SRX

 View Only
last person joined: 15 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SSL Reverse Proxy using wildcard certificate

  • 1.  SSL Reverse Proxy using wildcard certificate

    Posted 09-27-2023 15:46

    I am trying to setup an SSL reverse proxy using wildcard certificate (issued by GoDaddy) which is previously loaded using:

    request security pki local-certificate load certificate-id FIREWALL key certificate.key filename certificate.pem

    SSL Proxy configuration:

    enable-flow-tracing;
    protocol-version all;
    preferred-ciphers strong;
    server-certificate FIREWALL;
    actions {
        log {
            all;
            errors;
        }
        renegotiation allow;
    }

    which is applied to a policy:

    from-zone untrust to-zone trust {
        policy LDAP {
            match {
                source-address LDAP-SOURCE;
                destination-address [ DC01 DC02 ];
                application [ LDAP-636 junos-ldap LDAP-3269 ];
            }
            then {
                permit {
                    application-services {
                        ssl-proxy {
                            profile-name PUBLIC-SSL-PROXY;
                        }
                    }
                }
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }

    basically I am trying to proxy incoming LDAPS requests (terminate on the firewall) and hit the local ldap server.

    The issue that I am running into is that the wildcard certificate is never presented:

    openssl s_client -connect ldap.domain.com:3269
    CONNECTED(00000003)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 99 bytes and written 679 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

    traceoptions from the ssl service:

    Sep 27 13:58:31 13:58:31.167154:CID-0:RT:junos-ssl-term jssl_config_tbl_init_ssl_ctx[1694]: Setting up proxy mode for the profile PUBLIC-SSL-PROXY_65537_proxy_t
    Sep 27 13:58:37 13:58:37.083571:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 10966]: Handshake started.SSL state 0x2e, flags 0x20c0400010a4444, reneg count 0
    Sep 27 13:58:37 13:58:37.083571:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11005]: Out of handshake. Return -1, error code 1, state 0x2e, flags 0x20c0400010a4544, log cat 
    Sep 27 13:58:37 13:58:37.162308:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11005]: Out of handshake. Return -50, error code 11, state 0x33, flags 0x20c0400010a4544, log ca
    Sep 27 13:58:37 13:58:37.211725:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_serv_pkey_table_lookup: 463]: failed to retrive server cert info ~ 
    Sep 27 13:58:37 13:58:37.211725:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_get_server_priv_key: 504]: failed to retrive server cert info from hash table
    Sep 27 13:58:37 13:58:37.211725:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_proxy_recv_srvr_auth_info_evt: 5913]: Could not find  server private key
    Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11005]: Out of handshake. Return -51, error code 12, state 0x33, flags 0x1c0400011a4544, log cat
    Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_run_handshake: 11195]: Handshake aborted. result=12
    Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
    Sep 27 13:58:37 13:58:37.212199:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_shutdown: 12117]: Calling SSL_shutdown for sessionid 32, dir 25989
    Sep 27 13:58:37 13:58:37.281600:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
    Sep 27 13:58:37 13:58:37.281600:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12193]: In jssl_black_hole, ctrl buf session 32
    Sep 27 13:58:37 13:58:37.281600:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
    Sep 27 13:58:37 13:58:37.285616:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
    Sep 27 13:58:37 13:58:37.285616:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12193]: In jssl_black_hole, ctrl buf session 32
    Sep 27 13:58:37 13:58:37.285689:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_black_hole: 12189]: In jssl_black_hole, session 32
    Sep 27 13:58:40 13:58:40.815557:CID-0:RT:[junos-ssl-term: 65537: 137438979461 ][jssl_handle_session_destroy: 13332]: Session destroy: SSL state 0x74999738, ref count 1 sessionid 32

    The certificate is clearly loaded in the system:

    show security pki local-certificate certificate-id FIREWALL   
    LSYS: root-logical-system
    Certificate identifier: FIREWALL
      Issued to: *.domain.com, Issued by: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
      Validity:
        Not before: 04-24-2023 20:23 UTC
        Not after: 05-25-2024 20:23 UTC
      Public key algorithm: rsaEncryption(2048 bits)
      Keypair Location: Keypair generated locally

    GoDaddy's CA and CRL are also loaded:

    show security pki ca-certificate ca-profile GoDaddy 
    LSYS: root-logical-system
      CA profile: GoDaddy
    Certificate identifier: GoDaddy
      Issued to: Go Daddy Secure Certificate Authority - G2, Issued by: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
      Validity:
        Not before: 05- 3-2011 07:00 UTC
        Not after: 05- 3-2031 07:00 UTC
      Public key algorithm: rsaEncryption(2048 bits)
      Keypair Location: Keypair generated locally

    CA profile: GoDaddy
      CRL version: V2 (0x1)
      CRL issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
      Effective date: 09-25-2023 20:46 UTC
      Next update: 10- 2-2023 20:46 UTC
      Last-Download: 09-27-2023 17:00:07 UTC

    • Why is the SSL Service reporting that it can not find server key ?
    • Is there a limitation that I am using a wildcard cert in this situation ?
    • NAT is in order, i.e. if is already tested with tcp/389 and works fine so I can pin point the issue with the SSL Reverse Proxy.

    thanks!