[squid-users] Problem with certificates and SSLBump

C. L. Martinez carlopmart at gmail.com
Sat Jun 25 17:47:54 UTC 2016


On Sun 26.Jun'16 at  5:22:31 +1200, Amos Jeffries wrote:
> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
> > On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
> >>
> >> Use search.
> >>
> >> Some days ago I played around with ECDSA certs and dropped them due to
> >> extreme incompatibility with clients. Here was this thread.
> >>
> >>
> > 
> > Is this the thread: http://marc.info/?l=squid-users&m=146625379320785&w=2?
> > 
> 
> That's the one that came to my mind when reading your problem description.
> 
> Here is the solution he found to the cert content error:
>  <http://marc.info/?l=squid-users&m=146633146001650&w=2>
> 
> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
> the problem Yuri has. But if you do we would certainly like to know that
> in the bug report.
> 
> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
> sure how I missed that. I hope to have the time to look them over later
> today and see if some progress can finally happen on that bug.)
> 
> Amos
> 

Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used the following commands to create the Root CA:

openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions v3_ca -sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out ../certs/ec-ca.crt

 And it works without problems.

 I have done another test: I have created a csr for squid's host without using ECDSA, using the following commands:

openssl genrsa -out server.key 4096
openssl req -nodes -key server.key -new -out server.csr

 ... with the same result: it fails.


 Having got this far, I don't know whether the best solution would be to deploy another CA without ECDSA ...

-- 
Greetings,
C. L. Martinez
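As an added example, not part of the thread, the following shell script rebuilds the setup described in the post (a secp384r1/SHA-512 root CA signing an RSA-4096 server CSR) in a scratch directory, adds the issuing step the post does not show, and then inspects what algorithms end up in the issued certificate. It assumes only the openssl(1) CLI (OpenSSL or LibreSSL); the file names and CNs are made up.

```shell
#!/bin/sh
# Added example (not from the thread): EC root CA signing an RSA server CSR.
# Assumes only the openssl(1) CLI; names below are constructed for the demo.
set -e

make_chain() {
    d=$(mktemp -d)
    # Minimal config so nothing depends on the system openssl.cnf;
    # v3_ca mirrors the "-extensions v3_ca" used in the original commands.
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Root CA: same curve, lifetime and digest as in the post.
    openssl ecparam -name secp384r1 -out "$d/ec-secp384r1.pem"
    openssl req -config "$d/openssl.cnf" -new -x509 -days 3652 -extensions v3_ca -sha512 \
        -newkey "ec:$d/ec-secp384r1.pem" -nodes -keyout "$d/ec-ca.key" \
        -out "$d/ec-ca.crt" -subj "/CN=Example EC Root CA" 2>/dev/null
    # Server key and CSR without ECDSA, as in the post's second test.
    openssl genrsa -out "$d/server.key" 4096 2>/dev/null
    openssl req -config "$d/openssl.cnf" -new -nodes -key "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=proxy.example.test"
    # The step the post does not show: issue the server cert from the EC CA.
    openssl x509 -req -days 365 -sha512 -in "$d/server.csr" -CA "$d/ec-ca.crt" \
        -CAkey "$d/ec-ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
    echo "$d"
}

# Algorithm of the signature on a certificate, e.g. ecdsa-with-SHA512.
leaf_sig_alg() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
# Algorithm of the public key inside the certificate, e.g. rsaEncryption.
leaf_key_alg() { openssl x509 -in "$1" -noout -text | awk '/Public Key Algorithm/ {print $4; exit}'; }
# Does the leaf chain to the CA? Exit status 0 means yes.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

dir=$(make_chain)
printf 'leaf key: %s\nleaf signature: %s\n' \
    "$(leaf_key_alg "$dir/server.crt")" "$(leaf_sig_alg "$dir/server.crt")"
verify_chain "$dir/ec-ca.crt" "$dir/server.crt" && echo "chain verifies against ec-ca.crt"
```

Note that the leaf's signature is still ECDSA even though its key is RSA: swapping only the server key changes nothing for a client that cannot validate ECDSA signatures, and a successful openssl verify on the server side does not exercise that client-side limitation.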

