Unnecessary Appending of Certificate Chain With Each New Connection Leads to Client Disconnection
Posted: Thu Feb 06, 2020 10:51 am
Hello All,
With the new SSL-related changes made in SafeSquid-SWG, which include adding an Intermediate CA in between for security restrictions when deploying an Enterprise CA, SafeSquid in the new release will currently create an Intermediate CA and send the certificate chain when the client connects.
This is done because only the Root CA will be installed on the client machine, and the client application should not reject the server certificate created by the Intermediate.
If the SSL certificate chain is complete and proper, then the user need not worry about any SSL changes.
But while I was accessing google.com via SafeSquid-SWG, I got the problem below: an SSL error. Then I did a refresh and there was no SSL problem.
But I keep on getting this problem, and after the refresh the problem is gone. It can be a browser problem, because I was not able to replicate the scenario.
Then I did some debugging using OpenSSL s_client, where I found that the certificate chain provided by SafeSquid contains unnecessary repetition of the Intermediate CA and Root CA again and again, and it keeps on increasing if I connect again.
As it keeps on increasing, it creates a situation where the client application cannot accept such large data in the Server Hello, which results in an SSL error and the client closes the connection.
I have attached the SSL trace done using OpenSSL s_client. It contains both the case where the connection was successful, with the certificate chain data, and the case where the connection was closed due to the increasing certificate chain data and the client's size limit.
After that, that particular context was removed and a new one was created.
Over here in the OpenSSL trace below, when I connect to google via SafeSquid-SWG, the certificate chain provided by SafeSquid-SWG is extremely long and duplicated, and keeps on increasing as I connect.
--------------------
OpenSSL s_client SSL Trace Snippet [Error: Extra Appending of SSL Certificate Chain]
--------------------
Certificate chain
0 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = google.com
i:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
1 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
2 s:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
3 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
4 s:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
5 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
6 s:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
7 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
8 s:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
9 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
10 s:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
11 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
12 s:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
13 s:C = IN, ST = MH, L = Mumbai, O = SafeSquid Labs, OU = WebSecurity, CN = i7MsBzARSZ98vw2V
i:C = IN, ST = Maharashtra, L = Mumbai, O = OEIPL [SafeSquid Labs], OU = IT Security, CN = SafeSquid Enterprise CA, emailAddress = support@safesquid.net
........................... Many More ..........
--------------------
As the certificate chain increases with each new connection, it creates a situation where the client application cannot accept such large data in the Server Hello, which results in an SSL error and the client closes the connection.
--------------------
OpenSSL s_client SSL Trace Snippet [Error: Client Disconnected the Connection Due to Unnecessary Extra Certificate Chain]
--------------------
SSL_connect:SSLv3/TLS read server hello
>>> ??? [length 0005]
15 03 03 00 02
>>> TLS 1.2, Alert [length 0002], fatal illegal_parameter
02 2f
SSL3 alert write:fatal:illegal parameter
SSL_connect:error in error
140508579464256:error:14160098:SSL routines:read_state_machine:excessive message size:../ssl/statem/statem.c:603:
---------------------------------------------------------
The attached logs below contain a more detailed explanation of the problem.
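A check for the symptom described in this post, added here as an example and not part of the original post or of SafeSquid: it parses the "Certificate chain" listing printed by openssl s_client, rebuilds the leaf-to-root path a correct chain needs, and reports every entry presented beyond that path. The sample chain is constructed (CNs only) and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample modelled on the s_client output in the post (DNs cut to the CN).
SAMPLE_CHAIN = """\
Certificate chain
 0 s:CN = google.com
   i:CN = i7MsBzARSZ98vw2V
 1 s:CN = i7MsBzARSZ98vw2V
   i:CN = SafeSquid Enterprise CA
 2 s:CN = SafeSquid Enterprise CA
   i:CN = SafeSquid Enterprise CA
 3 s:CN = i7MsBzARSZ98vw2V
   i:CN = SafeSquid Enterprise CA
 4 s:CN = SafeSquid Enterprise CA
   i:CN = SafeSquid Enterprise CA
"""
SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer DN>"

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    certs, subject = [], None
    for line in text.splitlines():
        if m := SUBJECT_RE.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER_RE.match(line)) and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs

def minimal_path(certs):
    """Subjects a correct chain needs: follow issuer links from cert 0 until a self-signed
    cert or an issuer not in the chain. s_client prints DNs only, so equal DNs are
    assumed to be the same certificate (compare fingerprints on a full dump)."""
    issuer_of = {}
    for subject, issuer in certs:
        issuer_of.setdefault(subject, issuer)   # first occurrence wins
    subject, path = certs[0][0], [certs[0][0]]
    while subject in issuer_of and issuer_of[subject] != subject:
        subject = issuer_of[subject]
        if subject in path:                      # guard against a loop in issuer links
            break
        path.append(subject)
    return path

def audit_chain(text):
    """Flag a chain that repeats certificates beyond the leaf-to-root path."""
    certs = parse_chain(text)
    dupes = {c: n for c, n in Counter(certs).items() if n > 1}
    needed = minimal_path(certs)
    return {"presented": len(certs), "needed": len(needed),
            "duplicates": dupes, "bloated": len(certs) > len(needed)}
```

On a real capture, feed the full s_client output to audit_chain: a "presented" count that climbs across successive connections while "needed" stays at 3 is the growth the post describes. OpenSSL's client-side limit on the Certificate message (max_cert_list, 100 KiB by default, adjustable with SSL_CTX_set_max_cert_list) is what produces the "excessive message size" error once the chain outgrows it.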