[squid-users] Problem with certificates and SSLBump

Yuri Voinov yvoinov at gmail.com
Sat Jun 25 18:04:41 UTC 2016


25.06.2016 23:47, C. L. Martinez пишет:
> On Sun 26.Jun'16 at  5:22:31 +1200, Amos Jeffries wrote:
>> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
>>> On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
>>>>
>>>> Use search.
>>>>
>>>> Some days ago I played around with ECDSA certs and dropped them due to
>>>> extreme incompatibility with clients. Here was this thread.
>>>>
>>>>
>>>
>>> Is this the thread: http://marc.info/?l=squid-users&m=146625379320785&w=2 ?
>>>
>>
>> That's the one that came to my mind when reading your problem description.
>>
>> Here is the solution he found to the cert content error:
>>  <http://marc.info/?l=squid-users&m=146633146001650&w=2>
>>
>> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
>> the problem Yuri has. But if you do we would certainly like to know that
>> in the bug report.
>>
>> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
>> sure how I missed that. I hope to have the time to look them over later
>> today and see if some progress can finally happen on that bug.)
>>
>> Amos
>>
>
> Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used
> the following commands to create the Root CA:
>
> openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
> openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions v3_ca -sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out ../certs/ec-ca.crt
>
>  And it works without problems.
>
>  I have done another test: I have created a CSR for squid's host
>  without using ECDSA, using the following commands:
>
> openssl genrsa -out server.key 4096
> openssl req -nodes -key server.key -new -out server.csr
>
>  ... with the same result: it fails.
I've tried something a bit different: a Root CA without ECDSA (RSA4096+SHA256)
and an intermediate CA with ECDSA, signed by the first root. This works on my
testing setups.
>
>
>
>  Having arrived at this, I don't know if the best solution would be to deploy
>  another CA without ECDSA ...
>
"Compatibility is more important than performance." (c)

Experience has shown that the compatibility of these certificates is
very questionable and that they are not supported by all possible clients,
without exception. That, in turn, leads to problems in support.
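The layout Yuri describes (RSA root, ECDSA intermediate signed by it), as an added shell example that is not from the thread: it builds both CAs with a self-contained config, then checks that the intermediate actually chains to the root. It assumes an `openssl` binary (1.1.1 or later) on PATH; all names and paths are placeholders.

```shell
# Constructed example: RSA-4096/SHA-256 root CA signing an ECDSA P-384
# intermediate CA, then verifying the chain. Not the poster's own commands.
set -e

# Minimal OpenSSL config so the extensions do not depend on the system openssl.cnf
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Build root.crt (RSA) and inter.crt (ECDSA, signed by the root) under directory $1
make_chain() {
    dir="$1"
    mkdir -p "$dir"
    write_config "$dir/ca.cnf"
    # Root CA: RSA 4096 key, SHA-256 self-signature, ten years
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:4096 -sha256 -nodes \
        -days 3652 -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Intermediate CA: secp384r1 key and CSR, signed by the RSA root
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/inter.key"
    openssl req -new -config "$dir/ca.cnf" -key "$dir/inter.key" \
        -subj "/CN=Example ECDSA Intermediate CA" -out "$dir/inter.csr"
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1826 -sha256 -extfile "$dir/ca.cnf" \
        -extensions v3_intermediate -out "$dir/inter.crt" 2>/dev/null
}

# Succeeds only if inter.crt chains to root.crt
verify_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/inter.crt" >/dev/null 2>&1
}

# Print the public key algorithm of a certificate (rsaEncryption / id-ecPublicKey)
key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}
```

Run `make_chain /tmp/ca && verify_chain /tmp/ca` to produce the pair; `key_algorithm` confirms which half of the chain is RSA and which is ECDSA.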
