Is there a way to show the actual SSL chain in a block page?
Example: in the SSL preset rules there is a rule for blocking untrusted certificate authorities.
I would like to see the certificate chain in the block page to verify the output (mainly the root CA) against our predefined certificate authorities.
No, unfortunately not.
I think this also might become a little complicated:
For many blocks because of "untrusted certificate authorities", the problem is that there is a missing intermediate CA: the server is not sending the complete certificate chain but only the server certificate. In such a case you won't see the complete CA chain, but only the server certificate. From that you could extract the meta information for the issuing CA, but your chain would end there.
If you get the complete chain, you would probably only see some meta information about the Root CA, such as the O, OU and CN attributes or similar. Those are not suitable for exactly finding the matching CA in the list, since the lists in MWG also only reveal those attributes but nothing more helpful, such as an SHA1 fingerprint.
I usually use some web based form where I enter the URL I am interested in and a script calls openssl and fetches the certificates. Then I can inspect the certificates from there and find out if we have it in the list. This also fails for cases where the chain is not sent, which ends in some manual work usually :-)
Is there a specific issue you have or are you just looking for some overall enhancements of the block pages?
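As an added illustration of the chain inspection described in the answer above (this is example code, not part of this thread and not MWG or openssl code): the program below does what the "script calls openssl" helper does, but in Go, and it tells the two failure modes apart, a chain that ends because the intermediate was not sent versus a complete chain whose root is not in the predefined CA list. It prints subject, issuer and the SHA1 fingerprint per certificate, the fingerprint being the value you can match against a CA list unambiguously. To run offline it generates a constructed root/intermediate/leaf chain in memory (the names `Example Root CA`, `Example Intermediate CA` and `www.example.test` are made up); in practice you would feed it the certificates pasted from `openssl s_client -showcerts` instead.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ChainReport is the information a block page would need to show for an
// "untrusted CA" block: one line per certificate plus the outcome of the checks.
type ChainReport struct {
	Lines    []string // subject / issuer / SHA1 per certificate, plus findings
	Complete bool     // every issuer was found in the presented chain or in the CA list
	Trusted  bool     // the chain verifies against the predefined CA list
	RootFP   string   // SHA1 fingerprint of the root that anchored the chain ("" if none)
}

// Fingerprint returns the SHA1 fingerprint in the colon-separated form that
// "openssl x509 -fingerprint -sha1" prints.
func Fingerprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// Certs builds a certificate list; it only exists to keep call sites short.
func Certs(cs ...*x509.Certificate) []*x509.Certificate { return cs }

// findIssuer returns the certificate in pool that issued c: subject must match
// c's issuer and the signature must actually verify (a self-signed root matches itself).
func findIssuer(c *x509.Certificate, pool []*x509.Certificate) *x509.Certificate {
	for _, p := range pool {
		if bytes.Equal(p.RawSubject, c.RawIssuer) && c.CheckSignatureFrom(p) == nil {
			return p
		}
	}
	return nil
}

// InspectChain takes the certificates as the server presented them (leaf first)
// and the predefined CA list, and reports completeness and trust separately.
func InspectChain(presented, caList []*x509.Certificate) ChainReport {
	var r ChainReport
	if len(presented) == 0 {
		r.Lines = append(r.Lines, "server presented no certificate")
		return r
	}
	for i, c := range presented {
		r.Lines = append(r.Lines, fmt.Sprintf("%d: subject=%q issuer=%q sha1=%s",
			i, c.Subject.CommonName, c.Issuer.CommonName, Fingerprint(c)))
	}
	// Completeness: each certificate's issuer must be sent by the server or be in the CA list.
	r.Complete = true
	for _, c := range presented {
		if findIssuer(c, presented) == nil && findIssuer(c, caList) == nil {
			r.Complete = false
			r.Lines = append(r.Lines, fmt.Sprintf("chain ends at %q: issuer %q was neither sent by the server nor found in the CA list",
				c.Subject.CommonName, c.Issuer.CommonName))
		}
	}
	// Trust: build the path with the predefined CAs as the only trust anchors.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range caList {
		roots.AddCert(c)
	}
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		r.Lines = append(r.Lines, "verify: "+err.Error())
		return r
	}
	r.Trusted = true
	r.RootFP = Fingerprint(chains[0][len(chains[0])-1])
	return r
}

// DemoChain generates a constructed root -> intermediate -> leaf chain in memory
// (test data only, not a real CA) so the example runs without network access.
func DemoChain() (leaf, inter, root *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	sign := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		return c
	}
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, DNSNames: []string{cn},
		}
		if ca {
			t.KeyUsage, t.ExtKeyUsage, t.DNSNames = x509.KeyUsageCertSign, nil, nil
		}
		return t
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := tmpl(1, "Example Root CA", true)
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter = sign(tmpl(2, "Example Intermediate CA", true), root, &interKey.PublicKey, rootKey)
	leaf = sign(tmpl(3, "www.example.test", false), inter, &leafKey.PublicKey, interKey)
	return leaf, inter, root
}

func main() {
	leaf, inter, root := DemoChain()
	cases := []struct {
		name string
		rep  ChainReport
	}{
		{"full chain, root in CA list", InspectChain(Certs(leaf, inter), Certs(root))},
		{"leaf only (intermediate missing)", InspectChain(Certs(leaf), Certs(root))},
		{"full chain incl. root, root not in CA list", InspectChain(Certs(leaf, inter, root), nil)},
	}
	for _, c := range cases {
		fmt.Printf("== %s: complete=%v trusted=%v root=%s\n", c.name, c.rep.Complete, c.rep.Trusted, c.rep.RootFP)
		for _, l := range c.rep.Lines {
			fmt.Println("  " + l)
		}
	}
}
```

The three cases in `main` are the ones the answer describes: a complete chain anchored in the list, a server that sends only its own certificate (the chain ends at the leaf and the issuer name is all you get), and a complete chain whose root is simply not one of the predefined CAs. Only the last two look identical in a block page that shows CN/O/OU alone; the fingerprint and the "chain ends at" line are what separate them.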
There is no specific issue. I would only like to enhance the output of our block pages. This might help the customer to understand the blocking reason and might help us with problem solving.