Hi All,

I use Openssl 0.9.8i which manages to check the certificate. I am also able to get the sha256 digest of a file:

openssl dgst -sha256 /root/openssl-0.9.8i.tar.gz

is working and giving me the message digest. But I'm not sure, as when I list the digest algorithms I have:

openssl list-message-digest-commands
md2 md4 md5 rmd160 sha sha1

The same command on the certificate authority gives the same entries. And the machine manages to generate certificates with sha256 message digest algorithms.

To configure Squid 3 stable 11 RC1 (and other versions) I used:

./configure --bindir=/bin --sbindir=/sbin --enable-ssl --with-openssl=/root/openssl-0.9.8i

with the sources of Openssl (that I compiled) being in /root/openssl-0.9.8i. The configuration and compilation didn't generate any errors.

When I do openssl speed, in all the tests there is a sha256 calculation.

I am posting another message on the Openssl mailing list to see if I miss something; I will post here any information.

Thanks
Raphaël

-----Original message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Sunday 7 December 2008 05:52
To: Raphael
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: [Bulk] Re: Certificate Validation problem due to Sha 256 message digest

Raphael wrote:
> Hi All,
>
> I am testing Squid as a reverse proxy https checking access with a brand new OpenCA install.
> All is working pretty well except one problem that I cannot get rid of; I'm not really sure the problem is coming from Squid itself.
>
> Here it is: My certificates generated with the Certificate Authority are using Sha256 as the message digest algorithm. I read that Sha1 will go until 2010 and then Sha256 will do the job. The CA certificate will expire in 2036, so I think it is a good choice.
>
> When I check a client certificate together with my CA, Openssl (0.8.9i = latest) manages to verify it.
>
> openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
> /root/72571934AA.pem: OK
>
> When I use it as a CA in Squid (3.0 Stable 11 and older it is the same, as well as Debian stable and testing packages) there is a problem verifying the client certificate (which is valid) and the connection is rejected. The problem seems to come from the Sha256 message digest algorithm.
>
> I am trying to connect with a Windows XP SP3 client that should handle Sha256, and IE or Firefox gives an error. Firefox says ssl_error_decrypt_error_alert.
> On the Squid side I always get the same error:
>
> SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
> clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
> 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
> algorithm (1/-1)

Have you checked that your Squid has been built against an OpenSSL version which contains that particular algorithm decoder?

That error message is received from the SSL library as-is:
"0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest algorithm"

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
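The check Amos asks for, worked through as an added example (not code from either poster, nor from Squid or OpenSSL). Two things the thread circles around: `openssl list-message-digest-commands` only prints the names usable as standalone `openssl <name>` subcommands, so `sha256` being absent there says nothing, while `openssl dgst -sha256` succeeding already proves the libcrypto build has SHA-256; and with OpenSSL 0.9.8, `SSL_library_init()` registers only the digests TLS itself needs, so an application must call `OpenSSL_add_all_algorithms()` (or `OpenSSL_add_all_digests()`) before X.509 verification of a SHA-256-signed certificate can succeed, which is exactly the "unknown message digest algorithm" failure from `ASN1_item_verify`. The script below makes the check explicit: it walks a certificate's DER far enough to read the outer `signatureAlgorithm` OID (the one `X509_verify()` uses), maps it to the digest name, and reports whether that digest is in the set the verifying process knows. The OID-to-digest table is from RFC 3279/4055; the sample certificate is a constructed DER skeleton, not a real signed certificate, and the digest list `md2 md4 md5 rmd160 sha sha1` is the one quoted in the post.

```python
"""Which digest does a certificate's signature need, and does the verifying
software know it?  Pure-Python DER walk, no OpenSSL binding required."""
import base64
import hashlib

# Signature-algorithm OIDs (RFC 3279 / RFC 4055) mapped to the digest they use.
SIG_OID_TO_DIGEST = {
    "1.2.840.113549.1.1.4":  "md5",     # md5WithRSAEncryption
    "1.2.840.113549.1.1.5":  "sha1",    # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the OID of the outer signatureAlgorithm, the one X509_verify() checks."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier
    tag_oid, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)


def pem_to_der(text):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = [s for s in (l.strip() for l in text.splitlines()) if s and not s.startswith("-----")]
    return base64.b64decode("".join(body))


def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def verifier_can_hash(der, digests_known_to_verifier):
    """(digest_name, ok): is the digest the signature needs one the verifying
    process has registered?  An unmapped OID is returned as-is with ok=False."""
    oid = signature_oid(der)
    digest = SIG_OID_TO_DIGEST.get(oid, oid)
    return digest, digest in digests_known_to_verifier


def local_digests():
    """Digests this interpreter's hashlib (usually backed by libcrypto) offers."""
    return hashlib.algorithms_available


# ---- constructed sample data: a DER skeleton, NOT a real signed certificate ----

def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid):
    """tbsCertificate holds only a serial number; the signature is dummy bytes."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")   # OID + NULL parameters
    sig = tlv(0x03, b"\x00" + b"\xAA" * 16)                           # BIT STRING, 0 unused bits
    return tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    commands_only = ["md2", "md4", "md5", "rmd160", "sha", "sha1"]   # list quoted in the post
    cert = make_sample_cert("1.2.840.113549.1.1.11")                  # sha256WithRSAEncryption
    print(verifier_can_hash(cert, commands_only))   # ('sha256', False)
    print(verifier_can_hash(cert, local_digests()))
```

To run it against a real certificate, replace `make_sample_cert(...)` with `pem_to_der(open("client.pem").read())`; the first result is what a verifier that has only the six listed digests registered would conclude, the second what this machine's libcrypto can actually do. If the two disagree, the certificate is fine and the gap is in the verifying application's initialisation or in which libcrypto it is linked against (`ldd` on the squid binary shows the latter).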