Re: TR: [Bulk] Re: TR: certificate verification with sha256 and squid

NP: This is a developer question. Diverting the conversation to squid-dev mailing list.

Raphael wrote:
Hello,

I am looking for a solution to a certificate checking failure from Squid to
filter access to a web server.
Here is what I got from the Openssl mailing list.

"Possibly it is calling SSL_library_init() which doesn't add a complete set of
digests. OpenSSL_add_all_algorithms() should be called as well."

I looked into the Squid 3 RC11 and didn't find any occurrences of
SSL_library_init. Would someone know how Openssl is called and loaded ?

The code should be in  src/ssl_support.*
function:  ssl_initialize(void)

The init code is pretty much:
  SSL_load_error_strings();
  SSLeay_add_ssl_algorithms();

and also in functions sslCreateServerContext and sslCreateClientContext


Thanks

Raphael

-----Original Message-----
From: owner-openssl-users@xxxxxxxxxxx
[mailto:owner-openssl-users@xxxxxxxxxxx] On behalf of Dr. Stephen Henson
Sent: Friday, December 12, 2008 16:39
To: openssl-users@xxxxxxxxxxx
Subject: [Bulk] Re: TR: certificate verification with sha256 and squid

On Fri, Dec 12, 2008, Raphael wrote:

Hi all,

I am setting up a CA and a reverse proxy https with Squid filtering access
to the backend web site.

I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3)
servers. I manage to verify the sha256 protected certificate on both
computers using :

openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
/root/72571934AA.pem: OK

However when Squid checks client certificate it gives an error in log
files:

SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
algorithm (1/-1)

So I think Squid doesn't understand the sha256 message digest so it cannot
verify the certificate ?



Possibly it is calling SSL_library_init() which doesn't add a complete set of
digests. OpenSSL_add_all_algorithms() should be called as well.

Steve.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
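
Added example, not part of the original posts and not Squid or OpenSSL code: a small C parser for the error string in the log quoted above, showing how to tell "the verifier lacks the digest" apart from a certificate that was actually rejected. It assumes the 8/12/12-bit library/function/reason packing that OpenSSL 0.9.8 used for error codes; the struct and function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIB_ASN1 13 /* ERR_LIB_ASN1 in OpenSSL's err.h */

struct ossl_err {
    unsigned lib, func, reason; /* unpacked from the 32-bit code */
    char reason_text[96];       /* last colon-separated field */
};

/* Parse "XXXXXXXX:library:function:reason text". Returns 0 on success, -1 otherwise. */
int parse_ossl_err(const char *line, struct ossl_err *out)
{
    /* Require exactly eight hex digits followed by ':' (assumed 0.9.8 format). */
    if (strspn(line, "0123456789abcdefABCDEF") != 8 || line[8] != ':')
        return -1;
    unsigned long code = strtoul(line, NULL, 16);
    out->lib    = (code >> 24) & 0xff;  /* what ERR_GET_LIB extracts */
    out->func   = (code >> 12) & 0xfff; /* what ERR_GET_FUNC extracts */
    out->reason = code & 0xfff;         /* what ERR_GET_REASON extracts */
    const char *last = strrchr(line, ':'); /* non-NULL: line[8] is ':' */
    snprintf(out->reason_text, sizeof out->reason_text, "%s", last + 1);
    return 0;
}

/* 1 when the ASN.1 layer could not find the signature digest, which means
 * the signature was never checked, not that the certificate is bad. */
int is_missing_digest(const struct ossl_err *e)
{
    return e->lib == LIB_ASN1 && strstr(e->reason_text, "digest") != NULL;
}

int main(void)
{
    /* Constructed: the error fields from the log above joined on one line. */
    const char *line = "0D0C50A1:asn1 encoding routines:ASN1_item_verify:"
                       "unknown mesage digest algorithm";
    struct ossl_err e;
    if (parse_ossl_err(line, &e) != 0)
        return 1;
    printf("lib=%u func=%u reason=%u missing_digest=%d\n",
           e.lib, e.func, e.reason, is_missing_digest(&e));
    return 0;
}
```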
