Pathfinder + openssl in big bad internet: a case study.

ArkanoiD

Oct 1, 2009, 8:19:10 PM10/1/09
to Pathfinder Mailing List
My test system is RedHat Enterprise Linux, and the application proxy
that uses pathfinder is http-gw (former squid-gw) from
openfwtk.sourceforge.net.

Before we start, we need workarounds for a couple of pathfinder
misfeatures:

Number one: pathfinder does not accept root certificate bundles like
the one shipped in RHEL's /etc/pki/tls/certs/ca-bundle.crt. So we need
to split it into individual PEM files (sorry, I am no good at Perl):
------
#!/usr/bin/perl
# Split a concatenated PEM bundle (read from stdin or the file arguments)
# into one root_NN.pem file per certificate.
use strict;
use warnings;

my $cert_num = 0;

while (<>) {
    if (/-----BEGIN CERTIFICATE-----/) {
        my $name = sprintf "root_%02d.pem", $cert_num;
        open my $cert, '>', $name
            or die "cannot open $name for writing: $!";
        $cert_num++;
        # copy every line up to the END marker; print progress to stdout
        until (/-----END CERTIFICATE-----/) {
            print $cert $_;
            print "$cert_num $_";
            $_ = <>;
            last unless defined $_;   # truncated bundle: stop at EOF
        }
        print $cert $_ if defined $_; # the END marker line itself
        close $cert;
    }
}
------

Now we have root_00.pem to root_98.pem. Let's place them into
/etc/pki/pathfinderd/trusted-store.

That's not all! We need a second workaround: pathfinder cannot use trust
anchors without a subject key id.
So we need to generate a custom ini file with another script:

------
#!/bin/sh
# Emit pathfinderd.ini on stdout. Run from the trusted-store directory:
# every trust anchor that lacks a Subject Key Identifier gets a
# [CA Location] entry mapping its URL-escaped subject DN to its PEM file.
cat <<EOF
[Defaults]
Allow MD5 = 1
[Trusted directories]
Extra certs = /etc/pki/pathfinderd/trusted-store/
[CA Location]
EOF
for i in root_*.pem
do
    # skip certificates that already carry a Subject Key Identifier
    openssl x509 -in "$i" -inform pem -noout -text |
        grep -q "X509v3 Subject Key Identifier" ||
    openssl x509 -in "$i" -inform pem -noout -subject |
        sed -e 's/^subject= *//' -e 's/\//%2F/g' -e 's/=/%3D/g' \
            -e "s|\$| = /etc/pki/pathfinderd/trusted-store/$i|"
done
------

(I know the x509 utility is capable of builtin escaping, but I did not
manage to get a proper result from it, so I just use sed).

Now we have pathfinderd.ini that works.

What else?

How do I verify certificates?

Quite simple: first I use openssl's builtin verification functions:

-----
if (((err = SSL_get_verify_result(ssl)) != X509_V_OK)
#ifdef PATHFINDER_SHLIB
    /* Pathfinder may override these errors */
    && !(pathfinder_dbus &&
         ((err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) ||
          (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) ||
          (err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) ||
          (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)))
#endif
    ) {
    if (buf)
        snprintf(buf, 512 - 1, "SSL certificate does not verify, %s",
                 X509_verify_cert_error_string(err));
    syslog(LLEV, "SSL certificate does not verify, %s",
           X509_verify_cert_error_string(err));
    return(err);
}
-----

So if I get OK or one of the four errors listed here, I continue with
pathfinder: it may resolve some of the errors or
override the OK status with revocations.
Is that all? No.

Unfortunately there are pathfinder errors we may need to handle in a
special way:

"Pathfinder certificate validation failed: No valid crl for
certificate.." - this may be just a bug, and
"Couldn't find valid URI to get object needed to perform validation" -
this may be OK if openssl *does* verify the chain properly. Why?
Because pathfinder does not deal with the whole chain, it just
validates the server certificate. If there was an intermediate CA with
certificate provided in the chain by SSL connection, and there is no
known download URI, openssl does verify the chain and pathfinder fails
on this certificate.

Any comments? Is there a chance I can get rid of those workarounds?

And please, is there a way to delete recent spam messages from the
discussion group?
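The acceptance logic the post describes, written out as an added Python model (not http-gw's or Pathfinder's code). It assumes Pathfinder's answer is available as a valid flag plus its message, and it treats "No valid crl" as a rejection, since the post calls that a probable bug but never says it is safe to skip.

```python
# Model of the post's two-stage policy (added example, not project code):
# OpenSSL's chain verdict comes first; X509_V_OK and the four listed
# chain-building errors are handed to Pathfinder, which may repair them or
# turn an OK into a revocation failure. Pathfinder's "couldn't find URI"
# error is tolerated only when OpenSSL already verified the supplied chain,
# because Pathfinder validates the leaf certificate alone.
from dataclasses import dataclass
from typing import Optional, Tuple

X509_V_OK = "X509_V_OK"

# OpenSSL errors Pathfinder is allowed to override (the four from the post).
PATHFINDER_MAY_OVERRIDE = frozenset({
    "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
})

NO_URI = "Couldn't find valid URI to get object needed to perform validation"


@dataclass
class PathfinderResult:
    valid: bool
    error: Optional[str] = None   # Pathfinder's message when valid is False


def decide(openssl_err: str, pf: Optional[PathfinderResult]) -> Tuple[bool, str]:
    """Return (accept, reason) for one server certificate."""
    # 1. OpenSSL verdict: any error outside the override list is final.
    if openssl_err != X509_V_OK and openssl_err not in PATHFINDER_MAY_OVERRIDE:
        return False, f"SSL certificate does not verify, {openssl_err}"
    # 2. Pathfinder unavailable (daemon down / not built in): OpenSSL decides.
    if pf is None:
        if openssl_err == X509_V_OK:
            return True, "openssl chain OK, pathfinder unavailable"
        return False, f"{openssl_err} and pathfinder unavailable"
    # 3. Pathfinder accepted: it repaired the chain or found no revocation.
    if pf.valid:
        return True, "pathfinder validated"
    # 4. Pathfinder could not fetch an intermediate, but the peer sent a
    #    chain that OpenSSL built and verified against the local store.
    if pf.error == NO_URI and openssl_err == X509_V_OK:
        return True, "openssl chain OK; pathfinder lacks a download URI"
    # 5. Everything else, including "No valid crl", is a failure: no silent
    #    skip of revocation checking (assumption, see lead-in).
    return False, f"Pathfinder certificate validation failed: {pf.error}"
```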
