RE: [squid-users] sslbump - firefox sec_error_inadequate_key_usage

From: Rafael Akchurin <rafael.akchurin_at_diladele.com>
Date: Fri, 11 Apr 2014 11:49:00 +0000

I also use this patch and would like if it is possible to somehow go on without it.
May it be due to the fact squid caches the generated SSL certificates in the ssl_crtd store?
So we need to clear the store when root CA certificate for SSL bump is regenerated?

Raf
________________________________________
From: Amm <ammdispose-squid@yahoo.com>
Sent: Friday, April 11, 2014 1:38 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] sslbump - firefox sec_error_inadequate_key_usage

On Friday, 11 April 2014 4:46 PM, Amos wrote:

> On 11/04/2014 10:16 p.m., Amm wrote:
>> After this upgrade i.e. from 1.0.0 to 1.0.1, Firefox started giving
>> certificate error stating "sec_error_inadequate_key_usage".
>>
>> This does not happen for all domains but looks like happening ONLY
>> for google servers. i.e. youtube, news.google.com
>>
>> Certificate is issued for *.google.com with lots of alternate names.
>>
>> Is it Firefox bug or squid bug?

> Hard to say.
> "key_usage" is an explicit restriction on what circumstances and
> actions the certificate can be used for.
> What the message you are seeing indicates one of two things:
> Either, the website owner has placed some limitations on how their
> website certificate can be used and your SSL-bumping is violating those
> restrictions.

As I said, it's google domains. You can check https://news.google.com OR https://www.youtube.com
Both have same certificate. *.google.com is primary and youtube.com is one of the many alternate names.
It worked before I upgraded to OpenSSL 1.0.1. The sslbump configuration was working till yesterday. Today too it works for all other domains (Yahoo, hotmail etc.)
In fact https://www.google.com also works, because it has specific certificate and not same *.google.com certificate.

> Or, the creator of the certificate you are using to sign the generated
> SSL-bump certificates has restricted your signing certificate
> capabilities.
> (ie the main Trusted Authorities prohibit using certs they
> sign as secondary CA to generate fake certs like SSL-bump does).
> Either case is just as likely.

Did OpenSSL 1.0.0 not support key_usage? And hence squid did not use it either?
I wonder why other Firefox+sslbump users are not complaining about this? I see only few people complaining. That too was in November 2013.
I used the patch here:
http://www.squid-cache.org/mail-archive/squid-users/201311/att-0310/squid-3.3.9-remove-key-usage.patch
And it fixes the issue. But I would prefer to do it without patch.
If I am the only one facing this, then what could be wrong?

Amm.
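The two things Amos describes (a keyUsage restriction on the origin certificate that the bumped copy inherits, and a signing certificate that is itself not permitted to sign) and Rafael's suspicion about stale certificates in the ssl_crtd store can all be checked from the shell before patching Squid. The helpers below are an added example written for this thread, not code from Squid or from any poster. They assume only the `openssl` command-line tool (1.1.1 or later, for `-addext` in the fixture generator); the function names, the fixture certificates and the temporary directory are all constructed here for illustration.

```shell
#!/bin/sh
# Added diagnostic helpers (hypothetical, not from the squid-users thread).
# They read the X509v3 Key Usage / Extended Key Usage extensions that Firefox
# evaluates when it reports sec_error_inadequate_key_usage.

# Print the Key Usage line of a PEM certificate, or nothing if the extension is absent.
key_usage() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Print the Extended Key Usage line, or nothing if the extension is absent.
extended_key_usage() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# A certificate used to sign bumped certificates must either carry no keyUsage
# at all or include "Certificate Sign"; a leaf with digitalSignature only fails.
ca_can_sign() {
    ku=$(key_usage "$1")
    [ -z "$ku" ] && return 0
    case "$ku" in *"Certificate Sign"*) return 0 ;; esac
    return 1
}

# A server certificate that carries extendedKeyUsage must list serverAuth,
# otherwise browsers refuse it for HTTPS.
leaf_allows_server_auth() {
    eku=$(extended_key_usage "$1")
    [ -z "$eku" ] && return 0
    case "$eku" in *"TLS Web Server Authentication"*) return 0 ;; esac
    return 1
}

# Does a certificate chain to the given CA file? After regenerating the
# SSL-bump root, anything left in the ssl_crtd store by the old root fails here.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixtures for a self-test: a signing CA with keyCertSign, and a
# plain self-signed server certificate without it. Prints the directory used.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Bump CA" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=leaf.example" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.crt" >/dev/null 2>&1
    echo "$dir"
}
```

To use it against a real deployment, point `ca_can_sign` at the certificate named in Squid's `ssl_bump` configuration and `issued_by` at that CA plus any certificate pulled from the ssl_crtd store; a non-zero return from the second is the sign that the store predates the current root and should be cleared, which is the question Rafael raises above.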
Received on Fri Apr 11 2014 - 11:49:11 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 11 2014 - 12:00:04 MDT