Certificate sha256
-
Dear,
I received an error in the browser because the Squid certificate is sha1. My certificate is sha256, and even then the Squid one comes out as sha1. Is there a bug?
-
Did you look up the cert chain to see exactly which certificate has SHA-1? How are you running squid, in transparent mode with a pfSense certificate installed in your web browser?
-
Thanks for answering,
I am using Squid in transparent mode. The certificate is trusted in my certification authority.
-
One of your intermediary certs might be using SHA-1. I had a similar issue last week where the Server CA given to me by my authority had an older cert. When I used their entire certificate bundle instead of just the server cert, it started working again.
-
Weird. Look at how my certificate is after signing. (attachment)
I checked in my CA root and everything is SHA256. The problem occurs when Squid uses it. Wouldn't it be a limitation, or something to enable?
-
You have to check every certificate in the chain. See my image. Click on each certificate in the chain and check their details for SHA-1. In my example, the middle certificate was SHA-1 until I replaced that cert with an updated bundle cert.
-
Also checked, and it is sha256. :-\
-
Very strange!
When you open the site, it looks like the attachment *sitecert.png
When I go to the certification path, see the attachment *site-path
-
Also checked, and it is sha256. :-\
You need to check the topmost (root) one as well. Then go and get the updated cert bundle from them.
-
Everything is updated. The certificate is already signed as sha256; only when it goes to Squid does it come out as sha128. :'(
-
You could try the squid option "sslproxy_cert_sign_hash".
I don't actually know if squid 3.4.10 supports sha256 or higher.
Maybe it's possible with squid version 3.5.3 or higher.
-
@S.:
You could try the squid option "sslproxy_cert_sign_hash".
I don't actually know if squid 3.4.10 supports sha256 or higher.
Maybe it's possible with squid version 3.5.3 or higher.
It is fixed as of version 3.5.0.1 (Squid).
Can you update Squid on pfSense?
-
I found the new version of squid in pfsense repository.
https://files.pfsense.org/packages/10/All/squid-3.5.3-amd64.pbi
How do I install this package?
-
I only see
beta 0.2.8
platform: 2.2
How do I know which version of squid3 this is? And how do you see if there is an update for a package?
-
How do I know which version of squid3 this is?
https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.10.xml#L1046
And how do you see if there is an update for a package?
System - Packages.
Regarding this "issue" - fascinating. You people break all encryption by the SSL bump brainfart, and then are concerned about SHA1. facepalm
Stop hijacking SSL and you won't have any such issue! ::) ::) ::)
-
Yes, it's version 3.4.10 that is available in the public Package Repository.
If you would like to install the squid-3.5.3-… from the pfsense files, then you have to "build" your own Custom Package Repository and manipulate the "pkg_config.10.xml".
But be careful, don't try it in a live environment. Also, please read about "peek and splice" on the squid homepage.
Here is the link to Creating a Custom Package Repository https://doc.pfsense.org/index.php/Creating_a_Custom_Package_Repository
edit:
BTW, you can see the version of the installed squid by enabling ssh, connecting via ssh to your pfsense server and typing squid -v. Then you see the build options and version number.