Hello again,

In case it helps, I managed to make the reverse proxy check and allow access to the web site with the reverse proxy Pound (which does not cache anything).

I made another CA to test with sha256 and 2048-bit certificates, and the error is still the same with Squid.

Regards
Raphael

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday 15 December 2008 13:23
To: Raphael; Squid Developers
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: [Bulk] Re: TR: [Bulk] Re: TR: certificate verification with sha256 and squid

NP: This is a developer question. Diverting the conversation to the squid-dev mailing list.

Raphael wrote:
> Hello,
>
> I am looking for a solution to a certificate checking failure from Squid to
> filter access to a web server.
>
> Here is what I got from the OpenSSL mailing list.
>
> "Possibly it is calling SSL_library_init() which doesn't add a complete set
> of digests. OpenSSL_add_all_algorithms() should be called as well."
>
> I looked into Squid 3 RC11 and didn't find any occurrences of
> SSL_library_init. Would someone know how OpenSSL is called and loaded?

The code should be in src/ssl_support.*, function:

  ssl_initialize(void)

The init code is pretty much:

  SSL_load_error_strings();
  SSLeay_add_ssl_algorithms();

and also in the functions sslCreateServerContext and sslCreateClientContext.

>
> Thanks
>
> Raphael
>
> -----Original Message-----
> From: owner-openssl-users@xxxxxxxxxxx
> [mailto:owner-openssl-users@xxxxxxxxxxx] On behalf of Dr. Stephen Henson
> Sent: Friday 12 December 2008 16:39
> To: openssl-users@xxxxxxxxxxx
> Subject: [Bulk] Re: TR: certificate verification with sha256 and squid
>
> On Fri, Dec 12, 2008, Raphael wrote:
>
>> Hi all,
>>
>> I am setting up a CA and a reverse proxy https with Squid filtering access
>> to the backend web site.
>>
>> I compiled from source OpenSSL 0.9.8i on the CA and Squid 2.7 (or 3)
>> servers. I managed to verify the sha256 protected certificate on both
>> computers using:
>>
>> openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose
>> /root/72571934AA.pem
>> /root/72571934AA.pem: OK
>>
>> However when Squid checks the client certificate it gives an error in the log
>> files:
>>
>> SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
>> clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
>> 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
>> algorithm (1/-1)
>>
>> So I think Squid doesn't understand the sha256 message digest so it cannot
>> verify the certificate?
>>
>
> Possibly it is calling SSL_library_init() which doesn't add a complete set
> of digests. OpenSSL_add_all_algorithms() should be called as well.
>
> Steve.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
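The thread turns on one diagnostic: the `openssl` command-line tool verifies the sha256-signed certificate, while Squid rejects the same certificate with "unknown message digest algorithm". The CLI loads every digest via OpenSSL_add_all_algorithms(), so it is a useful reference verifier for separating a bad certificate from an application whose OpenSSL initialisation did not register SHA-256. The script below is an added example, not code from the thread, Squid or OpenSSL: it builds a throwaway CA and client certificate (sha256, 2048-bit RSA, with constructed subjects and file names), reports the signature algorithm recorded in the certificate, repeats the `openssl verify -CAfile` check from the thread, and also confirms that verification against an unrelated CA fails, so an "OK" is known to come from the chain rather than from a missing check.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the openssl CLI check on a
# throwaway CA and client certificate generated locally, so it runs offline.
# The CLI calls OpenSSL_add_all_algorithms(), so "openssl verify" accepts a
# sha256-signed certificate even where an application that only calls
# SSL_library_init() would report "unknown message digest algorithm".
# Subjects and file names below are assumptions made for this example.
set -e

# Build a CA and a client certificate in "$1", both signed with sha256 and
# 2048-bit RSA, mirroring the setup described in the thread.
make_sha256_chain() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/C=FR/O=example/CN=Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FR/O=example/OU=Users/CN=client01" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/client.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
}

# Print the signature algorithm recorded in a certificate (for example
# sha256WithRSAEncryption). This is the digest the verifying application
# must have registered with OpenSSL, otherwise ASN1_item_verify fails.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Run the same check as in the thread ("openssl verify -CAfile CA CERT")
# and print OK or FAIL so the result can be used in scripts.
verify_with_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Demonstration run: own CA must verify, an unrelated CA must not.
DEMO_A="$(mktemp -d)"
DEMO_B="$(mktemp -d)"
make_sha256_chain "$DEMO_A"
make_sha256_chain "$DEMO_B"
echo "signature algorithm:     $(sig_alg "$DEMO_A/client.pem")"
echo "verify against own CA:   $(verify_with_ca "$DEMO_A/cacert.pem" "$DEMO_A/client.pem")"
echo "verify against other CA: $(verify_with_ca "$DEMO_B/cacert.pem" "$DEMO_A/client.pem")"
rm -rf "$DEMO_A" "$DEMO_B"
```

If the CLI prints sha256WithRSAEncryption and OK for the real certificate while the application still logs "unknown message digest algorithm", the certificate and chain are sound and the suspect is the application's OpenSSL initialisation, which is exactly the distinction Steve's reply draws between SSL_library_init() and OpenSSL_add_all_algorithms().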