Closed
Bug 1354059
Opened 8 years ago
Closed 8 years ago
OCSP check does not use the proxy as it should when a local website that is excluded from the proxy is accessed.
Categories
(Core :: Security, defect)
Tracking
RESOLVED
INVALID
People
(Reporter: flashdown, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023
Steps to reproduce:
A local proxy is configured for all protocols and ports in Firefox.
Firefox has proxy exceptions for local website "something.internal.domain.com" because of the exception ".internal.domain.com".
Actual results:
When accessing an internal website, the traffic does not hit the proxy. So far so good, but the certificate verification check is not using the proxy either. So the browser's certificate verification check fails because the traffic is sent directly and hits the firewall instead of the proxy server. The target domain used for the certificate check is not part of the proxy exception list.
Expected results:
The certificate verification check should send its request to the proxy unless the target domain is included in the proxy exceptions.
Accessing a public website that uses a cert from the same authority works, since this public website is not part of the proxy exceptions, so the request to the registrar's domain is sent through the proxy as well. When now trying the internal website again, the validation is successful, because it worked once when accessing the public website.
So possible workarounds are: permit the traffic on the firewall, or access a public website that uses an SSL cert from the same authority once.
Error code was: SEC_ERROR_UNKNOWN_ISSUER
Additional: the internal website's certificate also provides the intermediate CA, as it should.
There were no attempts visible on the firewall.
I checked more and found out that apache2 did not supply the given intermediate CA, so this is where the issue was coming from.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
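The two mechanisms the report touches, as an added example that is not part of the bug or of Mozilla's code: the reporter's own conclusion is that apache2 did not send the intermediate, which yields SEC_ERROR_UNKNOWN_ISSUER whatever the proxy does, and the "works after visiting a public site" observation is the browser reusing an intermediate it obtained earlier. The Go program below mints a hypothetical root, intermediate and leaf for something.internal.domain.com (CA names and AIA URLs are constructed), verifies the leaf with and without the intermediate, and models the Firefox "No proxy for" list to show which validation fetches (OCSP responder, caIssuers URL) would go direct and which through the proxy. The bypass matching is a simplified model of Firefox's (host names and dotted suffixes only), and x509.UnknownAuthorityError is used as the Go analogue of the NSS error code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed for this example: the host, the CA names and the AIA URLs are hypothetical.
const siteHost = "something.internal.domain.com"

func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced, cannot fail
	return c
}

// BuildChain mints root -> intermediate -> leaf. The leaf carries AIA pointers (OCSP
// responder and caIssuers) that the browser fetches when the server omits the intermediate.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Example Root CA")
	root = mkCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter = mkCert(ca(2, "Example Issuing CA"), root, &interKey.PublicKey, rootKey)
	leaf = mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: siteHost},
		DNSNames: []string{siteHost}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer:            []string{"http://ocsp.example-ca.com"},
		IssuingCertificateURL: []string{"http://pki.example-ca.com/issuing-ca.crt"},
	}, inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf
}

// Verify does what the browser does: trust only the root and use whatever intermediates
// it holds (served by the site, cached from an earlier site, or fetched via AIA).
func Verify(root, leaf *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: siteHost})
	return err
}

// IsUnknownIssuer is the Go analogue of SEC_ERROR_UNKNOWN_ISSUER: no path to a trusted root.
func IsUnknownIssuer(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Bypassed models a Firefox "No proxy for" entry, simplified to host names and dotted
// suffixes (no IP ranges or CIDRs): ".internal.domain.com" matches every host under it.
func Bypassed(host string, noProxy []string) bool {
	host = strings.ToLower(host)
	for _, e := range noProxy {
		e = strings.ToLower(strings.TrimSpace(e))
		suffix := e
		if !strings.HasPrefix(e, ".") {
			suffix = "." + e
		}
		if host == e || strings.HasSuffix(host, suffix) {
			return true
		}
	}
	return false
}

// FetchTargets maps each host contacted while validating leaf (the site, the OCSP responder,
// the caIssuers URL) to whether that request goes through the proxy: the site is excepted,
// the CA's hosts are not, so those fetches must use the proxy, as the report expects.
func FetchTargets(leaf *x509.Certificate, noProxy []string) map[string]bool {
	out := map[string]bool{siteHost: !Bypassed(siteHost, noProxy)}
	urls := append(append([]string{}, leaf.OCSPServer...), leaf.IssuingCertificateURL...)
	for _, raw := range urls {
		if u, err := url.Parse(raw); err == nil && u.Hostname() != "" {
			out[u.Hostname()] = !Bypassed(u.Hostname(), noProxy)
		}
	}
	return out
}
```

Verify(root, leaf) with no intermediates reproduces the unknown-issuer failure the reporter saw; Verify(root, leaf, inter) is the state after apache2 is fixed to send the intermediate (or after the browser has cached it from another site). FetchTargets shows that with the exception ".internal.domain.com" only the site itself goes direct, while ocsp.example-ca.com and pki.example-ca.com are routed through the proxy.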