Re: Problem with certificates and SSLBump

25.06.2016 23:47, C. L. Martinez wrote:
> On Sun 26.Jun'16 at  5:22:31 +1200, Amos Jeffries wrote:
>> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
>>> On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
>>>>
>>>> Use search.
>>>>
>>>> Some days ago I played around with ECDSA certs and dropped them due to
>>>> extreme incompatibility with clients. Here was this thread.
>>>>
>>>>
>>>
>>> Is this the thread:
>>> http://marc.info/?l=squid-users&m=146625379320785&w=2?
>>>
>>
>> Thats the one that came to my mind when reading your problem description.
>>
>> Here is the solution he found to the cert content error:
>>  <http://marc.info/?l=squid-users&m=146633146001650&w=2>
>>
>> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
>> the problem Yuri has. But if you do we would certainly like to know that
>> in the bug report.
>>
>> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
>> sure how I missed that. I hope to have the time to look them over later
>> today and see if some progress can finally happen on that bug.)
>>
>> Amos
>>
>
> Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used
> the following commands to create the Root CA:
>
> openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
> openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions v3_ca -sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out ../certs/ec-ca.crt
>
>  And it works without problems.
>
>  I have done another test: I have created a csr for squid's host
> without using ECDSA, using the following commands:
>
> openssl genrsa -out server.key 4096
> openssl req -nodes -key server.key -new -out server.csr
>
>  .. with the same result: fails.

I've tried something a bit different: a root CA without ECDSA (RSA4096+SHA256)
and an intermediate CA with ECDSA, signed by the first root. This works on my
testing setups.
>
>
>
>  Having arrived at this point, I don't know whether the best solution might be to deploy
> another CA without ECDSA ...
>
"Compatibility is more important than performance." (c)

Experience has shown that the compatibility of these certificates is
very questionable: they are not supported by all possible clients
without exception. That, in turn, leads to support problems.
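Added example, not code from this thread, from the posters, or from Squid: a POSIX shell script that builds the chain Yuri describes (an RSA-4096/SHA-256 root CA signing an ECDSA secp384r1 intermediate CA, which in turn issues an ECDSA leaf certificate) and then checks it with `openssl verify`. The subject names, the hostname proxy.example.test, the validity periods and the work directory are assumptions for the demonstration; it needs the openssl command-line tool (1.1.1 or later) on the path.

```shell
#!/bin/sh
# Added example, not from the thread: RSA root -> ECDSA intermediate -> ECDSA leaf,
# then chain verification. All names and the work directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

# Explicit extension sections so the result does not depend on the distro openssl.cnf.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

build_chain() {
    write_config

    # 1. Root CA: RSA 4096, self-signed with SHA-256 (no ECDSA at the trust anchor).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$WORK/root.key" 2>/dev/null
    openssl req -config "$CNF" -new -x509 -sha256 -days 3652 -key "$WORK/root.key" \
        -subj "/CN=Example Root CA (RSA)" -extensions v3_ca -out "$WORK/root.crt"

    # 2. Intermediate CA: secp384r1 key, CSR signed by the RSA root with SHA-256.
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/inter.key"
    openssl req -config "$CNF" -new -sha384 -key "$WORK/inter.key" \
        -subj "/CN=Example Intermediate CA (ECDSA)" -out "$WORK/inter.csr"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1826 -sha256 -extfile "$CNF" -extensions v3_intermediate \
        -out "$WORK/inter.crt"

    # 3. Leaf for the (assumed) proxy host: P-256 key, signed by the ECDSA intermediate.
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
    openssl req -config "$CNF" -new -sha256 -key "$WORK/server.key" \
        -subj "/CN=proxy.example.test" -out "$WORK/server.csr"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 825 -sha384 -extfile "$CNF" -extensions v3_server \
        -out "$WORK/server.crt"

    # What a TLS server would present: leaf first, then the intermediate.
    cat "$WORK/server.crt" "$WORK/inter.crt" > "$WORK/chain.pem"
}

# Exit status 0 only if the leaf chains to the RSA root through the ECDSA intermediate.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/server.crt"
}

# Signature algorithm used on a certificate: shows which link of the chain a client
# must be able to verify (RSA for the intermediate, ECDSA for the leaf in this setup).
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

build_chain
verify_chain
echo "intermediate signed with: $(sig_alg "$WORK/inter.crt")"
echo "leaf signed with:         $(sig_alg "$WORK/server.crt")"
```

The `sig_alg` check is the useful part when a client rejects the chain: it tells you whether the failing link is the RSA-signed intermediate or the ECDSA-signed leaf, which is what a client-compatibility problem of the kind discussed in this thread comes down to.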

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users