SRX


Ask questions and share experiences about the SRX Series.
  • 1.  Juniper SSL Proxy with servers using Letsencrypt

    Posted 11-30-2022 09:13
    I have a setup using ssl proxy. It works fine so far: https traffic gets analyzed, Juniper signs the content with its own certificate. With one exception, however: all sites using Letsencrypt certificates lead to an SSL-PROXY:DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE error. Other sites work fine.
    I have both the R3 intermediate certificate (until Mon, 15 Sep 2025 16:00:00 GMT) and the ISRG X1 certificate (until Mon, 04 Jun 2035 11:04:38 GMT) installed as ca-profiles (trusted-ca all). So the Let's Encrypt certificates should be verifiable.

    Any idea?


    ------------------------------
    CARSTEN GRAMMES
    ------------------------------


  • 2.  RE: Juniper SSL Proxy with servers using Letsencrypt

    Posted 12-01-2022 09:55
    Is this a reverse transparent ssl proxy configuration?

    ------------------------------
    Jamie Graham
    ------------------------------



  • 3.  RE: Juniper SSL Proxy with servers using Letsencrypt

    Posted 12-02-2022 04:20

    No, it's a forward transparent ssl proxy configuration. It breaks up https sessions from the internal network to the internet.

    Carsten



    ------------------------------
    CARSTEN
    ------------------------------



  • 4.  RE: Juniper SSL Proxy with servers using Letsencrypt

    Posted 12-02-2022 09:59
    That's interesting. I also run a forward transparent proxy, but have not found a solution that will run on IoT devices or any device I cannot import a CA certificate on. If you could share the TLS certificate setup and how it works, it would be appreciated. On the LetsEncrypt issue, I would update the CAs on the SRX.

    ------------------------------
    Jamie Graham
    ------------------------------



  • 5.  RE: Juniper SSL Proxy with servers using Letsencrypt

    Posted 12-02-2022 10:31

    I have a self-signed CA certificate with key that is trusted at all our clients. I imported it to the SRX:

    request security pki local-certificate load certificate-id CA2031 filename /var/tmp/ca2031.pem key /var/tmp/ca2031.key passphrase xxxxxxxxx

    It's important that the validity is not too far in the future.

    Then my config looks like this:

    # show services ssl proxy
    profile ssl-inspect-profile {
        trusted-ca all;
        root-ca CA2031;
        actions {
            ignore-server-auth-failure;
        }
    }

    and a security policy for outgoing traffic

    match {
        source-address [ <internal IPs> ];
        destination-address any;
        application [ junos-http junos-https ];
    }
    then {
        permit {
            application-services {
                ssl-proxy {
                    profile-name ssl-inspect-profile;
                }
                icap-redirect icap-pf1;
            }
        }
    }

    It's important to load all default trusted CAs in a CA-profile-group as indicated in Step 2 under https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/managing-keys-certificates-ssl-proxy.html. I loaded all Juniper default certificates plus those from the Firefox root certificate store. The Letsencrypt (R3 and ISRG X1) certificates are part of it, and they are the newest version.



    ------------------------------
    CARSTEN
    ------------------------------



  • 6.  RE: Juniper SSL Proxy with servers using Letsencrypt

    Posted 12-02-2022 21:56
    The next step would be to see the SSL_PROXY errors in the log files. If you're logging to an external syslog server, grep for SSL or SSL_PROXY, if I recall. If not, then you will need to enable tracing for SSL_PROXY and view the errors. Once you see what's happening, I would then enable/disable different SSL_PROXY features in your configuration.

    SSL Proxy Logs | Junos OS | Juniper Networks

    ssl (Services) | Junos OS | Juniper Networks

    ------------------------------
    Jamie Graham
    ------------------------------



  • 7.  RE: Juniper SSL Proxy with servers using Letsencrypt

    Posted 12-13-2022 10:22

    The problem is solved; here is a summary:
    - web sites using Letsencrypt almost always deliver a certificate chain of 3 certificates:

    1. the Letsencrypt cert, valid max 3 months, signed by R3 Intermediate CA
    2. R3 cert, signed by ISRG X1 root CA
    3. ISRG X1 root CA self-signed cert

    As Letsencrypt states, this is due to Android having problems with the certs otherwise. See https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for details. As they state, this certificate chain does not get validated correctly by OpenSSL 1.0.x and lower, however.
    JUNOS 20.x uses OpenSSL v1.0.2u, as you can easily verify by calling openssl version from a command shell. This is exactly the reason why the Proxy SSL cert validation fails.

    I had to upgrade to JUNOS 21.x, which incorporates OpenSSL 1.1.x, to avoid this misbehavior. No other means were necessary.

    I wonder why this was not remarked on by someone else before, as Letsencrypt certs are really common now.



    ------------------------------
    CARSTEN
    ------------------------------
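The chain-building difference behind the last post, as an added illustration that is not part of the thread and not Junos or OpenSSL code: a small Python model of how OpenSSL picks a path from the server's leaf certificate to a trust anchor. The Let's Encrypt page linked above describes the default chain as the leaf, R3, and ISRG Root X1 cross-signed by DST Root CA X3 (which expired on 30 Sep 2021). OpenSSL before 1.1.0 extends the chain through the server-supplied certificates first and only then consults the trust store, so it walks onto the expired DST Root CA X3 whenever that root is still installed; 1.1.0 made X509_V_FLAG_TRUSTED_FIRST the default, so the trusted self-signed ISRG Root X1 is taken as soon as R3's issuer is looked up. Certificates are modelled as (subject, issuer, expiry) records carrying the real expiry dates; signatures and not-before dates are not modelled, and the leaf for example.org and its expiry are constructed.

```python
"""Toy model of OpenSSL certificate-path building (added illustration).

Shows why a Let's Encrypt default chain verifies under an OpenSSL 1.1.x
style "trusted-first" walk but fails under the OpenSSL 1.0.2 default walk
when an expired DST Root CA X3 sits in the trust store. Signatures and
not-before dates are deliberately not modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # (subject, issuer) tells cross-signs apart


def _ts(day: str) -> datetime:
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Sample data: real expiry dates for the CA certificates, constructed leaf.
LEAF = Cert("example.org", "R3", _ts("2023-02-28"))            # constructed
R3 = Cert("R3", "ISRG Root X1", _ts("2025-09-15"))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _ts("2024-09-30"))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _ts("2035-06-04"))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", _ts("2021-09-30"))

# The three certificates the server sends, in the order the post lists them.
PRESENTED = [LEAF, R3, ISRG_X1_CROSS]
NOW = _ts("2022-12-01")  # roughly when the thread was written


def find_issuer(cert, pool):
    """First certificate in pool whose subject names cert's issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def build_path(presented, trust_store, trusted_first):
    """Build a chain from presented[0] to a trust anchor, or return None.

    trusted_first=False models the OpenSSL 1.0.2 default: follow the
    server-supplied certificates as far as they go, then consult the trust
    store, and try an alternative chain only if no trusted anchor is reached.
    trusted_first=True models the OpenSSL 1.1.0+ default
    (X509_V_FLAG_TRUSTED_FIRST): prefer the trust store at every step.
    """
    path = [presented[0]]
    while path[-1].subject != path[-1].issuer:  # stop at a self-signed cert
        first, second = (trust_store, presented) if trusted_first else (presented, trust_store)
        nxt = find_issuer(path[-1], first) or find_issuer(path[-1], second)
        if nxt is None or nxt in path:
            break
        path.append(nxt)
    if path[-1] in trust_store:
        return path
    # Alternative-chain search (OpenSSL 1.0.2b and later): discard untrusted
    # certificates from the top until some remaining cert has a trusted issuer.
    while len(path) > 1:
        path.pop()
        anchor = find_issuer(path[-1], trust_store)
        if anchor is not None:
            return path + [anchor]
    return None


def verify(presented, trust_store, now, trusted_first):
    """Return (ok, reason, chain_subjects) for the chosen chain-building mode."""
    path = build_path(presented, trust_store, trusted_first)
    if path is None:
        return False, "unable to get issuer certificate", []
    subjects = [c.subject for c in path]
    for c in path:
        if now > c.not_after:
            return False, f"certificate has expired: {c.subject}", subjects
    return True, "ok", subjects


def demo():
    """Three trust-store / mode combinations for the same presented chain."""
    return {
        "1.0.2 default, expired DST Root CA X3 installed":
            verify(PRESENTED, [ISRG_X1_SELF, DST_X3], NOW, trusted_first=False),
        "1.0.2 default, DST Root CA X3 removed":
            verify(PRESENTED, [ISRG_X1_SELF], NOW, trusted_first=False),
        "1.1.0 trusted-first, expired DST Root CA X3 installed":
            verify(PRESENTED, [ISRG_X1_SELF, DST_X3], NOW, trusted_first=True),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

demo() gives three outcomes for December 2022: the 1.0.2-style walk with the expired DST Root CA X3 in the store ends on that root and fails with "certificate has expired", which is the server-auth failure the SRX turns into a DUMMY_CERT; the same walk with DST Root CA X3 absent recovers through the alternative-chain fallback and anchors on the self-signed ISRG Root X1; the trusted-first walk never looks at the cross-sign and succeeds either way, which is what the upgrade to a 1.1.x-based Junos release bought. The middle case is the other workaround the linked Let's Encrypt page gives for OpenSSL 1.0.x clients, removing the expired DST Root CA X3 from the trust store; whether a given SRX release lets you drop that CA from its default profile group is not something this thread establishes.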