[squid-users] security.use_mozillapkix_verification and squid ssl bump

From: Amm <ammdispose-squid_at_yahoo.com>
Date: Sat, 02 Aug 2014 13:12:24 +0530

Hello,

A recent version of Firefox made some changes to certificate verification.

See here:
https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification

After this, many SSL-bumped sites are showing a verification error.

An error occurred during a connection to s-static.ak.facebook.com.
Certificate extension value is invalid.
(Error code: sec_error_extension_value_invalid)

Examples:
Facebook = https://s-static.ak.facebook.com/
Hotmail = https://sc.imp.live.com

Those sites work without SSL bumping.

Currently it can be fixed by changing:
security.use_mozillapkix_verification to false in Firefox.

As per Mozilla this will become always true from FF 33.

There is a bug report at Mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973

But I doubt this actually is a bug, but rather a future security feature.

Can anything be done in Squid to allow the above?
i.e. allow it to work regardless of the value of mozillapkix

Thanks and regards,

Amm
Received on Sat Aug 02 2014 - 07:42:36 MDT