Re: SRX1500 SSL Proxy Signing hash

Hi All,

SOLUTION FOUND!!

The only thing that is preventing SSL forward proxy from working seamlessly with the major browsers is, as you report, that when doing SSL-T-SSL (generating the certificate between the firewall and the client) the SRX generates the certificate with SHA1, even though your root certificate may be signed with SHA-256.

IE & Firefox are OK with SHA1-signed certs as of April 2017; however, Google Chrome puts up the errors.

There is a solution to this!!


1.  Download the Google Chrome Group Policy templates: https://www.chromium.org/administrators/policy-templates

2.  Load the ADM or ADMX group policy template under Computer Configuration > Administrative Templates

3.  Under Administrative Templates you will see settings to adjust Google Chrome (see screenshot)

4.  Set the group policy object called "Whether SHA-1 signed certificates issued by local trust anchor" to ENABLED

5.  Close and restart Chrome

SSL forward proxy now works across all domain computers with Google Chrome.

[Screenshot: chrome-sha1-work-around.PNG]

## cso simple walk-through

## operational mode: generate the RSA key pair, then a self-signed root CA certificate with a SHA-256 digest
request security pki generate-key-pair certificate-id self-cert2017 size 2048 type rsa

request security pki local-certificate generate-self-signed add-ca-constraint certificate-id self-cert2017 subject "DC=whatever, DC=test, CN=whatever.test, OU=ITC, O=whatever, SN=20170422" domain-name whatever.test email test@yourdomain.com.au digest sha-256

## confirm the root certificate is present
show security pki local-certificate

## load the default bundle of public CA certificates into a CA profile group (used to validate the server side of the proxied session)
request security pki ca-certificate ca-profile-group load ca-group-name cag2017 filename default

## from configuration mode:
set services ssl traceoptions file ssl-proxy
set services ssl traceoptions flag all
set services ssl proxy profile test-sslp trusted-ca cag2017
set services ssl proxy profile test-sslp root-ca self-cert2017
## ignore-server-auth-failure makes the SRX proceed even when the upstream server certificate fails validation
set services ssl proxy profile test-sslp actions ignore-server-auth-failure
set services ssl proxy profile test-sslp actions log all
set services ssl proxy profile test-sslp actions log errors

set security policies from-zone trust to-zone untrust policy outbound-ssl match source-address any
set security policies from-zone trust to-zone untrust policy outbound-ssl match destination-address any
set security policies from-zone trust to-zone untrust policy outbound-ssl match application junos-https
set security policies from-zone trust to-zone untrust policy outbound-ssl then permit application-services ssl-proxy profile-name test-sslp

commit

## Now export the certificate from the firewall for import into Windows (for IE and Chrome) and Firefox
## physical SRX:
request security pki local-certificate export certificate-id self-cert2017 type pem filename /cf/var/db/certs/common/local/srx-root-ca2017.pem
## vSRX:
request security pki local-certificate export certificate-id self-cert2017 type pem filename /cf/var/db/certs/srx-root-ca2017.pem

## SCP into the firewall, grab the .pem file and rename it to .crt
## import the .crt file into the machine's Trusted Root Certification Authorities store

[Screenshot: chrome-sha1-work-around-2.PNG]
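Added example, not part of the original post or of any Juniper tooling: a small Python 3 check (standard library only) that reads the outer signatureAlgorithm of a DER-encoded certificate, so you can confirm what the proxy's re-signed leaf actually carries before and after changing anything. The parser works on any real DER certificate; `fetch_leaf_der` pulls the leaf from a live host through the proxy (a network call, not used by the offline sample); `constructed_cert` builds a skeletal DER structure with dummy tbsCertificate and signature bytes purely as constructed sample input. All function names, the example host name and the OID table entries are this example's own assumptions.

```python
"""Report the signature hash of the certificate a TLS endpoint presents.

Added example (not from the original post). Standard library only.
"""
import socket
import ssl

# Dotted OID -> AlgorithmIdentifier name for the outer signatureAlgorithm.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, start, _ = _read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, _, tbs_end = _read_tlv(der, start)              # tbsCertificate, skipped whole
    assert tag == 0x30
    tag, alg_start, _ = _read_tlv(der, tbs_end)          # signatureAlgorithm ::= SEQUENCE
    assert tag == 0x30
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    assert tag == 0x06
    return _decode_oid(der[oid_start:oid_end])


def describe(der):
    """Algorithm name for the outer signature, or the raw OID if unknown."""
    oid = signature_algorithm(der)
    return SIG_ALG_OIDS.get(oid, oid)


def is_sha1_signed(der):
    """True when the certificate's outer signature uses SHA-1 (RSA or ECDSA)."""
    return "sha1" in describe(der).lower()


def fetch_leaf_der(host, port=443):
    """Grab the leaf certificate a server (or an interposing proxy) presents.

    Verification is disabled on purpose: we want whatever is served, even a
    cert the local trust store would reject. Network call; not used offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample input (not a real certificate) ---------------------

def _tlv(tag, body):
    """DER-encode a TLV with definite length."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + body


def _encode_oid(dotted):
    """Encode a dotted OID into OBJECT IDENTIFIER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert(sig_oid):
    """Skeletal DER Certificate whose outer signatureAlgorithm is sig_oid.

    tbsCertificate and signatureValue are dummies: enough for the parser
    above to exercise the OID path, useless to a TLS stack.
    """
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                   # SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))   # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00" * 9)                                            # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = constructed_cert(oid)
        print(describe(der), "sha1?", is_sha1_signed(der))
    # Against a proxied site: print(describe(fetch_leaf_der("www.example.com")))
```

Run it from a client behind the proxy with `fetch_leaf_der` pointed at any HTTPS site: with the trust-store import done but no policy change, a leaf reported as sha1WithRSAEncryption is exactly the case Chrome rejects, and the same call after a change lets you confirm the leaf, not only the imported root, is SHA-256. In Chrome's policy list the setting named in step 4 is `EnableSha1ForLocalAnchors`; it only relaxes the client, so the check above is how you tell whether the proxy side has actually changed.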