Re: ECDSA and SSL bump

That's just the point: everything was done according to the guidelines.

# First create EC parameters for selected curve
openssl ecparam -name secp384r1 -out secp384r1.pem
# Then generate dhparam with this EC params
openssl dhparam -in secp384r1.pem -outform PEM -out dhparam.pem 3072

# root CA 1
openssl ecparam -name secp384r1 -genkey -param_enc explicit -out rootCA.key
openssl req -new -x509 -sha256 -key rootCA.key -out rootCA.crt -days 10950

#Generate the CRL (both in PEM and DER):
openssl ca -config openssl.cfg -gencrl -keyfile rootCA.key -cert rootCA.crt -out rootCA.crl.pem
openssl crl -inform PEM -in rootCA.crl.pem -outform DER -out rootCA.crl

# root CA 2
openssl ecparam -name secp384r1 -genkey -param_enc explicit -out rootCA2.key
openssl req -new -sha256 -key rootCA2.key -out rootCA2.csr
openssl ca -keyfile rootCA.key -cert rootCA.crt -in rootCA2.csr -out rootCA2.crt -config openssl.cfg -days 9125

I do not see where I could have made such a stupid mistake.

19.06.2016 15:18, Amos Jeffries wrote:
On 19/06/2016 12:42 a.m., Yuri Voinov wrote:
Good weekend to all.

Gentlemen, has anybody played with ECDSA certificates and SSL bump with Squid?

When I try to use an ECDSA self-signed CA to bump, Squid (the version
does not matter) gives an SSLv3 error (for unknown reasons) and cannot
establish a secure connection, with a CIPHER/PROTOCOL negotiation error in
the browser. Yes, the latest Chrome.

Does this mean that Squid does not support ECDSA?

It means your certificate was not created with the flags indicating
which Curve it is to be used with.
  <https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography#Named_Curves>

I can't find any evidence of the flag being set on generated
certificates. So that may also be adding to the problem.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
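
Added example, not part of the original thread and not Squid or OpenSSL code: a small Python parser that reports whether the EC parameters in PEM files such as rootCA.key or rootCA.crt are encoded as a named curve (an OID) or explicitly, which is the distinction the reply above and the linked OpenSSL wiki section are about. The function names and the sample block are constructed for illustration.

```python
import base64, re

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
SECP384R1 = bytes.fromhex("2b81040022")              # OID 1.3.132.0.34
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, start, start + length

def classify(buf, pos):
    """ECParameters is a CHOICE: an OID names the curve, a SEQUENCE spells it out."""
    tag, s, e = tlv(buf, pos)
    if tag == 0x06:
        return "named_curve:" + ("secp384r1" if buf[s:e] == SECP384R1 else buf[s:e].hex())
    return "explicit" if tag == 0x30 else "other"

def find_params(buf, pos, end, label, found):
    """Collect ECParameters after id-ecPublicKey, or inside [0] of a SEC1 key."""
    after_oid = False
    while pos < end:
        tag, s, e = tlv(buf, pos)
        if after_oid:                    # sibling that follows id-ecPublicKey
            found.append(classify(buf, pos))
        elif tag == 0xA0 and label == "EC PRIVATE KEY":
            found.append(classify(buf, s))
        elif tag & 0x20:                 # constructed element: descend into it
            find_params(buf, s, e, label, found)
        after_oid = tag == 0x06 and buf[s:e] == ID_EC_PUBLIC_KEY
        pos = e
    return found

def inspect_pem(text):
    """Return [(pem_label, encoding), ...] for each EC parameter set in PEM text."""
    out = []
    for label, body in PEM.findall(text):
        der = base64.b64decode(body)
        hits = ([classify(der, 0)] if label == "EC PARAMETERS"
                else find_params(der, 0, len(der), label, []))
        out += [(label, h) for h in hits]
    return out

# Constructed sample: a named-curve EC PARAMETERS block (DER 06 05 2b 81 04 00 22).
SAMPLE = "-----BEGIN EC PARAMETERS-----\nBgUrgQQAIg==\n-----END EC PARAMETERS-----\n"
if __name__ == "__main__":
    print(inspect_pem(SAMPLE))
```

Pass it the text of a key, CSR or certificate file; any result of "explicit" means the file carries the full curve parameters rather than a curve name.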