Search squid archive

squid-3.4.7 may fix sec_error_extension_value_invalid error, but that's not enough

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 28/08/14 04:43, Amos Jeffries wrote:
>
> * Various SSL-bump certificate mimic errors
>
> These bugs show up most notably for users of Firefox complaining about
> a sec_error_inadequate_key_usage error. They are caused by Squid
> generating a fake certificate with the wrong X.509 version details for
> the TLS extensions being mimiced in that certificate.
>

Hi there, I've just upgraded from 3.4.6 to 3.4.7 and at first it didn't
seem to have fixed the sslbump problem

eg this link still generates the "sec_error_extension_value_invalid" error

https://ak2.boxcdn.net/cdn/farfuture/PNK_KmDsX8J309tUbroLqW_e5kVPMNIulZL8wrYh5Aw/mtime:1409288463/sites/default/files/cdn/css/http/css_mhGj6N2cEjI-irTOnjQDCNtP9tAGqNtYZcKU1SqKdYY.css

So I was about to put in a bug report when I realised something: I'd
still have the pre-existing "corrupt" Squid-generated cert in the
cache!  So I manually deleted all boxcdn.net certs I had, restarted
squid and it's all fixed ;-)

Just thought I'd share that - I probably won't be the only one who gets
that wrong ;-)

Other than wiping out the entire cert cache, is there any "openssl x509
..." command I could run to hunt down all similar broken certs - so I
only delete them?

Thanks!

-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux