Bug#814333: squid3: SSL error "sec_error_inadequate_key_usage" in the browser

2016-02-11 Thread Amos Jeffries
Control: severity 814333 important
Control: tags 814333 - newcomer
Control: forwarded 814333 http://bugs.squid-cache.org/show_bug.cgi?id=4102
Control: notfound 814333 3.4.8-6+deb8u1
Control: fixed 814333 3.5.10-1


I am downgrading this bug on grounds that the issue *does not occur in
any of the official Debian packages*.
Nor is fiddling with the security parameters and operation of TLS a bug
activity suitable for newcomers.


On Tue, 09 Feb 2016 22:51:43 -0200 Y wrote:
>
> I downloaded and compiled the squid through apt-build by adding the
> following lines in "/var/cache/apt-build/build/squid3-3.4.8/debian/rules":
> --enable-ssl \
> --enable-ssl-CRTD \
> --with-openssl \
>
> Some https sites present the "sec_error_inadequate_key_usage" message
> as an error code.
> The errors appear when using Firefox and Iceweasel browsers.

As you noted this was a Mozilla issue (yes *was*). It was fixed in
current Firefox/Iceweasel releases, but several workarounds were also
added to recent Squid versions to not trigger it so easily. Those fixes
are not all suitable for backport IIRC, or they would definitely have
happened already.

Upstream policy is that TLS/SSL users should track the latest releases.
This is particularly important for TLS MITM users such as you (seen in
your choice of build options). There are known vulnerabilities in TLS
MITM for all Squid older than 3.5.10. The non-existence of TLS/SSL in
official Debian packages makes these irrelevant to the Debian security
team. Security issues in the custom additions are *your* problem to
track and fix. I highly recommend building from the Stretch package
instead of patching.


Amos Jeffries
(Squid upstream)
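The keyUsage mimicking discussed in this thread (the NID_key_usage line in gadgets.cc) is something a defender can check on the certificate the bump proxy actually serves. The following is an added example, not Squid's code and not from either message: it inspects a server certificate's keyUsage against its key type with the Python `cryptography` library. It assumes the failing case is an RSA certificate generated by ssl_crtd that carries a digitalSignature-only keyUsage copied from an ECDSA origin; the CN bumped.example and the test certificates are constructed.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID


def tls_usage_gaps(cert):
    """List the TLS key-exchange roles that this server certificate's keyUsage
    (OpenSSL's NID_key_usage) rules out for its key type. NSS/Firefox checks
    keyUsage per cipher suite and reports a mismatch as sec_error_inadequate_key_usage."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return []  # no keyUsage extension: every usage is permitted
    gaps = []
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        if not ku.key_encipherment:   # static RSA kx encrypts the premaster secret
            gaps.append("RSA key exchange (needs keyEncipherment)")
        if not ku.digital_signature:  # (EC)DHE_RSA signs the ephemeral key share
            gaps.append("(EC)DHE_RSA (needs digitalSignature)")
    elif isinstance(pub, ec.EllipticCurvePublicKey) and not ku.digital_signature:
        gaps.append("ECDHE_ECDSA (needs digitalSignature)")
    return gaps


def make_self_signed(digital_signature, key_encipherment, ecdsa=False):
    """Constructed self-signed test certificate (hypothetical CN) whose
    keyUsage bits and key type are chosen by the caller."""
    key = (ec.generate_private_key(ec.SECP256R1()) if ecdsa
           else rsa.generate_private_key(public_exponent=65537, key_size=2048))
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "bumped.example")])
    now = datetime.now(timezone.utc)
    ku = x509.KeyUsage(digital_signature=digital_signature, content_commitment=False,
                       key_encipherment=key_encipherment, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=False,
                       encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(ku, critical=True).sign(key, hashes.SHA256()))


def mimicked_rsa_cert():
    """RSA key (as ssl_crtd generates) carrying the digitalSignature-only
    keyUsage copied from an ECDSA origin: the assumed cause of the error."""
    return make_self_signed(digital_signature=True, key_encipherment=False)
```

To check a real bumped certificate, pass `x509.load_pem_x509_certificate(pem_bytes)` to `tls_usage_gaps`; an empty list means keyUsage is consistent with the key type.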



Bug#814333: squid3: SSL error "sec_error_inadequate_key_usage" in the browser

2016-02-10 Thread Y
Package: squid3
Version: 3.4.8-6+deb8u1+aptbuild1
Severity: grave
Tags: newcomer
Justification: renders package unusable

Dear Maintainer,

I downloaded and compiled the squid through apt-build by adding the following 
lines in "/var/cache/apt-build/build/squid3-3.4.8/debian/rules":
 --enable-ssl \
 --enable-ssl-CRTD \
 --with-openssl \

Some https sites present the "sec_error_inadequate_key_usage" message as an
error code.
The errors appear when using Firefox and Iceweasel browsers.
The same sites that show the error in Firefox-based browsers work perfectly in
Chrome.
An example website is https://pt.wikipedia.org/

I found a palliative on
https://www.howtoforge.com/filtering-https-traffic-with-squid that worked.
Apparently removing the line containing the code "NID_key_usage," from the file
/var/cache/apt-build/build/squid3-3.4.8/src/ssl/gadgets.cc solves it, but I do
not know if this would imply some other problem.
Compiling squid using the source from the project site, this error does not
occur.



-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages squid3 depends on:
ii  adduser                  3.113+nmu3
ii  libc6                    2.19-18+deb8u2
ii  libcap2                  1:2.24-8
ii  libcomerr2               1.42.12-1.1
ii  libdb5.3                 5.3.28-9
ii  libecap2                 0.2.0-3
ii  libexpat1                2.1.0-6+deb8u1
ii  libgcc1                  1:4.9.2-10
ii  libgssapi-krb5-2         1.12.1+dfsg-19+deb8u2
ii  libk5crypto3             1.12.1+dfsg-19+deb8u2
ii  libkrb5-3                1.12.1+dfsg-19+deb8u2
ii  libldap-2.4-2            2.4.40+dfsg-1+deb8u2
ii  libltdl7                 2.4.2-1.11
ii  libnetfilter-conntrack3  1.0.4-1
ii  libnettle4               2.7.1-5
ii  libpam0g                 1.1.8-3.1+deb8u1
ii  libsasl2-2               2.1.26.dfsg1-13+deb8u1
ii  libssl1.0.0              1.0.1k-3+deb8u2
ii  libstdc++6               4.9.2-10
ii  libxml2                  2.9.1+dfsg1-5+deb8u1
ii  logrotate                3.8.7-1+b1
ii  lsb-base                 4.1+Debian13+nmu1
ii  netbase                  5.3
ii  squid3-common            3.4.8-6+deb8u1+aptbuild1

squid3 recommends no packages.

Versions of packages squid3 suggests:
pn  resolvconf   
pn  smbclient
pn  squid-cgi
pn  squid-purge  
pn  squidclient  
pn  ufw  
pn  winbindd 

-- Configuration Files:
/etc/squid3/squid.conf changed:
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl sites_bloqueados dstdomain "/etc/squid3/empresa/sites-bloqueados"
acl localnet src 192.168.25.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny sites_bloqueados
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certificado/empresa.pem
ssl_bump server-first all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /etc/squid3/certificado/ssl_db -M 4MB
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
always_direct allow all


-- no debconf information