On Friday, 11 April 2014 4:46 PM, Amos wrote:

> On 11/04/2014 10:16 p.m., Amm wrote:
>> After this upgrade i.e. from 1.0.0 to 1.0.1, Firefox started giving
>> certificate error stating "sec_error_inadequate_key_usage".
>> 
>> This does not happen for all domains but looks like happening ONLY
>> for google servers. i.e. youtube, news.google.com
>> 
>> Certificate is issued for *.google.com with lots of alternate names.
>> 
>> Is it Firefox bug or squid bug?



> Hard to say.

> "key_usage" is an explicit restriction on what circumstances and
> actions the certificate can be used for.

> The message you are seeing indicates one of two things:
> Either, the website owner has placed some limitations on how their
> website certificate can be used and your SSL-bumping is violating those
> restrictions.


As I said, it's Google domains. You can check
https://news.google.com OR https://www.youtube.com

Both have the same certificate. *.google.com is primary and
youtube.com is one of the many alternate names.

It worked before I upgraded to OpenSSL 1.0.1.

The sslbump configuration was working till yesterday. Today
too it works for all other domains (Yahoo, hotmail etc.)

In fact https://www.google.com also works, because it has a
specific certificate and not the same *.google.com certificate.


> Or, the creator of the certificate you are using to sign the generated
> SSL-bump certificates has restricted your signing certificate
> capabilities. (i.e. the main Trusted Authorities prohibit using certs they
> sign as secondary CA to generate fake certs like SSL-bump does).

> Either case is just as likely.

Did OpenSSL 1.0.0 not support key_usage? And hence squid did not
use it either?

I wonder why other Firefox+sslbump users are not complaining about this?

I see only a few people complaining. That too was in November 2013.

I used the patch here:
http://www.squid-cache.org/mail-archive/squid-users/201311/att-0310/squid-3.3.9-remove-key-usage.patch

And it fixes the issue.

But I would prefer to do it without patch.

If I am the only one facing this, then what could be wrong?

Amm.
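The extension behind the error name in this thread is X.509 KeyUsage (RFC 5280, section 4.2.1.3): a bit string saying what the certificate's key may be used for. A TLS client that sees a server certificate whose keyUsage lacks the bit the negotiated key exchange needs reports it as inadequate key usage. The script below is an added example for this thread, not Squid's code and not anything posted on the list: it decodes and encodes the KeyUsage bit string with the standard library only, and checks a value against the key exchange in use (RSA key exchange needs keyEncipherment, because the client encrypts the premaster secret to the certificate key; DHE and ECDHE need digitalSignature, because the server signs its ephemeral parameters). The DER byte strings are constructed samples, and the "proxy copies the origin keyUsage" scenario is illustrative; the thread does not say what the patched Squid code actually did.

```python
# Added example (not from the squid-users thread, not Squid's own code):
# decode/encode an X.509 KeyUsage extension value (RFC 5280 4.2.1.3) and
# check whether it permits what a TLS server certificate must do for a
# given key exchange. Pure standard library, no network access.

# RFC 5280 KeyUsage bit names; bit 0 is the most significant bit of byte 0.
KEY_USAGE_BITS = (
    "digitalSignature",  # 0
    "nonRepudiation",    # 1 (contentCommitment in later revisions)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
)

# What the server certificate key must be allowed to do per TLS key exchange.
REQUIRED_BIT = {
    "RSA": "keyEncipherment",     # client encrypts premaster secret to the cert key
    "DHE": "digitalSignature",    # server signs its ephemeral DH parameters
    "ECDHE": "digitalSignature",  # server signs its ephemeral ECDH parameters
}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING inside a KeyUsage extension into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unexpected BIT STRING length encoding")
    unused_bits = der[2]
    body = der[3:]
    if unused_bits > 7 or (not body and unused_bits):
        raise ValueError("invalid unused-bits count")
    nbits = len(body) * 8 - unused_bits
    names = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        byte_index, bit_index = divmod(i, 8)
        if body[byte_index] & (0x80 >> bit_index):
            names.add(KEY_USAGE_BITS[i])
    return names


def encode_key_usage(names) -> bytes:
    """Inverse of decode_key_usage: DER BIT STRING (trailing zero bits dropped)."""
    positions = [KEY_USAGE_BITS.index(n) for n in names]
    if not positions:
        return b"\x03\x01\x00"  # empty bit string
    highest = max(positions)
    nbytes = highest // 8 + 1
    value = bytearray(nbytes)
    for p in positions:
        value[p // 8] |= 0x80 >> (p % 8)
    unused = nbytes * 8 - (highest + 1)
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body


def key_usage_adequate(der, key_exchange: str) -> bool:
    """True if the certificate may serve the given key exchange.

    der is the KeyUsage extension value, or None when the extension is absent
    (an absent KeyUsage places no restriction on the key).
    """
    needed = REQUIRED_BIT[key_exchange]
    if der is None:
        return True
    return needed in decode_key_usage(der)


def mimic_scenario() -> dict:
    """Constructed illustration: an origin certificate that only carries
    digitalSignature (fine for a server that negotiates ECDHE) is copied
    verbatim by a bumping proxy, which then negotiates RSA key exchange
    with the browser. The copied keyUsage no longer covers what the
    generated certificate is used for."""
    origin_key_usage = encode_key_usage({"digitalSignature"})  # constructed sample
    return {
        "origin_bits": sorted(decode_key_usage(origin_key_usage)),
        "origin_with_ecdhe": key_usage_adequate(origin_key_usage, "ECDHE"),
        "copied_with_rsa_kx": key_usage_adequate(origin_key_usage, "RSA"),
        # A generated certificate that must serve either exchange needs both bits.
        "fixed_value": encode_key_usage({"digitalSignature", "keyEncipherment"}),
    }


if __name__ == "__main__":
    for k, v in mimic_scenario().items():
        print(f"{k}: {v!r}")
```

To see the real value on a live certificate, `openssl x509 -in cert.pem -noout -text` prints it under "X509v3 Key Usage"; feeding the decoded bits and the cipher suite actually negotiated with the browser into key_usage_adequate tells you whether the generated certificate would pass this check.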
