Search squid archive

Re: sslbump - firefox sec_error_inadequate_key_usage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/04/2014 10:16 p.m., Amm wrote:
> Hello,
> 
> Yesterday I upgraded OpenSSL version. (Although I was using OpenSSL 1.0.0 - not affected by Heartbleed, but I upgraded none-the-less)
> 
> 
> I am using sslbump (squid 3.4.4). Using Firefox 28.0 (latest 64bit tar.bz2)
> 
> After this upgrade i.e. from 1.0.0 to 1.0.1, Firefox started giving certificate error stating "sec_error_inadequate_key_usage".
> 
> This does not happen for all domains but looks like happening ONLY for google servers. i.e. youtube, news.google.com
> 
> Certificate is issued for *.google.com with lots of alternate names.
> 
> I also recompiled squid (with new OpenSSL) just to be sure.
> 
> I also cleared certificate store.
> 
> But error still occurs.
> 
> 
> Google search gave me a patch for this for 3.3.9. But just wanted to make sure if there is any other way to resolve this issue? (Like some squid configuration directive)
> 
> So please let me know, if patch is the only way OR this has been resolved?
> 
> Is it Firefox bug or squid bug?
> 

Hard to say.
 Is software correctly verifying and rejecting invalid SSL certficates a
bug?

"key_usage" is an explicit restriction on what circumstances and actions
the certificate can be used for.

What the message you are seeing indicates one of two things:
Either, the website owner has placed some limitations on how their
website certificate can be used and your SSL-bumping is violating those
restrictions.

Or, the creator of the certificate you are using to sign the generated
SSL-bump certificates has restricted your signing certificate
capabilities. (ie the main Trusted Authorities prohibit using certs they
sign as secondary CA to generate fake certs like SSL-bump does).

Either case is just as likely.

Amos




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux