I also use this patch and would like to know if it is possible to somehow go on without it.
Could it be due to the fact that squid caches the generated SSL certificates in the ssl_crtd store? So we need to clear the store when the root CA certificate for SSL bump is regenerated?
Raf
________________________________________
From: Amm <ammdispose-squid@yahoo.com>
Sent: Friday, April 11, 2014 1:38 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] sslbump - firefox sec_error_inadequate_key_usage
On Friday, 11 April 2014 4:46 PM, Amos wrote:
> On 11/04/2014 10:16 p.m., Amm wrote:
>> After this upgrade i.e. from 1.0.0 to 1.0.1, Firefox started giving
>> certificate error stating "sec_error_inadequate_key_usage".
>>
>> This does not happen for all domains but looks like happening ONLY
>> for google servers. i.e. youtube, news.google.com
>>
>> Certificate is issued for *.google.com with lots of alternate names.
>>
>> Is it Firefox bug or squid bug?
> Hard to say.
> "key_usage" is an explicit restriction on what circumstances and
> actions the certificate can be used for.
> What the message you are seeing indicates one of two things:
> Either, the website owner has placed some limitations on how their
> website certificate can be used and your SSL-bumping is violating those
> restrictions.
As I said, it's Google domains. You can check
https://news.google.com OR https://www.youtube.com
Both have the same certificate. *.google.com is primary and
youtube.com is one of the many alternate names.
It worked before I upgraded to OpenSSL 1.0.1.
The sslbump configuration was working till yesterday. Today
too it works for all other domains (Yahoo, Hotmail etc.).
In fact https://www.google.com also works, because it has a
specific certificate and not the same *.google.com certificate.
> Or, the creator of the certificate you are using to sign the generated
> SSL-bump certificates has restricted your signing certificate
> capabilities. (ie the main Trusted Authorities prohibit using certs they
> sign as secondary CA to generate fake certs like SSL-bump does).
> Either case is just as likely.
Did OpenSSL 1.0.0 not support key_usage? And hence squid did not
use it either?
I wonder why other Firefox+sslbump users are not complaining about this?
I see only few people complaining. That too was in November 2013.
I used the patch here:
http://www.squid-cache.org/mail-archive/squid-users/201311/att-0310/squid-3.3.9-remove-key-usage.patch
And it fixes the issue.
But I would prefer to do it without patch.
If I am the only one facing this, then what could be wrong?
Amm.
Received on Fri Apr 11 2014 - 11:49:11 MDT
This archive was generated by hypermail 2.2.0 : Fri Apr 11 2014 - 12:00:04 MDT
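An added illustration of the check behind this error, not from the thread and not squid or Firefox code. NSS reports sec_error_inadequate_key_usage when the server certificate carries an RFC 5280 keyUsage extension that does not permit what the TLS handshake needs: keyEncipherment for RSA key exchange (the client encrypts the premaster secret to the server key), digitalSignature when the server signs an ephemeral (EC)DHE exchange. An absent keyUsage extension imposes no restriction. The program below builds constructed certificates with Go's standard library: an origin with an ECDSA key and keyUsage = digitalSignature only, then three versions of a proxy-generated RSA-keyed certificate for the same name. The "mimic" case, where the generated certificate copies the origin's keyUsage, is an assumption about what the unpatched squid does (suggested by the patch name, not confirmed by the thread); the "none" case corresponds to dropping the extension as the patch does; "matched" sets bits that fit the proxy's own RSA key. The names origin.example, KeyExchange, adequateKeyUsage, newLeaf and Scenario are all invented here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// KeyExchange is the TLS key-exchange family negotiated between the
// browser and the bumping proxy (hypothetical type for this example).
type KeyExchange int

const (
	KxRSA   KeyExchange = iota // client encrypts premaster secret to the server RSA key
	KxECDHE                    // server key only signs the ServerKeyExchange message
)

var kxName = [...]string{"RSA", "ECDHE"}

var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// hasKeyUsageExt reports whether the certificate carries a keyUsage
// extension at all; RFC 5280 places no restriction when it is absent.
func hasKeyUsageExt(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			return true
		}
	}
	return false
}

// adequateKeyUsage mirrors the "inadequate key usage" check: RSA key
// exchange needs keyEncipherment, (EC)DHE needs digitalSignature.
func adequateKeyUsage(cert *x509.Certificate, kx KeyExchange) error {
	if !hasKeyUsageExt(cert) {
		return nil
	}
	need := x509.KeyUsageDigitalSignature
	if kx == KxRSA {
		need = x509.KeyUsageKeyEncipherment
	}
	if cert.KeyUsage&need == 0 {
		return fmt.Errorf("%s key exchange with %q: keyUsage 0x%x lacks required bit 0x%x",
			kxName[kx], cert.Subject.CommonName, cert.KeyUsage, need)
	}
	return nil
}

// newLeaf makes a self-signed server certificate for name. A zero ku
// omits the keyUsage extension entirely (Go emits none for zero).
func newLeaf(name string, key crypto.Signer, ku x509.KeyUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Scenario runs the three generated-certificate variants against both key
// exchanges; the map value is nil where the browser-side check would pass.
func Scenario() (map[string]error, error) {
	originKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed origin: ECDSA key, digitalSignature only (all an ECDHE-only server needs).
	origin, err := newLeaf("origin.example", originKey, x509.KeyUsageDigitalSignature)
	if err != nil {
		return nil, err
	}
	proxyKey, err := rsa.GenerateKey(rand.Reader, 2048) // the bumping proxy's RSA key
	if err != nil {
		return nil, err
	}
	variants := map[string]x509.KeyUsage{
		"mimic":   origin.KeyUsage, // assumed: copy the origin's bits onto an RSA key
		"none":    0,               // extension removed, as the patch does
		"matched": x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	res := map[string]error{}
	for label, ku := range variants {
		fake, err := newLeaf(origin.Subject.CommonName, proxyKey, ku)
		if err != nil {
			return nil, err
		}
		for kx := KxRSA; kx <= KxECDHE; kx++ {
			res[label+"/"+kxName[kx]] = adequateKeyUsage(fake, kx)
		}
	}
	return res, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"mimic/RSA", "mimic/ECDHE", "none/RSA", "matched/RSA"} {
		fmt.Printf("%-13s %v\n", k, res[k])
	}
}
```

Only the mimic/RSA combination fails: a digitalSignature-only keyUsage is fine for the origin's ECDHE handshake but not for an RSA key exchange to the proxy's RSA-keyed copy, which is why either dropping the extension or setting bits that match the generated key's actual use makes the error go away. To inspect a real generated certificate, compare the X509v3 Key Usage line of the origin and of the bumped leaf as the browser shows them.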