Netgate Discussion Forum
    files.pfsense.org still returning an expired AddTrust intermediate certificate?

    General pfSense Questions
leres

I saw the thread "AddTrust External CA Root certificate has expired!" but I did not and do not have that problem.

      However this morning the /etc/rc.update_bogons.sh cron job failed with 400 verification errors. You can see the problem with:

      fetch https://files.pfsense.org/lists/fullbogons-ipv4.txt
      

      I dumped the certificates returned with:

      openssl s_client -showcerts -connect files.pfsense.org:443
      

      and the last of the three certificates returned expired on May 30th:

      Serial Number:
          27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22
      Signature Algorithm: sha384WithRSAEncryption
      Issuer: C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
      Validity
          Not Before: May 30 10:48:38 2000 GMT
          Not After : May 30 10:48:38 2020 GMT
      Subject: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
jimp (Rebel Alliance Developer, Netgate)

        We are aware, it's already fixed on the server config, the IT crew is waiting for an opportune time to stop/start the web server process.

lalamper

          Hi All,

          This AddTrust certificate issue concerns the transparent HTTPS squid proxy as well.
          I have read that versions before OpenSSL 1.1.1 are also affected; pfSense 2.4.5 has OpenSSL 1.0.2.

          Is there any solution for this?
          Thanks

Gertjan (replying to @lalamper)

            @lalamper said in files.pfsense.org still returning an expired AddTrust intermediate certificate?:

            Is there any solution for this?

            It's not an "OpenSSL" issue.
            It's the list of locally trusted root certificates and an old, no longer valid root certificate returned by a web server; files.pfsense.org in this case.
            As @jimp said: they had to put the new root cert in place and restart their web server.

lalamper

              I cannot completely agree. There are many HTTPS sites (maybe with a wrong config) that have the same cert chain issue (they rely on the expired AddTrust cert). They work fine from any modern browser, but squid (using OpenSSL 1.0.2) shows a cert expiration error and is unable to generate a cert for the MITM proxy.

              I have moved to the pfSense development version (2.5.x) containing OpenSSL 1.1.1, and now it runs great; however, I do not sleep well having a beta version in production.

              I have also tried to remove the expired root CAs from pfSense's store; it did not help.

              Please check this for OpenSSL-based devices:
              https://calnetweb.berkeley.edu/calnet-technologists/incommon-sectigo-certificate-service/addtrust-external-root-expiration-may-2020

Gertjan

                I'm using a 'native' pfSense 2.4.5 with:

                OpenSSL 1.0.2u-freebsd  20 Dec 2019

                I have no issues at all.
                Most probably because the sites I visit have all removed the now outdated "AddTrust External CA Root".

                It is true that if a web site admin decides to keep an expired certificate in their web server's setup, trouble will happen.
                The fact that OpenSSL 1.0.2 starts complaining because it cannot "choose" between cert path A and B (as they explain in the article you cited) can easily be circumvented: just yell at the web server admin to do their job and the issue is over.
                The article does show some possible solutions, though. Although starting to "accept" expired certs is not an option: a copy of an expired cert should never have been sent to you in the first place.
                IMHO: the fact that OpenSSL 1.0.2 doesn't dodge the situation is just a side effect.
                Not a security issue either, because things tend to stop and break here ;)

                @lalamper said in files.pfsense.org still returning an expired AddTrust intermediate certificate?:

                I have also tried to remove expired root CAs from pfsense's store, it did not help.

                Removing an expired cert is not really needed: the end date in the cert prohibits it from being used anyway.

                I'm not using squid myself, but I 'think' it uses its own (outdated) root cert list. Check the files that the squid package installed?

                Note : I'm not a certificate expert, I'm just thinking out loud here.

lalamper
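To make the "path A versus path B" argument in the two posts above concrete, here is an added example (not code from the thread or from OpenSSL) that models the two chain-building strategies on the chain discussed: a served chain ending in the COMODO RSA CA cross-signed by the expired AddTrust root, and a local store that also holds the modern self-signed COMODO RSA CA root. Certificate names are from the thread; all expiry dates except AddTrust's are constructed, and the three-cert real chain is simplified to leaf plus cross-signed intermediate.

```python
from datetime import date

# Constructed model of the certificates in play. Only AddTrust's expiry is real.
ADDTRUST = "AddTrust External CA Root"
COMODO = "COMODO RSA Certification Authority"
HOST = "files.pfsense.org"

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

SERVED = [  # what the web server sends (simplified; constructed leaf expiry)
    cert(HOST, COMODO, date(2021, 1, 1)),
    cert(COMODO, ADDTRUST, date(2020, 5, 30)),   # cross-signed intermediate
]
STORE = [   # local trust store (constructed expiry for the modern root)
    cert(COMODO, COMODO, date(2038, 1, 18)),     # self-signed COMODO root
    cert(ADDTRUST, ADDTRUST, date(2020, 5, 30)), # the expired legacy root
]

def _walk(served, store, today, prefer_store):
    """Follow issuer links from served[0] to a self-signed cert, then validate.
    prefer_store=False takes the server's chain first (OpenSSL 1.0.2 style);
    prefer_store=True asks the trust store at every hop (1.1.1 / browser style)."""
    path = [served[0]]
    while path[-1]["subject"] != path[-1]["issuer"]:
        wanted = path[-1]["issuer"]
        order = (store, served) if prefer_store else (served, store)
        nxt = next((c for src in order for c in src if c["subject"] == wanted), None)
        if nxt is None:
            return False, "unable to get issuer certificate for " + wanted
        path.append(nxt)
    expired = [c["subject"] for c in path if c["not_after"] < today]
    if expired:
        return False, "certificate has expired: " + ", ".join(expired)
    if path[-1] not in store:
        return False, "self signed certificate in chain: " + path[-1]["subject"]
    return True, " -> ".join(c["subject"] for c in path)

def verify_legacy(served=SERVED, store=STORE, today=date(2020, 6, 2)):
    return _walk(served, store, today, prefer_store=False)

def verify_modern(served=SERVED, store=STORE, today=date(2020, 6, 2)):
    return _walk(served, store, today, prefer_store=True)

if __name__ == "__main__":
    print("1.0.2-style:", verify_legacy())
    print("1.1.1-style:", verify_modern())
    # Dropping the expired AddTrust root from the store does not rescue the legacy walk
    print("1.0.2-style, AddTrust removed:", verify_legacy(store=STORE[:1]))
```

The third call reproduces the observation that removing the expired root from the store does not help a 1.0.2-style verifier: the served chain still points at AddTrust, which is now simply missing.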

                  Yes, you are right, and this is a bit of a complicated situation.
                  Our users complain that they can access sites with a "wrong" web server setup directly, but not from behind the squid proxy. And there are many sites (including government-related ones) which are still wrong but need to be accessed. On the other hand, nobody can force site admins to update to a proper config. This is where OpenSSL 1.1.1 comes in, which is able to handle this situation. And yes, I do not want to allow accepting expired certs in squid.
                  I assume that squid uses pfsense's cert store, but I could not find exact documentation.
