[squid-users] ECDSA and SSL bump

Yuri yvoinov at gmail.com
Sun Jun 19 09:42:25 UTC 2016


That's just the point that everything was done according to the guidelines.

# First create EC parameters for selected curve
openssl ecparam -name secp384r1 -out secp384r1.pem
# Then generate dhparam with this EC params
openssl dhparam -in secp384r1.pem -outform PEM -out dhparam.pem 3072

# root CA 1
openssl ecparam -name secp384r1 -genkey -param_enc explicit -out rootCA.key
openssl req -new -x509 -sha256 -key rootCA.key -out rootCA.crt -days 10950

# Generate the CRL (both in PEM and DER):
openssl ca -config openssl.cfg -gencrl -keyfile rootCA.key -cert rootCA.crt -out rootCA.crl.pem
openssl crl -inform PEM -in rootCA.crl.pem -outform DER -out rootCA.crl

# root CA 2
openssl ecparam -name secp384r1 -genkey -param_enc explicit -out rootCA2.key
openssl req -new -sha256 -key rootCA2.key -out rootCA2.csr
openssl ca -keyfile rootCA.key -cert rootCA.crt -in rootCA2.csr -out rootCA2.crt -config openssl.cfg -days 9125

I do not see where I could have made such a stupid mistake.

On 19.06.2016 15:18, Amos Jeffries wrote:
> On 19/06/2016 12:42 a.m., Yuri Voinov wrote:
>> Good weekend to all.
>>
>> Gentlemen, has anybody played with ECDSA certificates and SSL bump with Squid?
>>
>> When I try to use an ECDSA self-signed CA to bump, Squid (version
>> does not matter) gives an SSLv3 error (for unknown reasons) and cannot
>> establish a secure connection, with a CIPHER/PROTOCOL negotiation error in
>> the browser. Yes, latest Chrome.
>>
>> Does this mean that Squid does not support ECDSA?
>>
> It means your certificate was not created with the flags indicating
> which Curve it is to be used with.
>   <https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography#Named_Curves>
>
> I can't find any evidence of the flag being set on generated
> certificates. So that may also be adding to the problem.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
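Amos's point concerns how the curve is encoded in the key and certificate: `openssl ecparam -param_enc explicit`, as used in the commands above, writes the full curve parameters into the key instead of the secp384r1 named-curve OID. The checker below is an added example, not code from this thread or from Squid; it parses a DER SubjectPublicKeyInfo with the standard library only and reports which encoding it carries (the sample keys inside it are constructed stubs with placeholder public points, not real keys).

```python
# Added example: report whether an EC SubjectPublicKeyInfo (DER) names its
# curve by OID or carries explicit ECParameters. Stdlib only.
ID_EC_PUBLIC_KEY = bytes.fromhex("2A8648CE3D0201")     # OID 1.2.840.10045.2.1
NAMED_CURVES = {                                       # OID body -> curve name
    bytes.fromhex("2A8648CE3D030107"): "prime256v1",   # 1.2.840.10045.3.1.7
    bytes.fromhex("2B81040022"): "secp384r1",          # 1.3.132.0.34
    bytes.fromhex("2B81040023"): "secp521r1",          # 1.3.132.0.35
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ec_param_encoding(spki_der):
    """Return ("named", curve), ("explicit", None) or ("implicit", None)."""
    tag, spki, _ = read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, algid, _ = read_tlv(spki, 0)                  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = read_tlv(algid, 0)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    if pos >= len(algid):
        return ("implicit", None)                      # parameters absent
    tag, params, _ = read_tlv(algid, pos)
    if tag == 0x06:                                    # namedCurve OID
        return ("named", NAMED_CURVES.get(params, "unknown OID"))
    if tag == 0x30:                                    # explicit ECParameters
        return ("explicit", None)
    if tag == 0x05:                                    # NULL: implicitlyCA
        return ("implicit", None)
    raise ValueError("unexpected ECParameters tag 0x%02x" % tag)

def der(tag, body):
    """Encode a short (< 128 byte) DER element; enough for the stubs below."""
    return bytes([tag, len(body)]) + body

# Constructed sample SPKIs: the BIT STRING is a placeholder, not a real point,
# and the "explicit" parameters are a one-element stub SEQUENCE.
EC_ALG = der(0x06, ID_EC_PUBLIC_KEY)
STUB_POINT = der(0x03, b"\x00\x04" + b"\x11" * 8)
SPKI_NAMED = der(0x30, der(0x30, EC_ALG + der(0x06, bytes.fromhex("2B81040022"))) + STUB_POINT)
SPKI_EXPLICIT = der(0x30, der(0x30, EC_ALG + der(0x30, der(0x02, b"\x01"))) + STUB_POINT)
```

With OpenSSL the same check is `openssl x509 -in rootCA.crt -noout -text`: a named curve prints as `ASN1 OID: secp384r1`, while explicit parameters print the full field, curve and generator values. An existing key can be re-encoded with `openssl ec -in rootCA.key -param_enc named_curve -out rootCA-named.key`, after which the certificates must be re-issued from it.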
