I've been debugging an issue with some versions of Firefox failing to
accept the forged certificate generated by squid when bumping some self
signed certs. Firefox gives me the very generic error:
"Certificate extension value is invalid. (Error code:
sec_error_extension_value_invalid)"
No real indication about what it's complaining about, so I've retrieved
the certificates and compared them. The only differences to note are
that the original certificate claims to be version 3 whilst the forged
cert is version 1. They have X.509v3 extensions, which is a problem in
a version 1 certificate.
It appears that Squid simply isn't copying the version number across
when generating the certificate. The attached patch copies the version
from mimicCert and fixes my Firefox problem.
It looks like the version is specifically set when a subjectAltName is
present - I suspect that can be removed, but I've left it for now since
it won't do any harm.
--
Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messenger: xmpp:steve_at_opendium.com
Email: steve_at_opendium.com
Phone: sip:steve_at_opendium.com

Sales / enquiries contacts:
Email: sales_at_opendium.com
Phone: +44-844-9791439 / sip:sales_at_opendium.com

Support contacts:
Email: support_at_opendium.com
Phone: +44-844-4844916 / sip:support_at_opendium.com
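To confirm the mismatch this message describes on a certificate you have captured (version 1 declared, yet X.509v3 extensions present), here is an added checker that is not part of the message or of Squid. It walks the DER structure of a certificate, reads the version field (absent means v1) and flags extensions in anything other than a v3 certificate; the two sample certificates at the bottom are constructed stand-ins with placeholder fields, not real certificates.

```python
# Minimal DER TLV walker: enough to read the X.509 version and spot extensions.

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (single-byte tags)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def check_x509_version(cert_der):
    """Return (version, has_extensions, consistent) for a DER certificate.
    version is 1-based; [3] EXPLICIT extensions are only legal in a v3 certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    tbs_tag, tbs = next(_children(cert))          # tbsCertificate comes first
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    version, has_ext = 1, False                   # version DEFAULT v1 when [0] absent
    for tag, value in _children(tbs):
        if tag == 0xA0:                           # [0] EXPLICIT Version INTEGER
            _, v, _ = _read_tlv(value, 0)
            version = int.from_bytes(v, "big") + 1
        elif tag == 0xA3:                         # [3] EXPLICIT Extensions
            has_ext = True
    return version, has_ext, (not has_ext) or version == 3

def _der(tag, body):
    """Short-form DER encoder for the constructed samples below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed stand-ins: serial plus empty placeholders for the fields the checker skips,
# and a single basicConstraints (OID 2.5.29.19) extension with an empty SEQUENCE body.
_FILLER = _der(0x02, b"\x01") + _der(0x30, b"") * 5
_EXTS = _der(0xA3, _der(0x30, _der(0x30, _der(0x06, b"\x55\x1d\x13") + _der(0x04, b"\x30\x00"))))
_TAIL = _der(0x30, b"") + _der(0x03, b"\x00")      # signatureAlgorithm, signatureValue
GOOD_V3 = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _FILLER + _EXTS) + _TAIL)
BAD_V1 = _der(0x30, _der(0x30, _FILLER + _EXTS) + _TAIL)   # what the forged cert looked like
```

For a real certificate, read the DER bytes from the file (or convert PEM with `openssl x509 -outform DER`) and pass them to `check_x509_version`; a `False` third value is the condition Firefox rejects.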
This archive was generated by hypermail 2.2.0 : Wed Aug 20 2014 - 12:00:14 MDT