2 Proxy
Luciano Righetti edited this page 2022-03-16 11:02:29 +01:00

Using MISP behind a Proxy

MISP is fully capable of working behind a proxy. To configure a proxy in your MISP instance, go to Administration -> Server Settings & Maintenance -> Proxy Settings (https://misp_host/servers/serverSettings/Proxy).

[Screenshot: MISP proxy settings]

Proxy diagnostics

You can check whether your proxy configuration is working on the MISP diagnostics page: go to Administration -> Server Settings & Maintenance -> Diagnostics (https://MISP_HOST/servers/serverSettings/diagnostics).

[Screenshot: MISP proxy diagnostics ok]

Troubleshooting

[Screenshot: MISP proxy diagnostics error]

The proxy is not working, I cannot fetch feeds or sync with external MISP instances.

When the diagnostics page shows "Getting URL via proxy failed", check the MISP error log (/var/www/MISP/app/tmp/logs/error.log) for more details.

tls_process_server_certificate:certificate verify failed

Full error log:

2022-03-16 08:39:53 Warning: Warning (2): stream_socket_enable_crypto() [<a href='http://php.net/function.stream-socket-enable-crypto'>function.stream-socket-enable-crypto</a>]: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 504]
Trace:
ErrorHandler::handleError() - APP/Lib/cakephp/lib/Cake/Error/ErrorHandler.php, line 230
stream_socket_enable_crypto - [internal], line ??
CakeSocket::enableCrypto() - APP/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 504
CakeSocket::connect() - APP/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 261
HttpSocketExtended::connect() - APP/Lib/Tools/HttpSocketExtended.php, line 147
CakeSocket::write() - APP/Lib/cakephp/lib/Cake/Network/CakeSocket.php, line 400
HttpSocket::request() - APP/Lib/cakephp/lib/Cake/Network/Http/HttpSocket.php, line 377
HttpSocketExtended::request() - APP/Lib/Tools/HttpSocketExtended.php, line 186
HttpSocket::get() - APP/Lib/cakephp/lib/Cake/Network/Http/HttpSocket.php, line 464
Server::proxyDiagnostics() - APP/Model/Server.php, line 3432
ServersController::serverSettings() - APP/Controller/ServersController.php, line 1160
ReflectionMethod::invokeArgs() - [internal], line ??
Controller::invokeAction() - APP/Lib/cakephp/lib/Cake/Controller/Controller.php, line 499
Dispatcher::_invoke() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 193
Dispatcher::dispatch() - APP/Lib/cakephp/lib/Cake/Routing/Dispatcher.php, line 167
[main] - APP/webroot/index.php, line 99

This error means your proxy presents a certificate that could not be verified against MISP's internal CA bundle. To add your proxy's CA certificate to the MISP CA bundle, do the following:

  1. Export your proxy CA certificate in PEM format. If you can only export it in DER format, convert it to PEM with the following command:

    openssl x509 -inform der -in proxy-cacert.der -out proxy-cacert.pem

  2. Copy the proxy CA certificate to your MISP instance.

  3. Verify that the proxy CA is valid. From the MISP server terminal, run:

    $ curl -I --proxy http://[PROXY_HOST]:[PROXY_PORT] \
        --cacert proxy-cacert.pem \
        --location https://github.com
    HTTP/1.0 200 Connection established
    
    HTTP/2 200 
    [...]
    

    If your proxy requires authentication, add the following option: --proxy-user username:password

    If the request goes through, continue with the next step. If you get an error such as the following, the certificate is not valid; review the previous steps.

    HTTP/1.0 200 Connection established
    
    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    More details here: https://curl.haxx.se/docs/sslcerts.html
    
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    
  4. If the curl request worked, add the proxy CA certificate to the MISP internal CA bundle. From the MISP instance terminal, run:

    sudo cp /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem /etc/ssl/certs/misp-ca-bundle.pem
    # Append through "sudo tee -a": with "sudo echo ... >> file" the redirection runs as the calling user, not root
    printf '\nCompany Proxy CA\n======================\n' | sudo tee -a /etc/ssl/certs/misp-ca-bundle.pem > /dev/null
    sudo tee -a /etc/ssl/certs/misp-ca-bundle.pem < proxy-cacert.pem > /dev/null
    

    The contents of the /etc/ssl/certs/misp-ca-bundle.pem file should look similar to this:

    [...]
    
    bxJF0WddCajJFdr60qZfE2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyRVJ12AMXDuDjb
    -----END CERTIFICATE-----
    
    Company Proxy CA
    ======================
    -----BEGIN CERTIFICATE-----
    MIIDpzCCAo+gAwIBAgIEcZkjuzANBgkqhkiG9w0BAQsFADCBijEUMBIGA1UEBhML
    UG9ydFN3aWdnZXIxFDASBgNVBAgTC1BvcnRTd2lnZ2VyMRQwEgYDVQQHEwtQb3J0
    U3dpZ2dlcjEUMBIGA1UEChMLUG9ydFN3aWdnZXIxFzAVBgNVBAsTDlBvcnRTd2ln
    Z2VyIENBMRcwFQYDVQQDEw5Qb3J0U3dpZ2dlciBDQTAeFw0xNDAxMDMxOTA4NDZa
    Fw0zMjAxMDMxOTA4NDZaMIGKMRQwEgYDVQQGEwtQb3J0U3dpZ2dlcjEUMBIGA1UE
    CBMLUG9ydFN3aWdnZXIxFDASBgNVBAcTC1BvcnRTd2lnZ2VyMRQwEgYDVQQKEwtQ
    b3J0U3dpZ2dlcjEXMBUGA1UECxMOUG9ydFN3aWdnZXIgQ0ExFzAVBgNVBAMTDlBv
    cnRTd2lnZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy/O9
    [...]
    
  5. Update the MISP.ca_path setting to the value /etc/ssl/certs/misp-ca-bundle.pem by running:

    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting MISP.ca_path /etc/ssl/certs/misp-ca-bundle.pem
    Setting "MISP.ca_path" changed to "/etc/ssl/certs/misp-ca-bundle.pem"
    
  6. Check the MISP diagnostics page: go to Administration -> Server Settings & Maintenance -> Diagnostics (https://MISP_HOST/servers/serverSettings/diagnostics).

    [Screenshot: MISP proxy diagnostics ok]
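A check for the bundle built in steps 4 and 5, as an added example that is not part of the MISP wiki or of MISP: it fingerprints every certificate block in the bundle and confirms the proxy CA is among them, which catches an append that never reached the file or a CA file that is still DER. The function names (`pem_fingerprints`, `bundle_contains`, `make_pem`) are hypothetical, and the sample "certificates" are constructed byte strings rather than real X.509 data.

```shell
#!/bin/sh
# Added example (not MISP code). All function names here are hypothetical.

# Print the SHA-256 of the decoded body of every CERTIFICATE block in PEM file $1.
# Label and separator lines between blocks, as written in step 4, are ignored.
pem_fingerprints() {
    awk '
        /^[ \t]*-----BEGIN CERTIFICATE-----/ { inside = 1; b64 = ""; next }
        /^[ \t]*-----END CERTIFICATE-----/   { if (inside) print b64; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); b64 = b64 $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
    done
}

# Exit status 0: every certificate in $2 is present in bundle $1.
# 1: at least one is missing. 2: $2 holds no PEM certificate (e.g. it is still DER).
bundle_contains() {
    have=$(pem_fingerprints "$1")
    want=$(pem_fingerprints "$2")
    [ -n "$want" ] || return 2
    for fp in $want; do
        printf '%s\n' "$have" | grep -qx "$fp" || return 1
    done
    return 0
}

# Constructed stand-in for a certificate: arbitrary bytes in PEM armour, not real X.509.
make_pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        "$(printf '%s' "$1" | base64)" '-----END CERTIFICATE-----'
}

# Constructed demo data, kept in a temporary directory that is removed on exit.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
{ make_pem 'constructed public root A'; make_pem 'constructed public root B'; } > "$demo/bundle.pem"
make_pem 'constructed company proxy CA' > "$demo/proxy-cacert.pem"
printf '0\202\003\247' > "$demo/proxy-cacert.der"   # raw bytes without PEM armour

rc=0; bundle_contains "$demo/bundle.pem" "$demo/proxy-cacert.pem" || rc=$?
echo "before append: status $rc"
# Same layout as step 4: blank line, label, separator, then the certificate.
printf '\nCompany Proxy CA\n======================\n' >> "$demo/bundle.pem"
cat "$demo/proxy-cacert.pem" >> "$demo/bundle.pem"
rc=0; bundle_contains "$demo/bundle.pem" "$demo/proxy-cacert.pem" || rc=$?
echo "after append: status $rc"
rc=0; bundle_contains "$demo/bundle.pem" "$demo/proxy-cacert.der" || rc=$?
echo "DER file given: status $rc"
```

On the MISP server the equivalent call is `bundle_contains /etc/ssl/certs/misp-ca-bundle.pem proxy-cacert.pem`. For a real certificate, each fingerprint equals what `openssl x509 -noout -fingerprint -sha256` prints, apart from case and colons.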

NOTE: If you want to restore MISP original CA bundle file, replace the following file /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem with this one this and replace