Certificate sha256

bcpereiraa

Dear,

I received an error in the browser due to Certificate squid be sha1. My certificate is sha256 and even then the squid is as sha1, there is a bug?

erro.png_thumb

KOM

Did you look up the cert chain to see exactly which certificate has SHA-1? How are you running squid, in transparent mode with a pfSense certificate installed in your web browser?

bcpereiraa

Thanks for answering,

I am using squid in transparent mode. the certificate is trusted in my certification authority.

KOM

One of your intermediary certs might using SHA-1. I had a similar issue last week where the Server CA given to me by my authority had an older cert. When I used their entire certificate bundle instead of just the server cert, it started working again.

bcpereiraa

Weird. Look how is my certificate after signing. *Attach

I checked in my CA root and everything with SHA256. the problem occurs when the squid uses. it would not be a limitation to enable or something?

cert.png_thumb

KOM

You have to check every certificate in the chain. See my image. Click on each certificate in the chain and check their details for SHA-1. In my example, the middle certificate was SHA-1 until I replaced that cert with an updated bundle cert.

cert.png_thumb

bcpereiraa

also checked and is sha256; :-\

bcpereiraa

Very strange!

When you open the site looks like is attach *sitecert.png
When I go in certification path attach * site-path

sitecert.png_thumb

site-path.png_thumb

doktornotor

@bcpereiraa:

also checked and is sha256; :-\

You need to check the topmost (root) one as well. Then go and get the updated cert bundle from them.

bcpereiraa

Everything is updated. The certificate is already signed as sha256 only when going pro squid it comes out as sha128. :'(

S. Kirschner

You could try the squid option "sslproxy_cert_sign_hash",

I dont know actually if squid 3.4.10 support sha256 or higher.

Maybe its possible with the squid version 3.5.3 or higher.

bcpereiraa

@S.:

You could try the squid option "sslproxy_cert_sign_hash",

I dont know actually if squid 3.4.10 support sha256 or higher.

Maybe its possible with the squid version 3.5.3 or higher.

It is fixed from Version: 3.5.0.1 (Squid)

You can update the squid pfsense?

bcpereiraa

I found the new version of squid in pfsense repository.

https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi

How do I get the packages install this?

musicwizard

i only see
beta 0.2.8
platform: 2.2
how do i know which version of squid3 this is? And how do you see if there is a update for a package?

doktornotor

@musicwizard:

how do i know which version of squid3 this is?

https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.10.xml#L1046

@musicwizard:

And how do you see if there is a update for a package?

System - Packages.

Regarding this "issue" - fascinating. You people break all encryption by the SSL bump brainfart, and then are concerned about SHA1. facepalm

Stop hijacking SSL and you won't have any such issue! ::) ::) ::)

S. Kirschner

Yes its the version 3.4.10 available in the public Package Repository.

If you would like to install the squid-3.5.3-… from the pfsense files then you have to "build" your own Custom Package Repository and manipulate the "pkg_config.10.xml".

But be carefull, dont try it in a live environment. Also please read about "peak and splice" on the squid homepage.

Here is the link to Creating a Custom Package Repository https://doc.pfsense.org/index.php/Creating_a_Custom_Package_Repository

edit:

BTW you could see the version of installed squid version by enabling ssh , and connect via ssh to your pfsense server and type squid -v. Then you see the build options and version number.