I've been debugging an issue with some versions of Firefox failing to accept the forged certificate generated by Squid when bumping some self-signed certs. Firefox gives me the very generic error:

"Certificate extension value is invalid. (Error code: sec_error_extension_value_invalid)"

No real indication about what it's complaining about, so I've retrieved the certificates and compared them. The only differences to note are that the original certificate claims to be version 3 whilst the forged cert is version 1. They have X.509v3 extensions, which is a problem in a version 1 certificate. It appears that Squid simply isn't copying the version number across when generating the certificate. The attached patch copies the version from mimicCert and fixes my Firefox problem. It looks like the version is specifically set when a subjectAltName is present - I suspect that can be removed, but I've left it for now since it won't do any harm.

--
Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messenger: xmpp:st...@opendium.com
Email: st...@opendium.com
Phone: sip:st...@opendium.com

Sales / enquiries contacts:
Email: sa...@opendium.com
Phone: +44-844-9791439 / sip:sa...@opendium.com

Support contacts:
Email: supp...@opendium.com
Phone: +44-844-4844916 / sip:supp...@opendium.com
Index: squid/trunk/source/src/ssl/gadgets.cc =================================================================== --- squid/trunk/source/src/ssl/gadgets.cc (revision 314) +++ squid/trunk/source/src/ssl/gadgets.cc (working copy) @@ -284,6 +284,9 @@ // X509_set_subject_name will call X509_dup for name X509_set_subject_name(cert.get(), name); } + + // Copy the X.509 version + X509_set_version(cert.get(), X509_get_version(properties.mimicCert.get())); } if (properties.setCommonName || !properties.mimicCert.get()) {
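Review bot: the return value of X509_set_version() is discarded in the added lines, so if the call fails the forged certificate silently ships as v1, which is exactly the condition this patch exists to cure; the neighbouring X509_set_subject_name() call is equally unchecked, but for the version copy it is worth at least logging the failure or returning an error so a bad mimic is not handed to the client. Also, as the cover message itself notes, the existing subjectAltName-specific X509_set_version becomes redundant once the version is copied unconditionally here; removing it in the same patch, or adding a comment beside the new "Copy the X.509 version" line explaining why both remain, keeps the two from drifting apart later.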
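The defect Steve describes is a structural one: a certificate whose version field says v1 (or is absent) while its TBSCertificate carries the v3 extensions block. The check below is an added example, not part of the post or of Squid; it walks the outer DER layers of a certificate with a minimal TLV reader and flags that mismatch. The toy certificate builder fills the non-version, non-extension fields with empty placeholder SEQUENCEs (constructed sample data, not a real certificate); the subjectAltName OID 2.5.29.17 is the only real identifier used.

```python
# Minimal DER TLV reader: returns (tag, value bytes, position after this element).
def read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def check_cert(der):
    """Return (version, has_extensions, consistent) for a DER Certificate.
    version uses the on-the-wire encoding: 0 = v1, 2 = v3 (absent field means v1)."""
    _, cert_body, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)          # tbsCertificate SEQUENCE
    fields = children(tbs)
    version = 0                                 # v1 when the [0] field is omitted
    if fields and fields[0][0] == 0xA0:         # [0] EXPLICIT version
        version = int.from_bytes(children(fields[0][1])[0][1], "big")
    has_exts = any(tag == 0xA3 for tag, _ in fields)   # [3] EXPLICIT extensions
    return version, has_exts, (not has_exts) or version == 2

# Constructed toy encoder (short- and long-form lengths) used only to build samples.
def tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x80 | 2]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def toy_cert(version, with_exts):
    fields = []
    if version is not None:
        fields.append(tlv(0xA0, tlv(0x02, bytes([version]))))
    fields.append(tlv(0x02, b"\x01"))                     # serialNumber (placeholder)
    fields += [tlv(0x30, b"")] * 5                        # sigalg, issuer, validity, subject, spki placeholders
    if with_exts:                                         # one empty subjectAltName extension
        san = tlv(0x30, tlv(0x06, b"\x55\x1d\x11") + tlv(0x04, b""))
        fields.append(tlv(0xA3, tlv(0x30, san)))
    tbs = tlv(0x30, b"".join(fields))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Running check_cert over a real DER file (open(path, "rb").read()) gives the same triple; a result of (0, True, False) is the "v1 certificate with v3 extensions" shape that Firefox rejects.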