[Privoxy-users] https inspection using intermediate CA
Chakib
contact at sp4ke.xyz
Mon Aug 8 11:35:28 UTC 2022
Here is the patch I used that allows me to sign Privoxy CA with an intermediate CA and have the browser not complain about unknown issuer.
Chakib,
On August 8, 2022 12:02:45 PM GMT+02:00, Fabian Keil <fk at fabiankeil.de> wrote:
>Chakib Benziane <contact at sp4ke.xyz> wrote on 2022-08-07 at 22:27:37:
>
>> I am trying to use https inspection using a CA that is an intermediate
>> not Root and the TLS handshake is failing between client and privoxy.
>>
>> I tracked down the problem to the generation of host certificates which
>> sets the "Issuer" of the cert the same as the Issuer of the provided CA
>> file. This works well when the provided CA is the Root but in my case I
>> want to use an Intermediate CA which is the only CA I deploy on my
>> machines.
>
>Thanks for tracking down the issue and letting us know.
>
>> Is there a reason why you are copying the Issuer field from the CA to
>> the host certificate ?
>
>I haven't had time to look at the code yet, but often things are
>done because they seem to work for the tested use cases.
>
>> Why not set the Issuer of the generated certificate as the Subject of the CA
>> file ? (see openssl.c L1984 - privoxy-3.0.33-stable)
>
>Can you submit a patch so we can test if your proposed change
>still works with other use cases?
>
>Fabian
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
diff --git a/openssl.c b/openssl.c
index a57cb32..2109382 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1981,7 +1981,7 @@ static int generate_host_certificate(struct client_state *csp)
goto exit;
}
- issuer_name = X509_get_issuer_name(issuer_cert);
+ issuer_name = X509_get_subject_name(issuer_cert);
/*
* Loading keys from file or from buffer
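Review bot: The new assignment `issuer_name = X509_get_subject_name(issuer_cert);` in generate_host_certificate() carries no comment explaining why the CA's Subject is used rather than its Issuer, and that reasoning is the whole point of the change. A certificate's Issuer has to equal the Subject of the CA that signs it; the two names only coincide when the CA file is a self-signed root, which is why the removed line worked in that setup and breaks with an intermediate. Please add a one-line comment to that effect above the assignment. Two things to confirm before merging: that host certificates generated from a root CA file still validate (the case Fabian asked about), and whether the returned name needs a NULL check, since the hunk shows none between the assignment and the "Loading keys from file or from buffer" comment.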