Re: [squid-users] TR: [Bulk] Re: TR: certificate verification with sha256 and squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Dec 2008 01:22:38 +1300

NP: This is a developer question. diverting the converation to squid-dev
mailing list.

Raphael wrote:
> Hello,
>
> I am looking for a solution to a certificate checking failure from Squid to
> filter access to a web server.
>
> Here is what I got from the Openssl mailing list.
>
> "Possibly it is calling SSL_library_init() which doesn't add a complete set
> of
> digests. OpenSSL_add_all_algorithms() should be called as well."
>
> I looked into the Squid 3 RC11 and didn't find any occurrences of
> SSL_library_init. Would someone know how Openssl is called and loaded ?

The code should be in src/ssl_support.*
function: ssl_initialize(void)

The init code is pretty much:
   SSL_load_error_strings();
   SSLeay_add_ssl_algorithms();

and also in functions sslCreateServerContext and sslCreateClientContext

>
> Thanks
>
> Raphael
>
> -----Message d'origine-----
> De : owner-openssl-users_at_openssl.org
> [mailto:owner-openssl-users_at_openssl.org] De la part de Dr. Stephen Henson
> Envoyé : vendredi 12 décembre 2008 16:39
> À : openssl-users_at_openssl.org
> Objet : [Bulk] Re: TR: certificate verification with sha256 and squid
>
> On Fri, Dec 12, 2008, Raphael wrote:
>
>> Hi all,
>>
>>
>>
>> I am setting up a CA and a reverse proxy https with Squid filtering access
>> to the backend web site.
>>
>> I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3)
>> servers. I manage to verify the sha256 protected certificate on both
>> computers using :
>>
>>
>>
>> openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose
> /root/72571934AA.pem
>> /root/72571934AA.pem: OK
>>
>>
>>
>> However when Squid checks client certificate it gives an error in log
> files
>> :
>>
>>
>>
>> SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
>>
>> clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
>>
>> 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
>>
>> algorithm (1/-1)
>>
>>
>>
>> So I think Squid doesn't understand the sha256 message digest so it cannot
>> verify the certificate ?
>>
>>
>
> Possibly it is calling SSL_library_init() which doesn't add a complete set
> of
> digests. OpenSSL_add_all_algorithms() should be called as well.
>
> Steve.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
Received on Mon Dec 15 2008 - 12:22:41 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 15 2008 - 12:00:01 MST