Re: [squid-users] Problem with certificates and SSLBump

2016-06-25 Thread Yuri Voinov


25.06.2016 23:47, C. L. Martinez writes:
> On Sun 26.Jun'16 at  5:22:31 +1200, Amos Jeffries wrote:
>> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
>>> On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
>>>
>>> Use search.
>>>
>>> Some days ago I've played around with ECDSA certs and dropped it due to
>>> extreme incompatibility with clients. Here was this thread.


>>>
>>> Is this the thread: http://marc.info/?l=squid-users=146625379320785=2?
>>>
>>
>> That's the one that came to my mind when reading your problem description.
>>
>> Here is the solution he found to the cert content error:
>>  
>>
>> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
>> the problem Yuri has. But if you do we would certainly like to know that
>> in the bug report.
>>
>> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
>> sure how I missed that. I hope to have the time to look them over later
>> today and see if some progress can finally happen on that bug.)
>>
>> Amos
>>
>
> Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used
> the following commands to create the Root CA:
>
> openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
> openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions
> v3_ca -sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out
> ../certs/ec-ca.crt
>
>  And it works without problems.
>
>  I have done another test: I have created a csr for squid's host
> without using ECDSA, using the following commands:
>
> openssl genrsa -out server.key 4096
> openssl req -nodes -key server.key -new -out server.csr
>
>  ... with the same result: it fails.
I've tried something a bit different. Root CA without ECDSA (RSA4096+SHA256),
intermediate CA with ECDSA, signed by the first root. This works on my
testing setups.
>
>
>
>  Having arrived at this, I don't know if the best solution could be to deploy
> another CA without ECDSA ...
>
"Compatibility is more important than performance." (c)

Experience has shown that the compatibility of these certificates is
very questionable; they are not supported by all possible clients
without exception. That, in turn, leads to support problems.



___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Problem with certificates and SSLBump

2016-06-25 Thread C. L. Martinez
On Sun 26.Jun'16 at  5:22:31 +1200, Amos Jeffries wrote:
> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
> > On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
> >>
> >> Use search.
> >>
> >> Some days ago I've played around with ECDSA certs and dropped it due to
> >> extreme incompatibility with clients. Here was this thread.
> >>
> >>
> > 
> > Is this the thread: http://marc.info/?l=squid-users=146625379320785=2?
> > 
> 
> That's the one that came to my mind when reading your problem description.
> 
> Here is the solution he found to the cert content error:
>  
> 
> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
> the problem Yuri has. But if you do we would certainly like to know that
> in the bug report.
> 
> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
> sure how I missed that. I hope to have the time to look them over later
> today and see if some progress can finally happen on that bug.)
> 
> Amos
> 

Thanks Amos. In my case, I am using LibreSSL from OpenBSD. I have used the 
following commands to create the Root CA:

openssl ecparam -out private/ec-secp384r1.pem -name secp384r1
openssl req -config ../openssl.cnf -new -x509 -days 3652 -extensions v3_ca 
-sha512 -newkey ec:ec-secp384r1.pem -keyout ec-ca.key -out ../certs/ec-ca.crt

And it works without problems.

 I have done another test: I have created a csr for squid's host without using 
ECDSA, using the following commands:

openssl genrsa -out server.key 4096
openssl req -nodes -key server.key -new -out server.csr

... with the same result: it fails.


Having arrived at this, I don't know if the best solution could be to deploy
another CA without ECDSA ...

-- 
Greetings,
C. L. Martinez
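An added example (not from this thread, nor from the Squid or LibreSSL projects): a POSIX shell script that builds the chain Yuri reports working in his reply above, an RSA-4096/SHA-256 root CA signing an ECDSA secp384r1 intermediate, issues an RSA server certificate from it as in the second test above, verifies the chain, and reports each certificate's public-key and signature algorithm so you can see which parts of a chain are ECDSA. It assumes a stock openssl(1) on PATH; all file names and subjects are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: RSA root -> ECDSA intermediate -> RSA leaf.
# Assumes openssl(1) on PATH; file names and subjects below are made up here.
set -e

# Print "<public key algorithm>;<signature algorithm>" for a PEM certificate.
# The first "Signature Algorithm" line is the one inside tbsCertificate.
cert_algos() {
    openssl x509 -in "$1" -noout -text |
        awk -F': *' '/Public Key Algorithm/ {pk=$2}
                     /Signature Algorithm/ && sig=="" {sig=$2}
                     END {print pk ";" sig}'
}

# Build root, intermediate and leaf in directory $1; echo the leaf path.
build_chain() {
    d=$1; mkdir -p "$d"
    # Self-signed RSA-4096/SHA-256 root CA (the part Yuri kept non-ECDSA).
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3652 \
        -subj "/CN=Example RSA Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # ECDSA secp384r1 intermediate CA, signed by the RSA root.
    openssl ecparam -name secp384r1 -genkey -noout -out "$d/int.key"
    openssl req -new -key "$d/int.key" -subj "/CN=Example ECDSA Intermediate" \
        -out "$d/int.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/int.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1826 -sha256 -extfile "$d/int.ext" \
        -out "$d/int.crt" 2>/dev/null
    # RSA leaf for the proxy host, issued by the ECDSA intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -subj "/CN=squid.example.test" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 365 -sha256 -out "$d/server.crt" 2>/dev/null
    echo "$d/server.crt"
}

# Verify the leaf against the root with the intermediate untrusted; print OK/FAIL.
verify_chain() {
    d=$1
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/int.crt" "$d/server.crt" \
        >/dev/null 2>&1 && echo OK || echo FAIL
}
```

Run `cert_algos` on each file to confirm the root reports `rsaEncryption`, the intermediate `id-ecPublicKey` signed with `sha256WithRSAEncryption`, and the leaf `rsaEncryption` signed with `ecdsa-with-SHA256`; a client that cannot handle ECDSA signatures will still reject this chain at the leaf.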


Re: [squid-users] Problem with certificates and SSLBump

2016-06-25 Thread Yuri Voinov



25.06.2016 23:22, Amos Jeffries writes:
> On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
>> On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
>>>
>>> Use search.
>>>
>>> Some days ago I've played around with ECDSA certs and dropped it due to
>>> extreme incompatibility with clients. Here was this thread.
>>>
>>>
>>
>> Is this the thread: http://marc.info/?l=squid-users=146625379320785=2?
>>
>
> That's the one that came to my mind when reading your problem description.
>
> Here is the solution he found to the cert content error:
>  
>
> YMMV, on the bug 4497 issue. So far no-one has been able to replicate
> the problem Yuri has. But if you do we would certainly like to know that
> in the bug report.
We, in turn, have not found any apparent reason or satisfactory theory to
explain this bug. It is still present in two of our infrastructures, and
we find more and more sites that cannot be opened with a similar error.
The only thing the two problem infrastructures have in common is that they
use ISPs without IPv6 and therefore have no IPv6 support themselves.
>
>
> (Yuri: sorry, I just noticed the captures you provided a week ago. Not
> sure how I missed that. I hope to have the time to look them over later
> today and see if some progress can finally happen on that bug.)
No problem, Amos. We are continuing our research as well; I hope we can
find both the reason and the solution. Together.
>
>
> Amos
>






Re: [squid-users] Problem with certificates and SSLBump

2016-06-25 Thread Amos Jeffries
On 26/06/2016 4:46 a.m., C. L. Martinez wrote:
> On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
>>
>> Use search.
>>
>> Some days ago I've played around with ECDSA certs and dropped it due to
>> extreme incompatibility with clients. Here was this thread.
>>
>>
> 
> Is this the thread: http://marc.info/?l=squid-users=146625379320785=2?
> 

That's the one that came to my mind when reading your problem description.

Here is the solution he found to the cert content error:
 

YMMV, on the bug 4497 issue. So far no-one has been able to replicate
the problem Yuri has. But if you do we would certainly like to know that
in the bug report.

(Yuri: sorry, I just noticed the captures you provided a week ago. Not
sure how I missed that. I hope to have the time to look them over later
today and see if some progress can finally happen on that bug.)

Amos



Re: [squid-users] Problem with certificates and SSLBump

2016-06-25 Thread C. L. Martinez
On Sat 25.Jun'16 at 22:33:56 +0600, Yuri Voinov wrote:
> 
> Use search.
> 
> Some days ago I've played around with ECDSA certs and dropped it due to
> extreme incompatibility with clients. Here was this thread.
> 
> 

Is this the thread: http://marc.info/?l=squid-users=146625379320785=2?

-- 
Greetings,
C. L. Martinez


Re: [squid-users] Problem with certificates and SSLBump

2016-06-25 Thread Yuri Voinov

Use search.

Some days ago I've played around with ECDSA certs and dropped it due to
extreme incompatibility with clients. Here was this thread.


25.06.2016 22:10, C. L. Martinez writes:
> Hi all,
>
>  I have some problems with my squid config when I use certificates
> generated with my internal CA. First, my ssl-bump config:
>
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/acls/domains.nobump"
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
>  With this config, all works as expected (I need to add some domains
> to domains.nobump, but gmail or google works without problems) only when
> I use a self-signed certificate in squid generated using the following
> commands:
>
> openssl genrsa -out server.key 4096
> openssl req -new -key server.key -x509 -days 365 -out server.crt
>
>  But when I sign squid's request certificate with my internal CA
> (based on OpenBSD's LibreSSL), nothing works: gmail fails, google fails,
> startpage fails, etc ... My internal CA is configured to use elliptic
> curve cryptography (secp384r1 for the CA and prime256v1 for hosts'
> certificates).
>
>  Maybe this is the problem? Why does everything work ok when I use a
> self-signed certificate and not when I sign squid's certificate with my
> internal CA?
>
> Thanks.
>



