1. Introduction
The "SSL Certificate Chain Contains Unnecessary Certificates" finding means the server sends more certificates than clients need to verify its identity. This can cause problems for some older systems, especially embedded devices, that struggle to process long certificate chains. The impact on confidentiality and integrity is low, but it can lead to service unavailability when a client cannot complete the handshake and so cannot establish a secure connection.
2. Technical Explanation
The issue occurs when the server’s configuration includes intermediate or root certificates that aren’t required for building a valid chain of trust back to a trusted Certificate Authority (CA). Clients only need enough certificates to reach a CA they already trust. Including extra certificates doesn’t improve security and can cause connection failures. There is no known CVE associated with this specific issue, but it relates to improper certificate handling as described in RFC 4346.
- Root cause: The server administrator has included unnecessary certificates in the SSL configuration bundle.
- Exploit mechanism: An attacker doesn’t directly exploit this vulnerability; instead, a client unable to process the full chain will fail to connect. This could be used for denial of service against systems relying on those clients. For example, an embedded device attempting to connect to a server with an overly long certificate chain may experience connection errors.
- Scope: Affected platforms are any using SSL/TLS where the configuration allows inclusion of unnecessary certificates. Common in older versions of web servers and embedded devices.
3. Detection and Assessment
You can check for this issue by examining the certificate chain presented during an SSL handshake. A thorough method involves decoding the entire chain and verifying each certificate’s purpose.
- Quick checks: Use `openssl s_client -connect {target_host}:{port}` and examine the output for multiple certificates beyond the server’s own certificate and a single intermediate CA certificate.
- Scanning: Qualys SSL Labs SSL Server Test (https://www.ssllabs.com/ssltest/) will report “Certificate chain contains unnecessary certificates” if found. This is an example only, and results should be verified manually.
- Logs and evidence: Server logs may not directly indicate this issue but can show connection attempts failing due to certificate errors. Look for TLS handshake failures or certificate validation errors.
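To make the quick check above repeatable, the following Python script is an added example (not code from the original page). It reads the transcript printed by `openssl s_client -connect {target_host}:{port}`, parses only the `s:` / `i:` summary lines under "Certificate chain", walks from the server certificate to the first issuer found in a trust list you supply, and reports every certificate off that path: duplicates, a root the client already holds, or certificates from an unrelated hierarchy. The transcript, the CA names and the `TRUSTED_ROOTS` set are constructed placeholders; subject and issuer strings are compared verbatim, so the anchor names you pass must use the same format your openssl version prints. The same script serves the post-fix check in the verification section: a corrected chain yields no findings.

```python
"""Flag unnecessary certificates in the chain a TLS server presents.

Added example, not code from the original page. Works on a saved
`openssl s_client` transcript and needs no X.509 library.
"""
import re
import sys
from dataclasses import dataclass

# Constructed transcript (CA names are placeholders): a leaf, its issuing
# CA, a duplicate of that CA, the self-signed root, and a certificate from
# an unrelated hierarchy.
SAMPLE_SCLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Issuing CA
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
 2 s:CN = Example Issuing CA
   i:CN = Example Root CA
 3 s:CN = Example Root CA
   i:CN = Example Root CA
 4 s:CN = Unrelated Cross CA
   i:CN = Other Root CA
---
Server certificate
"""

# Assumed trust-store contents for the demo; use your clients' real anchors.
TRUSTED_ROOTS = {"CN = Example Root CA"}

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


@dataclass(frozen=True)
class ChainEntry:
    depth: int
    subject: str
    issuer: str


def parse_chain(transcript):
    """Extract (depth, subject, issuer) per certificate in the 'Certificate
    chain' block; depth 0 is the server's own certificate."""
    entries = []
    lines = transcript.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "Certificate chain"), None)
    if start is None:
        return entries
    i = start + 1
    while i < len(lines) and not lines[i].startswith("---"):
        m = _SUBJECT.match(lines[i])
        mi = _ISSUER.match(lines[i + 1]) if m and i + 1 < len(lines) else None
        if m and mi:
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip(), mi.group(1).strip()))
            i += 2
        else:
            i += 1
    return entries


def analyse(entries, trusted_roots):
    """Walk from the leaf to the first issuer the client already trusts.
    Returns (needed_depths, findings, reaches_trust); findings lists
    (depth, reason) for every certificate off that path."""
    if not entries:
        return [], [], False
    by_subject = {}
    for e in entries:
        by_subject.setdefault(e.subject, e)  # first copy of a subject wins
    needed = [entries[0]]
    reaches_trust = False
    while True:
        cur = needed[-1]
        if cur.issuer in trusted_roots:
            reaches_trust = True          # the client can stop validating here
            break
        if cur.issuer == cur.subject:
            break                         # self-signed but not in the trust list
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt in needed:
            break                         # missing issuer or a loop
        needed.append(nxt)
    needed_depths = {e.depth for e in needed}
    needed_subjects = {e.subject for e in needed}
    findings = []
    for e in entries:
        if e.depth in needed_depths:
            continue
        if e.subject == e.issuer and e.subject in trusted_roots:
            reason = "trusted root sent to the client, which already holds it"
        elif e.subject in needed_subjects:
            reason = "duplicate of a certificate already on the path"
        else:
            reason = "not on the path from the leaf to a trusted CA"
        findings.append((e.depth, reason))
    return sorted(needed_depths), findings, reaches_trust


def report(transcript, trusted_roots):
    """One line per result, suitable for pasting into a ticket."""
    needed, findings, ok = analyse(parse_chain(transcript), trusted_roots)
    lines = [f"needed depths: {needed}; reaches trusted CA: {ok}"]
    lines += [f"depth {d}: unnecessary ({why})" for d, why in findings]
    return lines


if __name__ == "__main__":
    # Usage: python chain_check.py saved_sclient_output.txt (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCLIENT_OUTPUT
    print("\n".join(report(text, TRUSTED_ROOTS)))
```

Run it against `openssl s_client -connect yourserver.example.com:443 </dev/null > chain.txt` output; on the constructed sample it keeps depths 0 and 1 and flags depths 2, 3 and 4. If the chain does not reach a trusted CA at all (`reaches trusted CA: False`), the server is missing an intermediate rather than sending too many, which is a different problem from the one this page covers.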
openssl s_client -connect yourserver.example.com:443
4. Solution / Remediation Steps
Remove unnecessary certificates from the server’s SSL configuration to ensure only essential certificates are included in the chain.
4.1 Preparation
- Ensure you have access to the correct server configuration files and take a backup of the current SSL configuration files before editing. The roll back plan is to restore those files from the backup.
- A change window may be required depending on your organisation’s policies and the criticality of the service. Approval from a senior administrator might also be needed.
4.2 Implementation
- Step 1: Locate the server’s SSL configuration file (e.g., Apache httpd.conf, Nginx nginx.conf).
- Step 2: Open the configuration file in a text editor.
- Step 3: Identify the section containing the certificate chain definition (usually SSLCertificateFile and SSLCertificateChainFile for Apache or ssl_certificate and ssl_certificate_key for Nginx).
- Step 4: Remove any intermediate certificates that are not directly required to form a path back to the root CA. Keep only the server’s certificate and, if necessary, one immediate intermediate certificate.
- Step 5: Save the configuration file.
- Step 6: Restart the web service for the changes to take effect.
4.3 Config or Code Example
Before
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateChainFile /etc/ssl/certs/intermediate1.crt
SSLCertificateChainFile /etc/ssl/certs/intermediate2.crt
After
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateChainFile /etc/ssl/certs/intermediate1.crt
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this issue.
- Practice 1: Least privilege – limit access to SSL configuration files to only authorised personnel, reducing the risk of incorrect modifications.
- Practice 2: Secure defaults – use a minimal and secure default SSL configuration provided by your web server vendor.
4.5 Automation (Optional)
Ansible example for updating Apache config:
---
- name: Remove unnecessary certificates from Apache SSL config
  hosts: webservers
  become: true
  tasks:
    # Match only the redundant second intermediate from the 4.3 example; a bare
    # '^SSLCertificateChainFile' pattern with state: absent would also remove the
    # intermediate that the chain still needs. Adjust path and file name to your site.
    - name: Drop the redundant intermediate certificate directive
      lineinfile:
        path: /etc/apache2/sites-available/your_site.conf
        regexp: '^SSLCertificateChainFile\s+/etc/ssl/certs/intermediate2\.crt'
        state: absent
      notify: Restart Apache
  handlers:
    - name: Restart Apache
      service:
        name: apache2
        state: restarted
5. Verification / Validation
Confirm the fix by re-examining the certificate chain presented during an SSL handshake.
- Post-fix check: Run `openssl s_client -connect {target_host}:{port}` again and verify that only the server’s certificate and one intermediate CA certificate are listed.
- Re-test: Re-run the Qualys SSL Labs SSL Server Test to confirm the “Certificate chain contains unnecessary certificates” warning is no longer present.
- Smoke test: Verify website functionality by browsing to key pages and submitting forms. Ensure all core services remain operational.
openssl s_client -connect yourserver.example.com:443 | grep 'certificate'
6. Preventive Measures and Monitoring
Regularly review SSL configurations to prevent recurrence.
- Baselines: Update security baselines or policies to include a requirement for minimal certificate chains in SSL configurations, such as CIS benchmarks.
- Asset and patch process: Review SSL certificate configurations during regular asset inventory and vulnerability assessments. A quarterly review cycle is sensible.
7. Risks, Side Effects, and Roll Back
- Risk or side effect 1: Removing the wrong certificate could cause connection failures. Mitigation: Confirm which certificates the chain needs before editing, and verify the result as described in section 5.
- Risk or side effect 2: Restarting the web service may cause brief downtime. Mitigation: Schedule changes during off-peak hours and have a roll back plan in place.
- Roll back: Restore the original SSL configuration files from the backup taken during preparation (section 4.1), then restart the web service.
8. References and Resources
Links to relevant documentation.
- Vendor advisory or bulletin: Check your web server vendor’s documentation for best practices on SSL certificate configuration (e.g., Apache, Nginx).