On 11/04/2014 10:16 p.m., Amm wrote:
> Hello,
>
> Yesterday I upgraded OpenSSL version. (Although I was using OpenSSL 1.0.0 - not affected by Heartbleed, but I upgraded nonetheless)
>
>
> I am using sslbump (squid 3.4.4). Using Firefox 28.0 (latest 64bit tar.bz2)
>
> After this upgrade i.e. from 1.0.0 to 1.0.1, Firefox started giving certificate error stating "sec_error_inadequate_key_usage".
>
> This does not happen for all domains but it looks like it is happening ONLY for Google servers, i.e. youtube, news.google.com
>
> Certificate is issued for *.google.com with lots of alternate names.
>
> I also recompiled squid (with new OpenSSL) just to be sure.
>
> I also cleared certificate store.
>
> But error still occurs.
>
>
> Google search gave me a patch for this for 3.3.9. But just wanted to make sure if there is any other way to resolve this issue? (Like some squid configuration directive)
>
> So please let me know, if patch is the only way OR this has been resolved?
>
> Is it Firefox bug or squid bug?
>
Hard to say.
Is software correctly verifying and rejecting invalid SSL certificates a
bug?
"key_usage" is an explicit restriction on what circumstances and actions
the certificate can be used for.
The message you are seeing indicates one of two things:
Either the website owner has placed some limitations on how their
website certificate can be used and your SSL-bumping is violating those
restrictions.
Or the creator of the certificate you are using to sign the generated
SSL-bump certificates has restricted your signing certificate
capabilities. (i.e. the main Trusted Authorities prohibit using certs they
sign as secondary CA to generate fake certs like SSL-bump does).
Either case is just as likely.
Amos
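As an added illustration of the two causes named above (not code from this thread or from Squid), the following constructed script builds a throwaway signing CA and a leaf certificate with OpenSSL 1.1.1 or later (it relies on `openssl x509 -ext`) and checks the keyUsage, extendedKeyUsage and basicConstraints extensions a browser consults before reporting sec_error_inadequate_key_usage. The same two checks can be pointed at a real bump signing certificate and at one of the certificates it generated.

```shell
# Constructed example: throwaway CA + leaf cert, then inspect the
# extensions behind sec_error_inadequate_key_usage. Needs OpenSSL 1.1.1+.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so results do not depend on the system openssl.cnf.
cat > "$WORK/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-example
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Print keyUsage, extendedKeyUsage and basicConstraints of a PEM certificate.
cert_usage() {
  openssl x509 -in "$1" -noout -ext keyUsage,extendedKeyUsage,basicConstraints
}

# 0 if the cert may sign other certs: CA:TRUE plus keyCertSign. A bump
# signing cert that fails this is the "restricted signing certificate" case.
can_sign_certs() {
  u=$(cert_usage "$1")
  case "$u" in *"CA:TRUE"*) ;; *) return 1 ;; esac
  case "$u" in *"Certificate Sign"*) return 0 ;; *) return 1 ;; esac
}

# 0 if the cert may be presented by a TLS server (EKU serverAuth); a
# generated bump cert missing this trips the browser's key-usage check.
server_auth_ok() {
  case "$(cert_usage "$1")" in
    *"TLS Web Server Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

gen() { # gen <extension section> <output basename>
  openssl req -x509 -config "$WORK/cnf" -extensions "$1" -days 1 \
    -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}
gen ca_ext ca      # a proper signing CA
gen leaf_ext leaf  # a server cert: fine for TLS, not allowed to sign certs
```

Run `cert_usage` against the Squid signing certificate and against a certificate Squid generated for a failing site to see which of the two extensions is missing.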
Received on Fri Apr 11 2014 - 11:16:36 MDT
This archive was generated by hypermail 2.2.0 : Fri Apr 11 2014 - 12:00:04 MDT