On 11/04/2014 10:16 p.m., Amm wrote:
> Hello,
>
> Yesterday I upgraded OpenSSL version. (Although I was using OpenSSL 1.0.0 - not affected by Heartbleed, but I upgraded nonetheless)
>
>
> I am using sslbump (squid 3.4.4). Using Firefox 28.0 (latest 64bit tar.bz2)
>
> After this upgrade i.e. from 1.0.0 to 1.0.1, Firefox started giving certificate error stating "sec_error_inadequate_key_usage".
>
> This does not happen for all domains but looks like happening ONLY for google servers. i.e. youtube, news.google.com
>
> Certificate is issued for *.google.com with lots of alternate names.
>
> I also recompiled squid (with new OpenSSL) just to be sure.
>
> I also cleared certificate store.
>
> But error still occurs.
>
>
> Google search gave me a patch for this for 3.3.9. But just wanted to make sure if there is any other way to resolve this issue? (Like some squid configuration directive)
>
> So please let me know, if patch is the only way OR this has been resolved?
>
> Is it Firefox bug or squid bug?
>

Hard to say. Is software correctly verifying and rejecting invalid SSL certificates a bug?

"key_usage" is an explicit restriction on what circumstances and actions the certificate can be used for.

What the message you are seeing indicates is one of two things:

Either, the website owner has placed some limitations on how their website certificate can be used and your SSL-bumping is violating those restrictions.

Or, the creator of the certificate you are using to sign the generated SSL-bump certificates has restricted your signing certificate capabilities. (i.e. the main Trusted Authorities prohibit using certs they sign as secondary CA to generate fake certs like SSL-bump does).

Either case is just as likely.

Amos
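
Added example, not part of the original message and not Squid or Firefox code: a small decoder for the keyUsage extension value (a DER BIT STRING, RFC 5280 section 4.2.1.3) with a check for each of the two cases described in the reply. The sample hex values, the `check_bump_setup` helper and its `needed` parameter are constructed for illustration, and it assumes the generated certificate carries the same keyUsage as the origin certificate.

```python
# Added example: constructed keyUsage values, not taken from the thread.
# RFC 5280 4.2.1.3: keyUsage is a DER BIT STRING; bit 0 is the most
# significant bit of the first content octet.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried inside a keyUsage extension."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING with content")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(payload) * 8 - unused
    return {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))
    }

def check_bump_setup(signing_ku: bytes, generated_ku: bytes, needed: set) -> list:
    """Report which of the two cases from the reply applies (hypothetical helper)."""
    findings = []
    # Case 2: the certificate used to sign bumped certs may not act as a CA.
    if "keyCertSign" not in decode_key_usage(signing_ku):
        findings.append("signing certificate lacks keyCertSign")
    # Case 1: the generated cert (assumed to carry the origin's keyUsage)
    # does not permit what the client is about to use it for.
    missing = needed - decode_key_usage(generated_ku)
    if missing:
        findings.append("generated certificate lacks " + ", ".join(sorted(missing)))
    return findings

# Constructed sample extension values (hex of the DER BIT STRING).
CA_OK = bytes.fromhex("03020106")          # keyCertSign, cRLSign
CA_RESTRICTED = bytes.fromhex("03020780")  # digitalSignature only
LEAF_SIG_ONLY = bytes.fromhex("03020780")  # digitalSignature only
LEAF_FULL = bytes.fromhex("030205a0")      # digitalSignature, keyEncipherment

if __name__ == "__main__":
    # 'needed' is an assumption: what the client requires of the server cert.
    print(check_bump_setup(CA_OK, LEAF_SIG_ONLY, {"keyEncipherment"}))
    print(check_bump_setup(CA_RESTRICTED, LEAF_FULL, {"keyEncipherment"}))
```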