Re: [squid-users] Certificate Validation problem due to Sha 256 message digest

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 07 Dec 2008 17:51:38 +1300

Raphael wrote:
> Hi All,
>
> I am testing Squid as a reverse proxy https checking access with a brand new
> OpenCA install.
> All is working pretty well except one problem that I cannot get rid of, I'm
> not really sure the problem is coming from Squid itself.
>
> Here it is : My certificates generated with the Certificate Authority are
> using Sha256 as message digest algorithm. I read that Sha1 will go until
> 2010 and then Sha256 will do the job. The CA certificate will expire in 2036
> so I think it is a good choice.
>
>
> When I check a client certificate together with my CA, OpenSSL (0.8.9i =
> latest) manages to verify it.
>
> openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
> /root/72571934AA.pem: OK
>
> When I use it as a CA in Squid (3.0 Stable 11 and older it is the same, as
> well as Debian stable and testing packages) there is a problem verifying the
> client certificate (which is valid) and the connection is rejected. The
> problem seems to come from the Sha256 message digest algorithm.
>
> I am trying to connect with a windows XP SP3 client that should handle
> Sha256 and IE or Firefox gives an error. Firefox says
> ssl_error_decrypt_error_alert.
> On the Squid side I always get the same error :
>
> SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
> clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
> 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
> algorithm (1/-1)

Have you checked that your Squid has been built against an OpenSSL
version which contains that particular algorithm decoder?

That error message is received from the SSL library as-is "0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown mesage digest algorithm"

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
Received on Sun Dec 07 2008 - 04:51:41 MST
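The check Amos suggests, written out as a small POSIX shell diagnostic. This is an added example, not code from the thread or from the Squid project: it reads the signature algorithm out of the client certificate, maps it to the digest name `openssl dgst` uses, shows which libcrypto the squid binary resolves at load time, and probes whether the openssl CLI can compute that digest. The paths in SQUID_BIN, CLIENT_CERT and OPENSSL_BIN are placeholders to be overridden from the environment.

```shell
#!/bin/sh
# Diagnose "unknown message digest algorithm" during client-cert verification:
# confirm that the libcrypto Squid actually loads knows the digest that signed
# the client certificate.  Added example; assumed inputs are placeholders.

# Print the algorithm named on the first "Signature Algorithm:" line of
# `openssl x509 -text` output read from stdin, e.g. sha256WithRSAEncryption.
sig_alg_from_x509_text() {
  sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Map an X.509 signature algorithm name to the digest name `openssl dgst` uses.
digest_of_sig_alg() {
  case "$1" in
    sha256WithRSAEncryption|ecdsa-with-SHA256) echo sha256 ;;
    sha384WithRSAEncryption|ecdsa-with-SHA384) echo sha384 ;;
    sha512WithRSAEncryption|ecdsa-with-SHA512) echo sha512 ;;
    sha1WithRSAEncryption|ecdsa-with-SHA1)     echo sha1 ;;
    md5WithRSAEncryption)                      echo md5 ;;
    *)                                         echo unknown ;;
  esac
}

# Path of the libcrypto a binary resolves at load time (via ldd); empty when
# the binary is statically linked or ldd is not available.
linked_libcrypto() {
  ldd "$1" 2>/dev/null | sed -n 's/.*libcrypto[^ ]* => *\([^ ]*\).*/\1/p' | head -n 1
}

# Exit status 0 if the openssl CLI in OPENSSL_BIN can compute digest "$1".
openssl_has_digest() {
  printf 'probe' | "${OPENSSL_BIN:-openssl}" dgst "-$1" >/dev/null 2>&1
}

diagnose() {
  squid_bin=${SQUID_BIN:-/usr/sbin/squid}          # placeholder path
  cert=${CLIENT_CERT:-/path/to/client-cert.pem}    # placeholder path
  ossl=${OPENSSL_BIN:-openssl}

  alg=$("$ossl" x509 -in "$cert" -noout -text | sig_alg_from_x509_text)
  dgst=$(digest_of_sig_alg "$alg")
  echo "certificate signature algorithm : ${alg:-not found} (digest: $dgst)"
  echo "libcrypto loaded by squid       : $(linked_libcrypto "$squid_bin")"
  echo "libcrypto loaded by openssl CLI : $(linked_libcrypto "$(command -v "$ossl")")"
  echo "openssl CLI version             : $("$ossl" version)"

  # The two libcrypto paths above should match; if Squid was built against a
  # different (older) OpenSSL, the CLI probe below says nothing about Squid.
  if openssl_has_digest "$dgst"; then
    echo "digest $dgst: supported by this libcrypto"
  else
    echo "digest $dgst: NOT supported; Squid must be rebuilt against an OpenSSL that has it"
  fi
  # The hex reason code from Squid's log can be decoded with the same library:
  #   openssl errstr 0D0C50A1
}

# Only run the live checks when asked, so the helper functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  diagnose
fi
```

Run it as `SQUID_BIN=/usr/sbin/squid CLIENT_CERT=/root/72571934AA.pem sh check.sh --run`. If the libcrypto paths for squid and the openssl CLI differ, point OPENSSL_BIN at the openssl binary that belongs to the library squid links, otherwise the digest probe answers for the wrong library.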
