Hello,

I am looking for a solution to a certificate checking failure from Squid to filter access to a web server.

Here is what I got from the OpenSSL mailing list:

"Possibly it is calling SSL_library_init() which doesn't add a complete set of digests. OpenSSL_add_all_algorithms() should be called as well."

I looked into the Squid 3 RC11 and didn't find any occurrences of SSL_library_init.

Would someone know how OpenSSL is called and loaded?

Thanks
Raphael

-----Original Message-----
From: owner-openssl-users@xxxxxxxxxxx [mailto:owner-openssl-users@xxxxxxxxxxx] On behalf of Dr. Stephen Henson
Sent: Friday, 12 December 2008 16:39
To: openssl-users@xxxxxxxxxxx
Subject: [Bulk] Re: TR: certificate verification with sha256 and squid

On Fri, Dec 12, 2008, Raphael wrote:

> Hi all,
>
> I am setting up a CA and a reverse proxy https with Squid filtering access
> to the backend web site.
>
> I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3)
> servers. I manage to verify the sha256 protected certificate on both
> computers using:
>
> openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
>
> /root/72571934AA.pem: OK
>
> However when Squid checks client certificate it gives an error in log files:
>
> SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
>
> clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
>
> 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
>
> algorithm (1/-1)
>
> So I think Squid doesn't understand the sha256 message digest so it cannot
> verify the certificate?

Possibly it is calling SSL_library_init() which doesn't add a complete set of
digests. OpenSSL_add_all_algorithms() should be called as well.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk