[squid-users] Problem with certificates and SSLBump
C. L. Martinez
carlopmart at gmail.com
Sat Jun 25 17:47:54 UTC 2016
On Sun 26.Jun'16 at 5:22:31 +1200, Amos Jeffries wrote:
> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
> > On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Use search.
> >>
> >> Some days agi I've played around with ECDSA certs and drop it due to
> >> extremal incompatibility with clients. Here was this thread.
> >>
> >>
> >
> > Is this the thread: http://marc.info/?l=squid-users&m=146625379320785&w=2?
> >
>
> Thats the one that came to my mind when reading your problem description.
>
> Here is the solution he found to the cert content error:
> <http://marc.info/?l=squid-users&m=146633146001650&w=2>
>
> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
> the problem Yuri has. But if you do we would certainly like to know that
> in the bug report.
>
> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
> sure how I missed that. I hope to have the time to look them over later
> today and see if some progress can finally happen on that bug.)
>
> Amos
>
Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used the following commands to create the Root CA:
openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions v3_ca -sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out ../certs/ec-ca.crt
And works without problems.
I have done another test: I have created a csr for squid's host without using ECDSA, using the following commands:
openssl genrsa -out server.key 4096
openssl req -nodes -key server.key -new -out server.csr
.. with the same result: fails.
Arrived to this I don't know if it could be a best solution to deploy another CA without ECDSA ...
--
Greetings,
C. L. Martinez
More information about the squid-users
mailing list