Hi All,

I am testing Squid as a reverse proxy https checking access with a brand new OpenCA install. All is working pretty well except one problem that I cannot get rid of; I'm not really sure the problem is coming from Squid itself. Here it is:

My certificates generated with the Certificate Authority are using Sha256 as message digest algorithm. I read that Sha1 will go until 2010 and then Sha256 will do the job. The CA certificate will expire in 2036 so I think it is a good choice.

When I check a client certificate together with my CA, OpenSSL (0.8.9i = latest) manages to verify it.

    openssl verify -CAfile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
    /root/72571934AA.pem: OK

When I use it as a CA in Squid (3.0 Stable 11 and older it is the same, as well as Debian stable and testing packages) there is a problem verifying the client certificate (which is valid) and the connection is rejected. The problem seems to come from the Sha256 message digest algorithm.

I am trying to connect with a Windows XP SP3 client that should handle Sha256, and IE or Firefox gives an error. Firefox says ssl_error_decrypt_error_alert.

On the Squid side I always get the same error:

    SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
    clientNegotiateSSL: Error negotiating SSL connection on FD 11:error : 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest algorithm (1/-1)

I also tried with a Knoppix 5.3 DVD client with Iceweasel (Firefox); the error remains the same.

Here is my squid.conf file:

    visible_hostname xxxx.fr
    https_port 192.168.200.10:443 cert=/root/CertificatSitexxxx/cat.pem defaultsite=cat.xxxx.fr vhost clientca=/root/CAxxxx/cacert.pem
    https_port 192.168.200.12:443 cert=/root/CertificatSitexxxx/cmd.pem defaultsite=cat.xxxx.fr vhost clientca=/root/CAxxxx/cacert.pem
    icp_port 0
    htcp_port 0
    cache_peer 10.10.10.11 parent 80 0 no-query originserver name=cat.xxxx.fr login=PASS
    cache_peer 10.10.10.12 parent 80 0 no-query originserver name=cmd.xxxx.fr login=PASS
    acl catalogue dstdomain cat.xxxx.fr
    acl commande dstdomain cmd.xxxx.fr
    cache_peer_access cat.xxxx.fr allow catalogue
    cache_peer_access cmd.xxxx.fr allow commande
    acl web port 443
    http_access allow web
    acl webserver dst 10.10.10.11 10.10.10.12
    http_access allow webserver
    cache_effective_user www-data
    hierarchy_stoplist cgi-bin \?
    cache deny QUERY
    acl apache rep_header Server ^Apache
    cache_dir ufs /var/spool/squid 100 16 256
    access_log /var/log/squid/access.log squid
    miss_access allow all
    http_reply_access allow all
    icp_reply_access allow all
    cache_effective_group proxy
    coredump_dir /var/spool/squid

I tried the prepackaged OpenSSL and Squid, then I recompiled the source packages and then I recompiled them myself, and the error is still there.

Would somebody have any hint? I don't know where to search now!

Thanks

Raphaël
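
An added example, not part of the original message: a small Python triage helper that decodes the two Squid log lines quoted above, so the verify error number and the packed OpenSSL error code can be read separately. It assumes the pre-3.0 OpenSSL packed error layout (8-bit library, 12-bit function, 12-bit reason); `triage` and `unpack_err` are hypothetical names, and the lookup tables are small subsets of OpenSSL's `X509_V_ERR_*` and `ERR_LIB_*` constants.

```python
import re

# X509_V_ERR_* numbers from OpenSSL's x509_vfy.h (subset).
X509_V_ERR = {
    2: "UNABLE_TO_GET_ISSUER_CERT",
    7: "CERT_SIGNATURE_FAILURE",
    9: "CERT_NOT_YET_VALID",
    10: "CERT_HAS_EXPIRED",
    18: "DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "SELF_SIGNED_CERT_IN_CHAIN",
    20: "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
ERR_LIB = {11: "X509", 13: "ASN1", 20: "SSL"}  # ERR_LIB_* numbers (subset)

# The two cache.log lines quoted in the post, copied as posted.
SAMPLE_LOG = """\
SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
clientNegotiateSSL: Error negotiating SSL connection on FD 11:error : 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest algorithm (1/-1)
"""

VERIFY_RE = re.compile(r"certificate error (\d+) in (\S+)")
ERRQ_RE = re.compile(r"error\s*:\s*([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)\s*\(")

def unpack_err(code):
    """Split a pre-3.0 packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Return one dict per recognised log line, decoded for a human reader."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:  # certificate verification result reported by Squid
            n = int(m.group(1))
            findings.append({"kind": "verify", "code": n, "subject": m.group(2),
                             "name": X509_V_ERR.get(n, "UNKNOWN")})
            continue
        m = ERRQ_RE.search(line)
        if m:  # entry from the OpenSSL error queue
            lib, func, reason = unpack_err(int(m.group(1), 16))
            findings.append({"kind": "errqueue", "lib": ERR_LIB.get(lib, str(lib)),
                             "func": func, "reason": reason,
                             "where": m.group(3), "text": m.group(4)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Verify error 7 is a signature-check failure on the certificate, and the queued ASN1 entry says the digest named in the certificate was not known to the process doing the verification.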