
RE: squid-3.4.7 may fix sec_error_extension_value_invalid error, but that's not enough


Hello Jason,

I did even rebuild my stock CentOS 7 Squid to see the error was not gone. Silly me, thanks a lot!

Raf


-----Original Message-----
From: Jason Haar [mailto:Jason_Haar@xxxxxxxxxxx] 
Sent: Saturday, August 30, 2014 11:38 PM
To: squid-users@xxxxxxxxxxxxxxx
Subject:  squid-3.4.7 may fix sec_error_extension_value_invalid error, but that's not enough

On 28/08/14 04:43, Amos Jeffries wrote:
>
> * Various SSL-bump certificate mimic errors
>
> These bugs show up most notably for users of Firefox complaining about 
> a sec_error_inadequate_key_usage error. They are caused by Squid 
> generating a fake certificate with the wrong X.509 version details for 
> the TLS extensions being mimicked in that certificate.
>

Hi there, I've just upgraded from 3.4.6 to 3.4.7 and at first it didn't seem to have fixed the sslbump problem.

E.g. this link still generates the "sec_error_extension_value_invalid" error:

https://ak2.boxcdn.net/cdn/farfuture/PNK_KmDsX8J309tUbroLqW_e5kVPMNIulZL8wrYh5Aw/mtime:1409288463/sites/default/files/cdn/css/http/css_mhGj6N2cEjI-irTOnjQDCNtP9tAGqNtYZcKU1SqKdYY.css

So I was about to put in a bug report when I realised something: I'd still have the pre-existing "corrupt" Squid-generated cert in the cache!  So I manually deleted all boxcdn.net certs I had, restarted squid and it's all fixed ;-)

Just thought I'd share that - I probably won't be the only one who gets that wrong ;-)

Other than wiping out the entire cert cache, is there any "openssl x509 ..." command I could run to hunt down all similar broken certs - so I only delete them?

Thanks!

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
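
One way to approach the question asked above, as an added example that is not part of the original thread or of Squid: list cached certificates that declare an X.509 version below 3 yet still carry extensions, which only v3 certificates may contain. It assumes that this is what "wrong X.509 version details" means here, and that the cert cache directory (passed as the first argument) holds one PEM file per certificate; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report cached certs whose X.509 version is below 3 but which
# still carry extensions. It only prints paths; it deletes nothing.

# Reads `openssl x509 -noout -text` output on stdin.
# Exit status 0 = suspect (version < 3 with extensions), 1 = consistent.
cert_text_is_suspect() {
    awk '
        /^[ \t]*Version:/ && !seen_ver { ver = $2 + 0; seen_ver = 1 }
        /X509v3 extensions:/           { has_ext = 1 }
        END { exit !(seen_ver && ver < 3 && has_ext) }
    '
}

# Prints the path of every suspect file under directory $1.
# Assumption: $1 is the Squid cert cache and holds PEM files.
# Files that openssl cannot parse as a certificate are skipped.
scan_cert_dir() {
    find "$1" -type f | while IFS= read -r f; do
        text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || continue
        if printf '%s\n' "$text" | cert_text_is_suspect; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed samples of `openssl x509 -text` output, for checking the filter.
SAMPLE_V1_WITH_EXT='Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature'
SAMPLE_V3_WITH_EXT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature'

# Usage: sh find-suspect-certs.sh /path/to/cert/cache
if [ "$#" -gt 0 ]; then
    scan_cert_dir "$1"
fi
```

Review the listed files before removing any of them.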
