[squid-users] Certificate Validation problem due to Sha 256 message digest

From: Raphael <jraph_at_jraph.com>
Date: Fri, 5 Dec 2008 16:15:00 +0100

Hi All,

I am testing Squid as a reverse proxy https checking access with a brand new
OpenCA install.
All is working pretty well except one problem that I cannot get rid of, I'm
not really sure the problem is coming from Squid itself.

Here it is : My certificates generated with the Certificate Authority are
using Sha256 as message digest algorithm. I read that Sha1 will go until
2010 and then Sha256 will do the job. The CA certificate will expire in 2036
so I think it is a good choice.

When I check a client certificate together with my CA Openssl (0.8.9i =
latest) manage to verify it.

openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem
/root/72571934AA.pem: OK

When I use it as a CA in Squid (3.0 Stable 11 and older it is the same, as
well as Debian stable and testing packages) there is a problem verifying the
client certificate (wich is valid) and the connection is rejected. The
problem seem to come from the Sha256 message digest algorithm.

I am trying to connect with a windows XP SP3 client that should handle
Sha256 and IE or Firefox gives an error. Firefox says
ssl_error_decrypt_error_alert.
On the Squid side I always get the same error :

SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA
clientNegotiateSSL: Error negotiating SSL connection on FD 11:error :
0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest
algorithm (1/-1)

I also tried with a knoppix 5.3 dvd client with Iceweasel (Firefox) the
error remains the same.

Here is my squid.conf file :

visible_hostname xxxx.fr
https_port 192.168.200.10:443 cert=/root/CertificatSitexxxx/cat.pem
defaultsite=cat.xxxx.fr vhost clientca=/root/CAxxxx/cacert.pem
https_port 192.168.200.12:443 cert=/root/CertificatSitexxxx/cmd.pem
defaultsite=cat.xxxx.fr vhost clientca=/root/CAxxxx/cacert.pem
icp_port 0
htcp_port 0
cache_peer 10.10.10.11 parent 80 0 no-query originserver name=cat.xxxx.fr
login=PASS
cache_peer 10.10.10.12 parent 80 0 no-query originserver name=cmd.xxxx.fr
login=PASS
acl catalogue dstdomain cat.xxxx.fr
acl commande dstdomain cmd.xxxx.fr
cache_peer_access cat.xxxx.fr allow catalogue
cache_peer_access cmd.xxxx.fr allow commande
acl web port 443
http_access allow web
acl webserver dst 10.10.10.11 10.10.10.12
http_access allow webserver
cache-effective_user www-data
hierarchy_stoplist cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
cache_dir ufs /var/spool/squid 100 16 256
access_log /var/log/squid/access.log squid
misc_access allow all
http_reply_access allow all
icp_reply_access allow all
cache_effective_group proxy
coredump_dir /var/spool/squid

I tried the prepackages Openssl Squid, then I recompiled the sources
packages and then I recompiled them myself and the error is still there.

Would somebody have any hint ? I don't know where to search now !

Thanks

Raphaël
Received on Fri Dec 05 2008 - 15:15:18 MST

This archive was generated by hypermail 2.2.0 : Sun Dec 07 2008 - 12:00:02 MST