On Fri, Dec 12, 2008, Raphael wrote: > Hi all, > > > > I am setting up a CA and a reverse proxy https with Squid filtering access > to the backend web site. > > I compiled from source Openssl 0.9.8i on the CA and Squid 2.7 (or 3) > servers. I manage to verify the sha256 protected certificate on both > computers using : > > > > openssl verify -CAFile /root/CAxxxx/cacert.pem -verbose /root/72571934AA.pem > > /root/72571934AA.pem: OK > > > > However when Squid checks client certificate it gives an error in log files > : > > > > SSL unknown certificate error 7 in /C=FR/O=xxxx/OU=Users/CN=72571934AA > > clientNegotiateSSL: Error negotiating SSL connection on FD 11:error : > > 0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown mesage digest > > algorithm (1/-1) > > > > So I think Squid doesn't understand the sha256 message digest so it cannot > verify the certificate ? > >
Possibly it is calling SSL_library_init() which doesn't add a complete set of digests. OpenSSL_add_all_algorithms() should be called as well. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
