sites:
>
> 1366295696.233 217 127.0.0.1 TCP_MISS/200 2586 GET
> http://crl.geotrust.com/crls/secureca.crl - HIER_DIRECT/199.7.55.190
> application/pkix-crl
>
> I assume this means ssl_crtd is downloading and storing the certificates
> into its own cache folder.

CRL files are not root certificates. Moreover, Squid (including
ssl_crtd) does not have the ability to load CRL files. Most likely, you
are watching your browser or HTTP client (including plugins, applets,
update managers, etc.) loading CRLs to validate the certificates of the
sites you visit.

> otool (no ldd on OSX) shows that the binary I have been building is not in
> fact linked statically:

I am not surprised, but I do not know how to fix that. Moreover, I do
not think that static linking is the [right] answer to your problems.

> There doesn't seem to be any difference in the runtime
> configurations for openssl (in fact I don't think openssl has a config file
> as such),

Openssl library does have a configuration file and does store root
certificates, CRL files, etc. For starting points, see config(5SSL)
manual page, /etc/ssl/openssl.cnf, or /usr/lib/ssl/openssl.cnf.

The locations and names may all be very different on OSX, but root
certificates and CRLs have to be stored somewhere. You need to find out
where they are on each host and compare them if you want to understand
why OpenSSL on one host trusts a site while OpenSSL on the other host
does not.

HTH,

Alex.
Received on Thu Apr 18 2013 - 19:28:18 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 19 2013 - 12:00:06 MDT