[squid-users] TR: [Bulk] Re: TR: certificate verification with sha256 and squid

From: Raphael <jraph_at_jraph.com>
Date: Mon, 15 Dec 2008 12:28:23 +0100

Hello,

I am looking for a solution to a certificate checking failure from Squid to
filter access to a web server.

Here is what I got from the OpenSSL mailing list.

"Possibly it is calling SSL_library_init() which doesn't add a complete set of
digests. OpenSSL_add_all_algorithms() should be called as well."

I looked into the Squid 3 RC11 and didn't find any occurrences of
SSL_library_init. Would someone know how OpenSSL is called and loaded?

Thanks

Raphael

-----Original Message-----
From: owner-openssl-users_at_openssl.org
[mailto:owner-openssl-users_at_openssl.org] On behalf of Dr. Stephen Henson
Sent: Friday, 12 December 2008 16:39
To: openssl-users_at_openssl.org
Subject: [Bulk] Re: TR: certificate verification with sha256 and squid

On Fri, Dec 12, 2008, Raphael wrote:

> Hi all,
>
> I am setting up a CA and a reverse proxy https with Squid filtering access
> to the backend web site.
>
> I compiled from source OpenSSL 0.9.8i on the CA and Squid 2.7 (or 3)
> servers. I manage to verify the sha256 protected certificate on both
> computers using:
>
> openssl verify -CAfile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
>
> /root/72571934AA.pem: OK
>
> However when Squid checks client certificate it gives an error in log files:
>
> SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
>
> clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm (1/-1)
>
> So I think Squid doesn't understand the sha256 message digest so it cannot
> verify the certificate?

Possibly it is calling SSL_library_init() which doesn't add a complete set of
digests. OpenSSL_add_all_algorithms() should be called as well.

Steve.

--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
Received on Mon Dec 15 2008 - 11:28:43 MST
