Linux/Custom SSL Certificate

From Omnia

Man in the Middle SSL Firewall Snooping

If your workplace firewall inspects TLS traffic by re-signing connections with a custom CA certificate, several Linux applications will fail certificate verification until that CA is trusted.

Check

Look for an issuer CN that is not Google's:

echo ":: Looking for Required Decryptor Cert..."
# The CN grepped for is the inspecting firewall's own CA (example value); adjust to yours.
if curl -Ikv --max-time 10 https://www.google.com 2>&1 | grep -q "CN=decrypt.example.com" ; then
    echo ":: Yes, Cert Required"
else
    echo ":: No, Cert Not Required"
fi

Normal Google: (notice the issuer line)

* Server certificate:
*  subject: CN=www.google.com
*  start date: May 19 08:43:37 2025 GMT
*  expire date: Aug 11 08:43:36 2025 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.

Example man-in-the-middle SSL: (notice the issuer line)

* Server certificate:
*  subject: CN=www.google.com
*  start date: May 19 08:43:37 2025 GMT
*  expire date: Aug 11 08:43:36 2025 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Example Company; CN=decrypt.example.com
*  SSL certificate verify ok.
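The grep above only catches one known CN. As an added example (not from the original page), the following reads the issuer line from curl's verbose output and flags any issuer that is not the expected public CA; it assumes the expected issuer organisation is "Google Trust Services", as shown in the normal sample above.

```shell
#!/bin/sh
# Added example: classify the issuer printed by `curl -v` instead of grepping
# for one specific CN. Assumption: the public CA for www.google.com carries
# O=Google Trust Services (taken from the normal sample output on this page).
EXPECTED_ISSUER_ORG="Google Trust Services"

# Print the first issuer DN found in `curl -v` output read from stdin.
curl_issuer() {
    sed -n 's/^\*[[:space:]]*issuer: //p' | head -n 1
}

# Classify an issuer DN: "normal" for the expected public CA,
# "intercepted" for anything else, "unknown" when no issuer line was seen
# (the handshake failed before a certificate was printed).
classify_issuer() {
    case "$1" in
        "")                          echo "unknown" ;;
        *"O=$EXPECTED_ISSUER_ORG"*)  echo "normal" ;;
        *)                           echo "intercepted" ;;
    esac
}

# Classify captured curl output read from stdin.
classify_curl_output() {
    classify_issuer "$(curl_issuer)"
}

# Live check (needs network): same classification for a host name.
check_host() {
    curl -Ikv --max-time 10 "https://$1" 2>&1 | classify_curl_output
}

# Usage: check_host www.google.com
```

An "intercepted" result means the inspecting CA must be imported as described in the sections below; "unknown" usually means the connection did not complete at all.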

General

curl, wget, etc.

Most tools such as curl and wget use the system certificate store, so import the CA certificate into it:

Debian

# The CA file is fetched over plain http: confirm its fingerprint with whoever issued it before trusting it.
sudo curl -s http://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /usr/local/share/ca-certificates/cert_CUSTOM_CA.crt
sudo update-ca-certificates

Red Hat

# Writing to /etc/pki/ca-trust/source/anchors needs root, so the download runs under sudo as well.
sudo curl -s http://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /etc/pki/ca-trust/source/anchors/cert_CUSTOM_CA.crt
sudo update-ca-trust

Python

Have Python libraries such as requests (and curl) use the system bundle:

# Per-user: point requests and curl at the system CA bundle.
echo 'export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> "$HOME/.bashrc"
echo 'export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' >> "$HOME/.bashrc"
# System-wide (needs root): the same variables in /etc/environment.
sudo touch /etc/environment
echo 'REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' | sudo tee -a /etc/environment > /dev/null
echo 'CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt' | sudo tee -a /etc/environment > /dev/null
# If Python's ssl module expects the bundle at a path that does not exist, link the system bundle there.
# The bundle path shown is Debian's; on Red Hat it is /etc/pki/tls/certs/ca-bundle.crt.
CA=$(python3 -c 'import ssl;print(ssl.get_default_verify_paths().openssl_cafile)')
if [ ! -e "$CA" ] ; then
  sudo ln -s /etc/ssl/certs/ca-certificates.crt "$CA"
fi

ref: https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html


Pip

If your pip index is mirrored internally by something like Artifactory and direct access is blocked by the firewall:

# Both files live in /etc, so the copy and the rewrite need root.
sudo cp /etc/pip.conf /etc/pip.conf.bak
sudo tee /etc/pip.conf > /dev/null << "EOF"
[global]
index-url = https://artifactory.example.com/artifactory/api/pypi/pypi-remote/simple/
cert = /etc/ssl/certs/ca-certificates.crt
EOF

Snap

Configure Snap: [1]

snap set system store-certs.cert1="$(cat /path/to/mycert)"

Example:

# Writing under /etc/ssl and changing snap system settings both need root.
sudo curl -s https://internal.example.com/install/cert/cert_CUSTOM_CA.crt -o /etc/ssl/cert_CUSTOM_CA.crt
sudo snap set system store-certs.cert1="$(cat /etc/ssl/cert_CUSTOM_CA.crt)"

Remove with:

snap unset system store-certs.cert1

Firefox

Certificate Management in Firefox
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_the_certificates_on_the_token_for_ssl_
Set up Certificate Authorities (CAs) in Firefox - Linux
https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox#w_linux
