Search squid archive

Re: sslbump - firefox sec_error_inadequate_key_usage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday, 11 April 2014 4:46 PM, Amos wrote:


> On 11/04/2014 10:16 p.m., Amm wrote:
>> After this upgrade i.e. from 1.0.0 to 1.0.1, Firefox started giving
>> certificate error stating "sec_error_inadequate_key_usage".
>> 
>> This does not happen for all domains but looks like happening ONLY
>> for google servers. i.e. youtube, news.google.com
>> 
>> Certificate is issued for *.google.com with lots of alternate names.
>> 
>> Is it Firefox bug or squid bug?



> Hard to say.

> "key_usage" is an explicit restriction on what circumstances and
> actions the certificate can be used for.

> What the message you are seeing indicates one of two things:
> Either, the website owner has placed some limitations on how their
> website certificate can be used and your SSL-bumping is violating those
> restrictions.


As I said, its google domains. You can check
https://news.google.com OR https://www.youtube.com

Both have same ceritificate. *.google.com is primary and
youtube.com is one of the many alternate names.

It worked before I upgraded to OpenSSL 1.0.1.

The sslbump configuration was working till yesterday. Today
too it works for all other domains (Yahoo, hotmail etc.)

Infact https://www.google.com also works, because it has
specific certificate and not same *.google.com cerificate.


> Or, the creator of the certificate you are using to sign the generated
> SSL-bump certificates has restricted your signing certificate
> capabilities. (ie the main Trusted Authorities prohibit using certs they
> sign as secondary CA to generate fake certs like SSL-bump does).

> Either case is just as likely.

Did OpenSSL 1.0.0 not support key_usage? And hence squid did not
use it either?

I wonder why other Firefox+sslbump users are not complaining about this?

I see only few people complaining. That too was in November 2013.

I used the patch here:
http://www.squid-cache.org/mail-archive/squid-users/201311/att-0310/squid-3.3.9-remove-key-usage.patch

And it fixes the issue.

But I would prefer to do it without patch.

If I am the only one facing this, then what could be wrong?

Amm.





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux