Raphael wrote:
Hi All,
I am testing Squid as a reverse proxy (HTTPS), checking access with a brand new
OpenCA install.
All is working pretty well except for one problem that I cannot get rid of; I'm
not really sure the problem is coming from Squid itself.
Here it is: my certificates generated with the Certificate Authority use
SHA-256 as the message digest algorithm. I read that SHA-1 will go until
2010 and then SHA-256 will do the job. The CA certificate will expire in 2036,
so I think it is a good choice.
When I check a client certificate together with my CA, OpenSSL (0.8.9i =
latest) manages to verify it.
openssl verify -CAfile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
/root/72571934AA.pem: OK
When I use it as a CA in Squid (3.0.STABLE11; older versions are the same, as
well as the Debian stable and testing packages) there is a problem verifying the
client certificate (which is valid) and the connection is rejected. The
problem seems to come from the SHA-256 message digest algorithm.
I am trying to connect with a Windows XP SP3 client that should handle
SHA-256, and IE or Firefox gives an error. Firefox says
ssl_error_decrypt_error_alert.
On the Squid side I always get the same error:
SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest algorithm (1/-1)

Have you checked that your Squid has been built against an OpenSSL
version which contains that particular algorithm decoder?
That error message is received from the SSL library as-is: "0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest algorithm"
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
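A shell script for the check Amos is asking about, added here as an example; it is not from the thread, from Squid, or from OpenCA. It lists the libssl/libcrypto that the installed squid binary actually loads, parses the signature algorithm out of `openssl x509 -text` output, and probes whether the library can compute that digest. The function names, the constructed sample certificate text and the assumption that SHA-2 digests first shipped with the OpenSSL 0.9.8 series are mine, not the thread's:

```shell
#!/bin/sh
# Added example, not part of the thread. Checks what Amos's question implies:
# which OpenSSL library the squid binary links against, and whether that library
# knows the digest a client certificate is signed with.
# Assumptions (not from the thread): SHA-2 digests first shipped in the OpenSSL
# 0.9.8 series, and `openssl dgst -<name>` fails for a digest the library lacks.

# Print the signature algorithm name from `openssl x509 -noout -text` output.
sig_alg_of() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1
}

# Map a signature algorithm name to the digest it requires.
digest_of() {
    case "$1" in
        sha256WithRSAEncryption|ecdsa-with-SHA256) echo sha256 ;;
        sha1WithRSAEncryption|ecdsa-with-SHA1)     echo sha1 ;;
        md5WithRSAEncryption)                      echo md5 ;;
        *)                                         echo unknown ;;
    esac
}

# Exit 0 if an `openssl version` string is 0.9.8 or newer (assumed SHA-2 cutoff),
# 1 if older, 2 if the string could not be parsed as "OpenSSL x.y.z".
version_has_sha2() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v
    if [ "$1" -gt 0 ] || [ "$2" -gt 9 ] || { [ "$2" -eq 9 ] && [ "$3" -ge 8 ]; }; then
        return 0
    fi
    return 1
}

# Exit 0 if the given openssl binary can compute the named digest.
lib_knows_digest() {
    printf 'probe' | "$1" dgst "-$2" >/dev/null 2>&1
}

# Constructed sample of `openssl x509 -text` output, so the parsing can be
# exercised without a real certificate on disk.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, O=xxxx, OU=Users, CN=Example CA (constructed)
    Signature Algorithm: sha256WithRSAEncryption'

# Report on a real certificate file using a given openssl binary.
check_cert_file() {
    cert=$1; bin=${2:-openssl}
    text=$("$bin" x509 -in "$cert" -noout -text) || return 1
    alg=$(sig_alg_of "$text")
    dgst=$(digest_of "$alg")
    printf 'certificate %s: signed with %s (needs %s)\n' "$cert" "$alg" "$dgst"
    if lib_knows_digest "$bin" "$dgst"; then
        echo "  $bin can compute $dgst"
    else
        echo "  $bin does NOT know $dgst; a squid linked to this library cannot verify it"
    fi
}

# Which OpenSSL does the installed squid load at run time?
if command -v squid >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    echo "OpenSSL libraries loaded by squid:"
    ldd "$(command -v squid)" | grep -E 'libssl|libcrypto' \
        || echo "  (none listed; statically linked or ldd gave no output)"
fi
if command -v openssl >/dev/null 2>&1; then
    ver=$(openssl version)
    if version_has_sha2 "$ver"; then
        echo "$ver: SHA-2 digests expected"
    else
        echo "$ver: SHA-2 digests not expected"
    fi
fi
# Pass a PEM path as the first argument to check a real client certificate.
if [ -n "${1:-}" ]; then
    check_cert_file "$1"
fi
```

If `ldd` shows squid loading a libcrypto that is older, or different, from the one the `openssl` command on the path uses, that explains why the command-line verify succeeds while Squid fails. Comparing the `openssl` binary used for `openssl verify` with the library squid links is the point of the check; the digest table inside a process also depends on how the application registers algorithms at startup, so a library that has SHA-256 is necessary but not sufficient.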