Control: severity 814333 important
Control: tags 814333 - newcomer
Control: forwarded 814333 http://bugs.squid-cache.org/show_bug.cgi?id=4102
Control: notfound 814333 3.4.8-6+deb8u1
Control: fixed 814333 3.5.10-1

I am downgrading this bug on grounds that the issue *does not occur in any of the official Debian packages*. Nor is fiddling with the security parameters and operation of TLS a bug activity suitable for newcomers.

On Tue, 09 Feb 2016 22:51:43 -0200 Y wrote:
>
> I downloaded and compiled the squid through apt-build by adding the following lines in "/var/cache/apt-build/build/squid3-3.4.8/debian/rules":
> --enable-ssl \
> --enable-ssl-CRTD \
> --with-openssl \
>
> Some https sites present the "sec_error_inadequate_key_usage" message as the error code.
> The errors appear when using Firefox and Iceweasel browsers.

As you noted this was a Mozilla issue (yes *was*). It was fixed in current Firefox/Iceweasel releases, but several workarounds were also added to recent Squid versions to not trigger it so easily.

Those fixes are not all suitable for backport IIRC, or they would definitely have happened already.

Upstream policy is that TLS/SSL users should track the latest releases. This is particularly important for TLS MITM users such as you (seen in your choice of build options). There are known vulnerabilities in TLS MITM for all Squid older than 3.5.10.

The non-existence of TLS/SSL in official Debian packages makes these irrelevant to the Debian security team. Security issues in the custom additions are *your* problem to track and fix.

I highly recommend building from the Stretch package instead of patching.

Amos Jeffries
(Squid upstream)