Hello Jason,

I did even rebuild my stock CentOS 7 Squid to see the error was not gone, silly 
me. Thanks a lot!


-----Original Message-----
From: Jason Haar [mailto:jason_h...@trimble.com] 
Sent: Saturday, August 30, 2014 11:38 PM
To: squid-users@squid-cache.org
Subject: [squid-users] squid-3.4.7 may fix sec_error_extension_value_invalid 
error, but that's not enough

On 28/08/14 04:43, Amos Jeffries wrote:
> * Various SSL-bump certificate mimic errors
> These bugs show up most notably for users of Firefox complaining about 
> a sec_error_inadequate_key_usage error. They are caused by Squid 
> generating a fake certificate with the wrong X.509 version details for 
> the TLS extensions being mimicked in that certificate.

Hi there, I've just upgraded from 3.4.6 to 3.4.7 and at first it didn't seem to 
have fixed the sslbump problem.

E.g. this link still generates the "sec_error_extension_value_invalid" error


So I was about to put in a bug report when I realised something: I'd still have 
the pre-existing "corrupt" Squid-generated cert in the cache!  So I manually 
deleted all boxcdn.net certs I had, restarted squid and it's all fixed ;-)

Just thought I'd share that - I probably won't be the only one who gets that 
wrong ;-)

Other than wiping out the entire cert cache, is there any "openssl x509 ..." 
command I could run to hunt down all similar broken certs - so I only delete 



Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
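
An added example (not from this thread or from the Squid project) of one way to do the hunt asked about above: it flags cached certificates that carry X.509 extensions while declaring a version other than 3, which is an assumed reading of the "wrong X.509 version details" bug quoted from the release notes. The function names and the cache directory argument are hypothetical; pass the directory your certificate cache actually uses.

```shell
#!/bin/sh
# Added example. Assumption: a "broken" mimicked certificate is one that
# carries X.509 extensions while declaring a version other than 3
# (extensions are only defined for v3 certificates, RFC 5280).

# Read `openssl x509 -noout -text` output on stdin and print one verdict:
#   ok        v3 certificate, or a certificate with no extensions
#   mismatch  extensions present but the declared version is not 3
#   unparsed  no Version line found (input is not a certificate dump)
classify_cert_text() {
    awk '
        /^[ \t]*Version:/ && !seen { seen = 1; ver = $2 }
        /X509v3 extensions:/       { ext = 1 }
        END {
            if (!seen)                print "unparsed"
            else if (ext && ver != 3) print "mismatch"
            else                      print "ok"
        }'
}

# Walk a directory of PEM files and list the ones that look broken,
# one "path<TAB>subject" line each. Nothing is deleted; review the list first.
# $1 = certificate cache directory (hypothetical argument).
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Files that are not certificates (index, size counters) are skipped.
        text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) || continue
        verdict=$(printf '%s\n' "$text" | classify_cert_text)
        if [ "$verdict" = mismatch ]; then
            subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
            printf '%s\t%s\n' "$f" "$subject"
        fi
    done
    return 0
}

# Run as: sh find_broken_certs.sh /path/to/cert/cache
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

The output is a review list only; deleting the listed files and restarting Squid is the manual step described in the message above.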
