Hello Jason,
I did even rebuild my stock CentOS 7 Squid to see the error was not gone, silly me thanks a lot!
Raf
-----Original Message-----
From: Jason Haar [mailto:Jason_Haar_at_trimble.com]
Sent: Saturday, August 30, 2014 11:38 PM
To: squid-users_at_squid-cache.org
Subject: [squid-users] squid-3.4.7 may fix sec_error_extension_value_invalid error, but that's not enough
On 28/08/14 04:43, Amos Jeffries wrote:
>
> * Various SSL-bump certificate mimic errors
>
> These bugs show up most notably for users of Firefox complaining about
> a sec_error_inadequate_key_usage error. They are caused by Squid
> generating a fake certificate with the wrong X.509 version details for
> the TLS extensions being mimiced in that certificate.
>
Hi there, I've just upgraded from 3.4.6 to 3.4.7 and at first it didn't seem to have fixed the sslbump problem
eg this link still generates the "sec_error_extension_value_invalid" error
So I was about to put in a bug report when I realised something: I'd still have the pre-existing "corrupt" Squid-generated cert in the cache! So I manually deleted all boxcdn.net certs I had, restarted squid and it's all fixed ;-)
Just thought I'd share that - I probably won't be the only one who gets that wrong ;-)
Other than wiping out the entire cert cache, is there any "openssl x509 ..." command I could run to hunt down all similar broken certs - so I only delete them?
Thanks!
-- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1Received on Sat Aug 30 2014 - 22:31:38 MDT
This archive was generated by hypermail 2.2.0 : Sun Aug 31 2014 - 12:00:06 MDT