[squid-users] Re: SSL-bump certificate issue?

From: V�ctor Fern�ndez Mart�nez <vfernandez_at_barracuda.com>
Date: Wed, 20 Nov 2013 11:28:02 +0100

Hi Eliezer,

I think it's a SSL Bump issue. I've also had the same problem: youtube.com,
gmail.com and other Google sites caused Firefox to display a
sec_error_inadequate_key_usage error when ssl-bumped.

In my case, I managed to fix the issue with the attached patch for Squid 3.3.9.
It prevents Squid from mimicking the Key Usage extension when creating a
certificate. Firefox seems to reject the certificate because it doesn't accept
the key usage, but with the patch it accepts the certificates without problems.
This patch does not modify the behaviour regarding the Extended Key Usage
extension, so it is mimicked as usual. If you use it, make sure you remove all
certificates in the certificate cache so Squid has to generate them again.

I hope it helps. I will ask in the devel list about this issue.

Victor

On Friday 18 October 2013 00:13:47 Eliezer Croitoru wrote:
> I am trying to run some tests around these issues so If you do have any
>
> tests that should be done I would be very happy to test the issues.
>
> And I searched couple other things and it is not clear yet what is the
>
> reason for all but the next firefox extention helps a lot:
> https://addons.mozilla.org/en-US/firefox/addon/skip-cert-error/
>
> It has an option to aviod Specific certs which are trusted if the rootCA
>
> certificate was not compromosied yet... as a fact.
> This is one reason to renew the certs every once in a while.
>
> Eliezer
>
> On 10/16/2013 08:11 AM, Eliezer Croitoru wrote:
> > I have two servers on two different networks which use ssl-bump.
> > They have different root-CA that was created on two different machines.
> > Both of them was installed into FIREFOX and now I am getting a warning
> > about the certificate but only on one machine while.. using The other
> > works fine.
> > So I am not sure what the source of the problem and how to solve it.
> > How would I start debuggin it at all?
> >
> > the error message details from firefox:
> > #START
> > This Connection is Untrusted
> >
> > You have asked Firefox to connect securely to mail.google.com, but we
> > can't confirm that your connection is secure.
> >
> > Normally, when you try to connect securely, sites will present trusted
> > identification to prove that you are going to the right place. However,
> > this site's identity can't be verified.
> > What Should I Do?
> >
> > If you usually connect to this site without problems, this error could
> > mean that someone is trying to impersonate the site, and you shouldn't
> > continue.
> >
> > mail.google.com uses an invalid security certificate. The certificate is
> > not trusted because it was issued by an invalid CA certificate. (Error
> > code: sec_error_inadequate_key_usage)
> >
> > If you understand what's going on, you can tell Firefox to start
> > trusting this site's identification. Even if you trust the site, this
> > error could mean that someone is tampering with your connection.
> >
> > Don't add an exception unless you know there's a good reason why this
> > site doesn't use trusted identification.
> > ##END
> >
> > Thanks,
> > Eliezer

RSVP: "State of the Backup Appliance Market" webinar featuring leading analyst firm IDC. Tuesday, November 19, 10am PST. Register at http://www.barracuda.com/idcwebinar.

Received on Wed Nov 20 2013 - 10:28:23 MST

This archive was generated by hypermail 2.2.0 : Wed Nov 20 2013 - 12:00:04 MST