On Sun 26.Jun'16 at 5:22:31 +1200, Amos Jeffries wrote:
> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
> > On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
> >>
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Use search.
> >>
> >> Some days ago I played around with ECDSA certs and dropped it due to
> >> extreme incompatibility with clients. Here was this thread.
> >>
> >>
> >
> > Is this the thread: http://marc.info/?l=squid-users&m=146625379320785&w=2?
> >
>
> That's the one that came to my mind when reading your problem description.
>
> Here is the solution he found to the cert content error:
> <http://marc.info/?l=squid-users&m=146633146001650&w=2>
>
> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
> the problem Yuri has. But if you do we would certainly like to know that
> in the bug report.
>
> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
> sure how I missed that. I hope to have the time to look them over later
> today and see if some progress can finally happen on that bug.)
>
> Amos
>

Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used the following commands to create the Root CA:

openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions v3_ca -sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out ../certs/ec-ca.crt

And it works without problems. I have done another test: I have created a CSR for squid's host without using ECDSA, using the following commands:

openssl genrsa -out server.key 4096
openssl req -nodes -key server.key -new -out server.csr

.. with the same result: fails.

Having arrived at this point, I don't know if it could be a better solution to deploy another CA without ECDSA ...

-- 
Greetings,
C. L. Martinez
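A check that helps when reading the second test in the message above, added here as an example and not taken from the thread or the Squid project: a certificate with an RSA key still carries an ECDSA signature when the issuing CA key is EC, so a client has to validate ECDSA either way. The file names, subject names, digests and 2048-bit key size are assumptions chosen for a throwaway lab directory.

```shell
#!/bin/sh
# Added lab sketch. File names, subjects and the 2048-bit size are constructed.
set -eu

# Build an EC P-384 root CA and an RSA server certificate issued by it.
build_chain() {
    dir=$1
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/ca.key"
    openssl req -new -x509 -key "$dir/ca.key" -sha512 -days 30 \
        -subj "/CN=Example EC Root" -out "$dir/ca.crt"
    # RSA key and CSR for the proxy host (2048 bits keeps the run short).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/CN=proxy.example.test" -out "$dir/server.csr"
    # The CA's EC key signs the RSA request.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 30 \
        -out "$dir/server.crt" 2>/dev/null
}

# Algorithm of the subject's public key, e.g. rsaEncryption.
key_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Public Key Algorithm:/ {print $2; exit}'
}

# Algorithm the issuer used to sign, e.g. ecdsa-with-SHA256.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ {print $3; exit}'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work"
for c in ca server; do
    echo "$c.crt: key=$(key_alg "$work/$c.crt") signature=$(sig_alg "$work/$c.crt")"
done
```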