[Patch] ssl_bump X.509 version mismatch

From: Steve Hill <steve_at_opendium.com>
Date: Wed, 20 Aug 2014 14:50:54 +0100

I've been debugging an issue with some versions of Firefox failing to
accept the forged certificate generated by Squid when bumping some
self-signed certs. Firefox gives me the very generic error:

"Certificate extension value is invalid. (Error code:
sec_error_extension_value_invalid)"

No real indication about what it's complaining about, so I've retrieved
the certificates and compared them. The only difference to note is
that the original certificate claims to be version 3 whilst the forged
cert is version 1. They have X.509v3 extensions, which is a problem in
a version 1 certificate.

It appears that Squid simply isn't copying the version number across
when generating the certificate. The attached patch copies the version
from mimicCert and fixes my Firefox problem.

It looks like the version is specifically set when a subjectAltName is
present - I suspect that can be removed, but I've left it for now since
it won't do any harm.

-- 
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com
Direct contacts:
   Instant messenger: xmpp:steve_at_opendium.com
   Email:            steve_at_opendium.com
   Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
   Email:            sales_at_opendium.com
   Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
   Email:            support_at_opendium.com
   Phone:            +44-844-4844916 / sip:support_at_opendium.com
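The mismatch Steve describes can be reproduced and checked without any TLS library. The block below is an added example, not part of the message above and not Squid's ssl_bump code: a stdlib-only DER walker that reads a certificate's TBSCertificate, recovers the version from the optional [0] field (absent means v1) and reports whether a [3] extensions field is present; RFC 5280 section 4.1.2.9 allows extensions only in v3, which is the rule the mis-forged certificate breaks. The minimal certificate builder, the BasicConstraints sample extension, the empty Names and the placeholder key and signature bytes are constructed for the example, and `build_cert`, `forge_mimic` and `violates_rfc5280` are illustrative names, not Squid functions. `forge_mimic(..., copy_version=False)` models the pre-patch behaviour (extensions copied, version left at the v1 default); `copy_version=True` models the patched behaviour.

```python
# Added example: a stdlib-only DER walker that reproduces the X.509 version /
# extensions mismatch. build_cert, forge_mimic and violates_rfc5280 are
# illustrative names for this example, not Squid's ssl_bump code.

SEQUENCE, INTEGER, OID, NULL, BITSTR, OCTSTR, UTCTIME = 0x30, 0x02, 0x06, 0x05, 0x03, 0x04, 0x17
CTX_VERSION, CTX_EXTENSIONS = 0xA0, 0xA3   # [0] EXPLICIT version, [3] EXPLICIT extensions


def der(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value):
    """Non-negative INTEGER; the +8 keeps a leading 0x00 when the top bit is set."""
    return der(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def iter_tlv(buf):
    """Yield (tag, value) for each TLV in a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


# Constructed sample: one non-critical BasicConstraints (2.5.29.19) extension
# whose value is an empty SEQUENCE, i.e. cA takes its DEFAULT of FALSE.
SAMPLE_EXTENSIONS = der(SEQUENCE, der(SEQUENCE, der(OID, bytes.fromhex("551d13"))
                                      + der(OCTSTR, der(SEQUENCE, b""))))
# sha256WithRSAEncryption AlgorithmIdentifier (1.2.840.113549.1.1.11, NULL params)
SHA256_RSA = der(SEQUENCE, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))


def build_cert(version, extensions=None):
    """Minimal Certificate DER. Names are empty and the key/signature bytes are
    placeholders (constructed for the example); only the TBS layout matters here."""
    fields = []
    if version != 1:                       # v1 is the DEFAULT and must be omitted
        fields.append(der(CTX_VERSION, der_int(version - 1)))
    fields.append(der_int(4242))           # serialNumber
    fields.append(SHA256_RSA)              # signature AlgorithmIdentifier
    fields.append(der(SEQUENCE, b""))      # issuer (empty Name)
    fields.append(der(SEQUENCE, der(UTCTIME, b"140820000000Z")
                      + der(UTCTIME, b"150820000000Z")))
    fields.append(der(SEQUENCE, b""))      # subject (empty Name)
    fields.append(der(SEQUENCE, SHA256_RSA + der(BITSTR, b"\x00")))  # placeholder SPKI
    if extensions is not None:
        fields.append(der(CTX_EXTENSIONS, extensions))
    tbs = der(SEQUENCE, b"".join(fields))
    return der(SEQUENCE, tbs + SHA256_RSA + der(BITSTR, b"\x00"))    # placeholder sig


def tbs_fields(cert_der):
    """Return the TLVs of the TBSCertificate inside a Certificate."""
    tag, body, _ = read_tlv(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = read_tlv(body)
    return list(iter_tlv(tbs))


def version_and_extensions(cert_der):
    """Return (X.509 version as 1/2/3, whether a [3] extensions field is present)."""
    fields = tbs_fields(cert_der)
    version = 1                            # absent [0] field means DEFAULT v1(0)
    if fields and fields[0][0] == CTX_VERSION:
        _, vbytes, _ = read_tlv(fields[0][1])
        version = int.from_bytes(vbytes, "big") + 1
    return version, any(tag == CTX_EXTENSIONS for tag, _ in fields)


def violates_rfc5280(cert_der):
    """RFC 5280 4.1.2.9: extensions MUST only appear if version is 3."""
    version, has_ext = version_and_extensions(cert_der)
    return has_ext and version != 3


def forge_mimic(original_der, copy_version):
    """Copy the original's extensions; copy its version only when asked.
    copy_version=False models the pre-patch behaviour (version left at v1)."""
    fields = tbs_fields(original_der)
    version, _ = version_and_extensions(original_der)
    ext = next((v for t, v in fields if t == CTX_EXTENSIONS), None)
    return build_cert(version if copy_version else 1, ext)


if __name__ == "__main__":
    original = build_cert(3, SAMPLE_EXTENSIONS)
    for label, forged in (("without", forge_mimic(original, False)),
                          ("with", forge_mimic(original, True))):
        print(label, "version copy:", version_and_extensions(forged),
              "violates RFC 5280:", violates_rfc5280(forged))
```

Run against a real DER file, `violates_rfc5280(open(path, "rb").read())` is a quick way to tell whether a browser's generic "extension value is invalid" complaint is really this version problem before digging into individual extensions; the same walker also exposes the case the mail notes, where a version is only set when a subjectAltName is present, since any extension at all, not just SAN, requires v3.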

Received on Wed Aug 20 2014 - 13:51:04 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 20 2014 - 12:00:14 MDT