I've been debugging an issue with some versions of Firefox failing to
accept the forged certificate generated by squid when bumping some
self-signed certs. Firefox gives me the very generic error:
"Certificate extension value is invalid. (Error code:
sec_error_extension_value_invalid)"
No real indication about what it's complaining about, so I've retrieved
the certificates and compared them. The only differences to note are
that the original certificate claims to be version 3 whilst the forged
cert is version 1. They have X.509v3 extensions, which is a problem in
a version 1 certificate.
It appears that Squid simply isn't copying the version number across
when generating the certificate. The attached patch copies the version
from mimicCert and fixes my Firefox problem.
It looks like the version is specifically set when a subjectAltName is
present - I suspect that can be removed, but I've left it for now since
it won't do any harm.
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com
Index: squid/trunk/source/src/ssl/gadgets.cc
===================================================================
--- squid/trunk/source/src/ssl/gadgets.cc (revision 314)
+++ squid/trunk/source/src/ssl/gadgets.cc (working copy)
@@ -284,6 +284,9 @@
// X509_set_subject_name will call X509_dup for name
X509_set_subject_name(cert.get(), name);
}
+
+ // Copy the X.509 version
+ X509_set_version(cert.get(), X509_get_version(properties.mimicCert.get()));
}
if (properties.setCommonName || !properties.mimicCert.get()) {
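Review bot: copying the mimic certificate's version verbatim only fixes the reported case where the original is already v3; if a v1 origin certificate is bumped and the later extension-handling code (the subjectAltName path mentioned in the mail, or any other extension copy) still adds X.509v3 extensions, the forged certificate stays v1 with extensions, which is exactly the combination Firefox rejects. Consider only ever raising the version, e.g. keeping `X509_set_version(cert.get(), X509_get_version(properties.mimicCert.get()));` but forcing version 3 (value 2 in OpenSSL's zero-based encoding) whenever extensions end up in the certificate. The return value of `X509_set_version()` is also discarded; it returns 0 on failure like the other `X509_set_*` calls in this function, so a check (or at least a debugs() line) would make a silent failure visible.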
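The mismatch described in the mail (a certificate carrying X.509v3 extensions while its version field says v1) can be checked directly from the DER structure. The following is an added example, not part of the mail or of Squid; it uses only the Python standard library, and `make_sample_cert` builds a constructed, unsigned skeleton with placeholder fields purely so the check can be exercised offline.

```python
def _tlv(data, pos=0):
    # Read one DER tag-length-value at pos; return (tag, value, position after it).
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(constructed):
    # Yield (tag, value) for each element inside a constructed DER value.
    pos = 0
    while pos < len(constructed):
        tag, val, pos = _tlv(constructed, pos)
        yield tag, val

def cert_version_and_extensions(der):
    """Return (version, has_extensions) for a DER Certificate (RFC 5280).
    Version is [0] EXPLICIT INTEGER {v1(0), v2(1), v3(2)} and defaults to v1 when absent;
    extensions live in the [3] EXPLICIT field of tbsCertificate and are only legal in v3."""
    _, cert, _ = _tlv(der)
    _, tbs, _ = _tlv(cert)                 # tbsCertificate is the first element
    version, has_ext = 1, False
    for tag, val in _children(tbs):
        if tag == 0xA0:                    # [0] Version
            version = int.from_bytes(_tlv(val)[1], "big") + 1
        elif tag == 0xA3:                  # [3] Extensions
            has_ext = True
    return version, has_ext

def has_invalid_v1_extensions(der):
    """True for the combination Firefox rejects: extensions present but version below 3."""
    version, has_ext = cert_version_and_extensions(der)
    return has_ext and version < 3

def _der(tag, *parts):
    # Minimal DER encoder (definite lengths up to 65535) for building constructed samples.
    body = b"".join(parts)
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def make_sample_cert(version, with_extensions):
    """Constructed, unsigned skeleton: only the tbsCertificate fields the check reads are real;
    the rest are placeholders (a real certificate has issuer, validity, subject, SPKI here)."""
    fields = [] if version == 1 else [_der(0xA0, _der(0x02, bytes([version - 1])))]
    fields.append(_der(0x02, b"\x01"))                      # serialNumber placeholder
    if with_extensions:                                     # basicConstraints (2.5.29.19), empty value
        ext = _der(0x30, _der(0x06, b"\x55\x1d\x13"), _der(0x04, _der(0x30)))
        fields.append(_der(0xA3, _der(0x30, ext)))
    return _der(0x30, _der(0x30, *fields), _der(0x30), _der(0x03, b"\x00"))  # tbs, sigAlg, signature
```

`cert_version_and_extensions` works on any real DER certificate as well (for PEM input, decode it with `ssl.PEM_cert_to_DER_cert` first), so it can be run over the original and the forged certificate to compare them.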