
After upgrading to SGOS 7.2 or newer, the proxy does not send intermediate CA or root CA certificates during SSL intercept


Article ID: 243407


Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

After upgrading from SGOS 6.7 to 7.2 or newer, ProxySG does not send intermediate CA or root CA certificates in the TLS handshake when SSL intercept is enabled. A client that does not already hold the intermediate CA certificate locally then cannot build a path from the emulated server certificate to the root CA it trusts, even though the same configuration worked on 6.7.

Cause

The behavior difference between SGOS 6.7.5.x and 7.2.5.1 can be summarized as follows:

1. The emulated server certificate and the proxy's resigning CA certificate (from the issuer keyring) are always put on the wire in both versions.

2. In 6.7.x, the CA chain up to and including the root CA is sent in the TLS handshake, provided those certificates are found in the proxy's CA list.

3. In 7.2.x, the CA chain up to but not including the root CA is put on the wire, and only if those intermediate CA certificates have been added to the issuer keyring; the root CA is never included in the TLS handshake.

Sending the root CA certificate was judged unnecessary and contrary to the intent of the TLS specification: RFC 5246 (section 7.4.2) and RFC 8446 (section 4.4.2) allow the root to be omitted from the chain because the peer must already possess it to validate the chain at all. A client that has not been given the proxy's root CA out of band gains nothing from receiving it in the handshake, since a root delivered by the very peer being authenticated cannot be trusted, and a client that has been given it does not need it again. The intermediate CA certificates are different: a client that does not already hold them needs them from the wire to build the path to the root.


Resolution

The root CA certificate is never put in the TLS handshake; this is by design, and clients must already have the proxy's root CA in their trust store. For the intermediate CA certificate(s) to be sent, add them directly to the keyring used for SSL intercept. The proxy then sends the emulated server certificate, the resigning CA certificate and the intermediate(s), and the client completes the path to the root it holds locally.
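The following script is an added example and is not part of this article or of SGOS itself. It reproduces, on the client side, the three cases described under Cause and the workaround under Resolution: it builds a constructed four-tier PKI (root CA, intermediate CA, proxy resigning CA, emulated certificate for www.example.com), assembles the certificate sets that 6.7.x and 7.2.x would put on the wire, and validates the emulated certificate the way a client does, with only the root CA in the trust store and everything received from the proxy treated as untrusted path-building input. All names, file names and subjects are assumptions made for the example; only the openssl CLI (1.1.1 or newer) is required.

```shell
#!/bin/sh
# Added example, not from the KB article: reproduce on the client side what
# happens with the certificate chain a ProxySG puts on the wire during SSL
# intercept. Needs only the openssl CLI (1.1.1 or newer). The four-tier PKI
# (root CA -> intermediate CA -> proxy resigning CA -> emulated origin cert for
# www.example.com), the names and the file layout are all constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write an extension file $1 from stdin (heredoc).
ext() { cat > "$WORK/$1"; }

# Generate a key and CSR named $1 with subject $2.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Sign CSR $1 with CA $2 (or self-sign when $2 = self) using extensions from $3.
sign() {
    if [ "$2" = self ]; then
        ca_opts="-signkey $WORK/$1.key"
    else
        ca_opts="-CA $WORK/$2.pem -CAkey $WORK/$2.key -CAcreateserial"
    fi
    # shellcheck disable=SC2086
    openssl x509 -req -in "$WORK/$1.csr" $ca_opts -days 2 \
        -extfile "$WORK/$3" -out "$WORK/$1.pem" >/dev/null 2>&1
}

build_pki() {
    ext root.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    ext ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    ext server.ext <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.com
authorityKeyIdentifier=keyid
EOF
    csr root "/CN=Example Corp Root CA";             sign root self root.ext
    csr intermediate "/CN=Example Corp Issuing CA";  sign intermediate root ca.ext
    csr proxyca "/CN=Example Corp SSL Intercept CA"; sign proxyca intermediate ca.ext
    csr server "/CN=www.example.com";                sign server proxyca server.ext
}

# What each SGOS version puts on the wire; the emulated leaf always comes first.
build_wire_chains() {
    cat "$WORK/server.pem" "$WORK/proxyca.pem" "$WORK/intermediate.pem" "$WORK/root.pem" \
        > "$WORK/wire_67.pem"        # 6.7.x: chain up to and including the root
    cat "$WORK/server.pem" "$WORK/proxyca.pem" "$WORK/intermediate.pem" \
        > "$WORK/wire_72.pem"        # 7.2.x with the intermediate added to the keyring
    cat "$WORK/server.pem" "$WORK/proxyca.pem" \
        > "$WORK/wire_72_bare.pem"   # 7.2.x symptom: intermediate not in the keyring
}

# Client-side validation of the emulated leaf. $1 = certs received on the wire,
# used only for path building; $2 = the client's trust store file, or "none" for
# a client that was never given the proxy root CA. Prints ok or fail.
client_verify() {
    if [ "$2" = none ]; then trust="-no-CAfile -no-CApath"
    else trust="-CAfile $2 -no-CApath"; fi
    # shellcheck disable=SC2086
    if openssl verify $trust -untrusted "$1" "$WORK/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

build_pki
build_wire_chains
printf '%-13s %-14s %s\n' chain "client trusts" result
for chain in wire_67 wire_72 wire_72_bare; do
    printf '%-13s %-14s %s\n' "$chain" root.pem \
        "$(client_verify "$WORK/$chain.pem" "$WORK/root.pem")"
done
# Root on the wire does not help a client that never received it out of band.
printf '%-13s %-14s %s\n' wire_67 nothing "$(client_verify "$WORK/wire_67.pem" none)"
```

The two 7.2.x rows show the symptom and the fix: with only the emulated certificate and the resigning CA on the wire, path building stops at the resigning CA and validation fails; once the intermediate is on the wire, the client reaches the root it already trusts. The last row shows why the root was dropped from the handshake: a client without the proxy root in its trust store fails even when the root is sent, because a root received from the peer is just untrusted input. To inspect what a real proxy sends, use the standard `openssl s_client -showcerts -connect origin:443` (through a transparent intercept) or add `-proxy proxyhost:port` for an explicit proxy; the certificates printed are the ones to compare against the three sets above.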