I am using squid as a reverse proxy with client certificates and everything was working fine for a month. But after 02 MAR 2012 17:56 CET client certificates stopped working even though my self-signed CA and certificates are valid way longer. I think it might be an openssl problem, but feel free to tell me to bother the squid mailing list.
Maybe I shouldn't have created my certificate authority in February when it is a leap year? (Since I am clueless, I am venturing into possibly absurd territory.) I tried it with Squid 2.7STABLE9 and Squid 3.1 and the error stayed the same. I tested it with pfSense 2.0.1 (FreeBSD 8.1-RELEASE-p6) openssl-1.0.0_2 and with Ubuntu 10.04.3 LTS kernel 2.6.32-36-generic-pae openssl 0.9.8k-7ubuntu8.6 (libssl.so.0.9.8) and the error was the same.

ca.crt validity
Not Before: Feb 2 16:51:56 2012 GMT
Not After : Jan 30 16:51:56 2022 GMT

client.crt validity
Not Before: Feb 2 16:54:29 2012 GMT
Not After : Jan 30 16:54:29 2022 GMT

Error message after 02 MAR 2012 17:56 CET:

2012/03/04 17:43:42| SSL unknown certificate error 12 in /C=DE/ST=NRW/L=Neuss/O=Profil/CN=xxx/emailAddress=xxx
2012/03/04 17:43:42| clientNegotiateSSL: Error negotiating SSL connection on FD 10: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)

If I set the system date of the squid server to 02 MAR 2012 17:55 CET or before, squid accepts the certificate again.

If I set the date before the CA became valid, I get the probably expected error:

2012/01/15 10:40:14| SSL unknown certificate error 11 in /C=DE/ST=NRW/L=Neuss/O=Profil/OU=ActiveSync/CN=xxx/emailAddress=xxx
2012/01/15 10:40:14| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)

If I set the system date beyond the validity of the CA, I get the probably expected error:

2025/02/05 14:44:19| SSL unknown certificate error 12 in /C=DE/ST=NRW/L=Neuss/O=Profil/CN=xxx/emailAddress=xxx
2025/02/05 14:44:19| clientNegotiateSSL: Error negotiating SSL connection on FD 14: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned (1/-1)

openssl verify tells me that the ca.crt and the client.crt are "OK" if the system date is in the validity range of the certificates.
If I set up a new certificate authority I have no problems during the whole validity period. For my certificate needs I use easy-rsa from the openvpn package. I am curious to know why this error occurred... Any help in elucidating the reasons behind this problem would be appreciated.

Cheers,
Marcus
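One check worth having here, as an added example that is not part of the original thread: squid's "SSL unknown certificate error N" prints OpenSSL's X509_V_ERR_* code unchanged, and 11 and 12 are X509_V_ERR_CRL_NOT_YET_VALID and X509_V_ERR_CRL_HAS_EXPIRED, so they describe the CRL's validity window, not the certificates' dates. The script below decodes those codes and reports where a CRL (as printed by `openssl crl -noout -lastupdate -nextupdate`) sits relative to a given time; the certificate dates are the post's, the CRL dates are constructed.

```python
# Added example (not from the original post). Certificate dates are the ones
# in the post; the CRL dates are constructed, since the post omits the CRL
# that easy-rsa issues alongside the CA.
from datetime import datetime, timedelta

# Subset of X509_V_ERR_* from openssl/x509_vfy.h; squid logs only the number.
X509_VERIFY_ERRORS = {9: "X509_V_ERR_CERT_NOT_YET_VALID", 10: "X509_V_ERR_CERT_HAS_EXPIRED",
                      11: "X509_V_ERR_CRL_NOT_YET_VALID", 12: "X509_V_ERR_CRL_HAS_EXPIRED"}

def parse_openssl_date(text):
    # 'Feb  2 16:51:56 2012 GMT' as printed by openssl x509/crl (day may be space padded)
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")

def parse_fields(output):
    # key=value lines from `openssl x509 -noout -dates` / `openssl crl -noout -lastupdate -nextupdate`
    return dict(line.split("=", 1) for line in output.strip().splitlines())

def decode_squid_error(line):
    # Name the verify error behind a squid "SSL unknown certificate error N" line.
    marker = "SSL unknown certificate error "
    if marker not in line:
        return None
    code = int(line.split(marker, 1)[1].split()[0])
    return X509_VERIFY_ERRORS.get(code, f"unknown code {code}")

def crl_status(crl_output, now, warn_days=7):
    # The CRL window: outside it, verification with CRL checking fails (errors 11 / 12).
    fields = parse_fields(crl_output)
    last = parse_openssl_date(fields["lastUpdate"])
    nxt = parse_openssl_date(fields["nextUpdate"])
    if now < last:
        return "not_yet_valid"
    if now >= nxt:
        return "expired"
    return "expiring" if nxt - now < timedelta(days=warn_days) else "ok"

def first_expiry(cert_dates, crl_output):
    # Earliest deadline in the trust chain: each cert's notAfter vs. the CRL's nextUpdate.
    deadlines = [(parse_openssl_date(parse_fields(out)["notAfter"]), name + " notAfter")
                 for name, out in cert_dates.items()]
    deadlines.append((parse_openssl_date(parse_fields(crl_output)["nextUpdate"]), "CRL nextUpdate"))
    return min(deadlines)

# Dates from the post, in `openssl x509 -noout -dates` form, plus a constructed 30 day CRL.
CERT_DATES = {
    "ca.crt": "notBefore=Feb  2 16:51:56 2012 GMT\nnotAfter=Jan 30 16:51:56 2022 GMT\n",
    "client.crt": "notBefore=Feb  2 16:54:29 2012 GMT\nnotAfter=Jan 30 16:54:29 2022 GMT\n",
}
CRL_OUTPUT = "lastUpdate=Feb  2 16:56:00 2012 GMT\nnextUpdate=Mar  3 16:56:00 2012 GMT\n"
```

With the constructed CRL, `first_expiry(CERT_DATES, CRL_OUTPUT)` names the CRL's nextUpdate as the first deadline, a month after issuance rather than ten years; running `crl_status` against the real CRL from a cron job gives warning before that point.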