Hi all,

I am setting up a CA and an HTTPS reverse proxy, with Squid filtering access
to the backend web site.

I compiled OpenSSL 0.9.8i from source on the CA and on the Squid 2.7 (or 3)
servers. I managed to verify the sha256-protected certificate on both
computers using:

openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem

/root/72571934AA.pem: OK


However, when Squid checks the client certificate, it gives an error in the
log files:

SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA

clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm (1/-1)

So I think Squid doesn't understand the sha256 message digest, so it cannot
verify the certificate?

When I enter the command "openssl list-message-digest-commands" I get:

md2
md4
md5
rmd160
sha
sha1

There's no sha256, but I don't know if this is normal? (Would sha256 be
covered by the "sha" entry?)

When I run "openssl speed" I do see a sha256 speed calculation.

I tried with multiple client browsers (Linux and Windows) that should handle
sha256 (Debian unstable and Windows XP SP3).

I tested multiple versions of Squid and OpenSSL and the error still shows up.

I posted a mail on the Squid mailing list and they asked if I had compiled
Squid with OpenSSL support. I did, and I don't know where the problem is.

I could use sha1, but the CA will be more secure with sha256, as it is
designed to last until 2030 :)

Could someone give me a hint, as I am lost?

Thanks

Raphael BUQUET

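Editor's note, with an added example that is not part of the post above: the successful "openssl verify" run shows that the OpenSSL library on that machine does know SHA-256. "openssl list-message-digest-commands" only lists the digest sub-commands compiled into the openssl binary, and on 0.9.8 that list stops at sha1 even though EVP_sha256() exists and "openssl dgst -sha256" works. The ASN1_item_verify error "unknown message digest algorithm" is raised when the digest named in the certificate's signature algorithm has not been registered in the EVP lookup table. On 0.9.8, SSL_library_init() registers only the digests it needs for SSL itself; an application that wants to verify SHA-256 signed certificates also has to call OpenSSL_add_all_algorithms() (or OpenSSL_add_all_digests()). OpenSSL 1.0.0 added the SHA-2 digests to SSL_library_init(). The script below reproduces the check the post describes with a throw-away SHA-256 signed CA and client certificate; the subjects, file names and functions are made up for the demonstration, and it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): build a throw-away SHA-256 signed
# CA and client certificate, run the same kind of "openssl verify" check the
# post describes, and read the signature algorithm out of the certificate.
# All subjects, file names and function names are invented for this demo.
set -eu

# Create ca.pem and client.pem in $1, both signed with SHA-256.
make_sha256_chain() {
  dir=$1
  mkdir -p "$dir"
  # Self-signed CA with a SHA-256 signature; -subj keeps it non-interactive.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=FR/O=Example/OU=CA/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Client key and CSR, then sign the CSR with the CA, again forcing SHA-256.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=FR/O=Example/OU=Users/CN=client01" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -sha256 -days 365 -out "$dir/client.pem" 2>/dev/null
}

# Print the signature algorithm of a certificate (e.g. sha256WithRSAEncryption).
# This is the digest the verifying side must have registered.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if "openssl verify" reports "<cert>: OK" against the given CA.
# The output text is checked rather than the exit status because old openssl
# versions returned 0 even when verification failed.
verify_against_ca() {
  ca=$1
  cert=$2
  openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'
}

# Succeed if the library behind the CLI can compute SHA-256, regardless of what
# "openssl list-message-digest-commands" prints (0.9.8 omits sha256 there).
sha256_available() {
  printf 'abc' | openssl dgst -sha256 >/dev/null 2>&1
}

# Usage: run_demo  (builds the chain in a temp dir and prints the results)
run_demo() {
  tmp=$(mktemp -d)
  make_sha256_chain "$tmp"
  echo "signature algorithm: $(cert_sig_alg "$tmp/client.pem")"
  if verify_against_ca "$tmp/ca.pem" "$tmp/client.pem"; then
    echo "openssl verify: OK"
  else
    echo "openssl verify: FAILED"
  fi
  if sha256_available; then
    echo "sha256 digest: available in this openssl build"
  fi
  rm -rf "$tmp"
}
```

If this script verifies the certificate but the proxy still logs "unknown message digest algorithm", the digest is known to libcrypto but not registered by the application; on 0.9.8 that points at a missing OpenSSL_add_all_algorithms() call rather than at the certificate or the CA.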