ProxySG 7.2.x or above does not send complete certificate chain.

Article ID: 250042


Products

ProxySG Software - SGOS

Issue/Introduction

After upgrading to SGOS 7.x, ProxySG does not send the complete certificate chain (including the root certificate) to the client when performing SSL interception.

This causes issues in an environment where the proxy uses a certificate issued by a Subordinate CA and the client has only the Root CA certificate in its trusted CA store.

Because the presented chain is incomplete (only the SubCA certificate is included), the client machine is unable to trust the certificate chain presented by ProxySG.

This article applies to SSL interception environments where the CSR generated on the proxy is signed by a Subordinate CA (SubCA) that the client machine does not trust directly (the SubCA certificate is not present in the client's trusted store). The SubCA and Root CA belong to a trusted domain, but the SubCA certificate cannot be installed in the client's trusted root store.

Environment

ProxySG running a 7.x version.

ProxySG uses a keyring for SSL interception whose certificate is issued / signed by the SubCA.

The client machine does not have the SubCA certificate in its trusted root CA store, and it cannot be added.

Cause

On 6.7 it was possible to construct the chain from the referenced CA Certificate List (CCL).

From version 7.2.x onwards, ProxySG does not build and send a certificate chain to the client unless that chain is included in the issuer keyring.

This change in behavior follows RFC 5246 (TLS 1.2) and requires that the intercept keyring's certificate chain be installed as part of the keyring.

Resolution

In order to make ProxySG send the complete certificate chain (including the SubCA and Root CA), the keyring used for SSL interception needs to be signed using the complete chain (including the Root CA).

Please refer to the article below for instructions on how to sign a keyring:

https://knowledge.broadcom.com/external/article/166338/steps-to-create-a-keyring-with-a-certifi.html
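As an added illustration (not part of this article or of SGOS), the following Python models the client-side path building that fails here: a constructed Root CA -> SubCA -> intercept CA -> emulated site hierarchy, a client that trusts only the Root CA, and a check of whether the certificates sent in the handshake are enough to reach that root. It uses the `cryptography` library; all names are constructed.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(name, issuer_key=None, issuer_cert=None, is_ca=True):
    """Constructed test cert with an ECDSA key; self-signed when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return key, cert

def signed_by(cert, candidate):
    """True if `candidate` issued `cert`: the signature verifies and the issuer name matches."""
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return cert.issuer == candidate.subject
    except InvalidSignature:
        return False

def chain_is_complete(presented, trust_store):
    """Client-side path building using only the certs sent in the handshake (no CCL lookups)."""
    current = presented[0]
    for _ in range(len(presented)):
        if any(signed_by(current, anchor) for anchor in trust_store):
            return True
        nxt = next((c for c in presented if c is not current and signed_by(current, c)), None)
        if nxt is None:
            return False  # issuer was not sent: the client cannot complete the path
        current = nxt
    return False

def demo():
    """Article scenario with constructed certs: the client trusts only the Root CA."""
    root_key, root = make_cert("Constructed Root CA")
    sub_key, subca = make_cert("Constructed SubCA", root_key, root)
    icpt_key, intercept = make_cert("Constructed proxy intercept CA", sub_key, subca)
    _, site = make_cert("emulated.example.test", icpt_key, intercept, is_ca=False)
    trust = [root]
    # 7.2.x sends only what is in the keyring; the fix installs the SubCA into the keyring
    return (chain_is_complete([site, intercept], trust),
            chain_is_complete([site, intercept, subca], trust))
```

`demo()` returns `(False, True)`: the handshake without the SubCA certificate cannot be chained to the root the client trusts, while the keyring carrying the complete chain can.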