[squid-users] Problem with certificates and SSLBump

Yuri Voinov yvoinov at gmail.com
Sat Jun 25 18:04:41 UTC 2016


25.06.2016 23:47, C. L. Martinez wrote:
> On Sun 26.Jun'16 at  5:22:31 +1200, Amos Jeffries wrote:
>> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
>>> On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
>>>> Use search.
>>>> Some days ago I played around with ECDSA certs and dropped them due to
>>>> extreme incompatibility with clients. Here was this thread.
>>> Is this the thread:
>> Thats the one that came to my mind when reading your problem description.
>> Here is the solution he found to the cert content error:
>>  <http://marc.info/?l=squid-users&m=146633146001650&w=2>
>> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
>> the problem Yuri has. But if you do we would certainly like to know that
>> in the bug report.
>> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
>> sure how I missed that. I hope to have the time to look them over later
>> today and see if some progress can finally happen on that bug.)
>> Amos
> Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used
> the following commands to create the Root CA:
> openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
> openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions v3_ca -sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out
>  And it works without problems.
>  I have done another test: I have created a CSR for squid's host
> without using ECDSA, using the following commands:
> openssl genrsa -out server.key 4096
> openssl req -nodes -key server.key -new -out server.csr
>  .. with the same result: it fails.
I've tried something a bit different: Root CA without ECDSA (RSA4096+SHA256),
intermediate CA with ECDSA, signed by that root. This works on my
testing setups.
>  Having arrived at this, I don't know whether the best solution would be to deploy
> another CA without ECDSA ...
"Compatibility is more important than performance." (c)

Experience has shown that the compatibility of these certificates is
very questionable: they are not supported by all possible clients
without exception. That, in turn, leads to problems in support.
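The split Yuri describes above (an RSA root that signs an ECDSA intermediate), as an added shell example that is not part of this thread and not Squid's or anyone's posted script. It builds the chain with the openssl CLI, adds an ECDSA leaf for the bumped host, and then checks that openssl validates the chain and that each certificate carries the key and signature algorithm you would expect. File names, subject names and the host name bumped.example.test are assumptions; nothing here depends on a distro openssl.cnf because the root is generated from an inline config.

```shell
#!/bin/sh
# Hybrid chain: RSA-4096/SHA-256 root -> ECDSA P-384 intermediate -> ECDSA P-256 leaf.
# Added example for the squid-users thread; not the poster's own script.
# All file names, subjects and the host name bumped.example.test are assumptions.

# Inline config for the self-signed root, so the result does not depend on
# whichever default openssl.cnf OpenSSL or LibreSSL happens to find.
write_root_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Example RSA Root CA
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
}

# write_ext KIND OUTFILE: extensions for a cert issued by a parent CA (KIND = ca | leaf)
write_ext() {
    if [ "$1" = ca ]; then
        cat > "$2" <<'EOF'
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    else
        cat > "$2" <<'EOF'
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:bumped.example.test
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    fi
}

# build_hybrid_chain DIR: writes root.{key,crt}, inter.{key,crt}, leaf.{key,crt} into DIR
build_hybrid_chain() {
    d="$1"; mkdir -p "$d" || return 1
    write_root_cnf "$d/root.cnf"
    write_ext ca   "$d/inter.ext"
    write_ext leaf "$d/leaf.ext"

    # 1. RSA-4096 root with a SHA-256 self-signature: the part every client understands
    openssl req -x509 -config "$d/root.cnf" -newkey rsa:4096 -nodes -sha256 \
        -days 3652 -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1

    # 2. ECDSA P-384 intermediate. Its own key is EC, but the signature on it
    #    is RSA/SHA-256 from the root, so the trust anchor side stays RSA.
    openssl ecparam -genkey -name secp384r1 -noout -out "$d/inter.key" 2>/dev/null || return 1
    openssl req -new -key "$d/inter.key" -sha384 -subj "/CN=Example ECDSA Intermediate CA" \
        -out "$d/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -sha256 -days 1826 -extfile "$d/inter.ext" \
        -out "$d/inter.crt" 2>/dev/null || return 1

    # 3. ECDSA P-256 leaf for the bumped host, signed by the EC intermediate
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/leaf.key" 2>/dev/null || return 1
    openssl req -new -key "$d/leaf.key" -sha256 -subj "/CN=bumped.example.test" \
        -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$d/leaf.ext" \
        -out "$d/leaf.crt" 2>/dev/null || return 1
}

# verify_chain DIR: exit 0 if the leaf validates up to the RSA root via the EC intermediate
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# key_algorithm CERT: prints the certificate's public key algorithm (rsaEncryption / id-ecPublicKey)
key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# sig_algorithm CERT: prints the algorithm the issuer used to sign the certificate
sig_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
```

Usage: `build_hybrid_chain /tmp/hybrid && verify_chain /tmp/hybrid && echo chain-ok`. Load root.crt plus inter.crt and inter.key into Squid as the signing CA, and distribute only root.crt to clients. A passing `openssl verify` proves the chain is well-formed for OpenSSL; it says nothing about the client-side ECDSA compatibility problems discussed in this thread, which still have to be checked against each client population you bump.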

