Bug #7524
Status: closed
Squid MITM/SSL-Bump broken with Chrome due to missing SAN in generated certificates
Description
Upstream bug: http://bugs.squid-cache.org/show_bug.cgi?id=4711
Also, there were multiple other SSL-Bump fixes in 3.5.25 http://lists.squid-cache.org/pipermail/squid-announce/2017-April/000073.html so it'd be desirable to get the latest >=3.5.25 Squid into pfSense as soon as this issue gets fixed in FreeBSD.
Updated by Patricio Stegmann over 7 years ago
Kill Bill wrote:
Upstream bug: http://bugs.squid-cache.org/show_bug.cgi?id=4711
Also, there were multiple other SSL-Bump fixes in 3.5.25 http://lists.squid-cache.org/pipermail/squid-announce/2017-April/000073.html so it'd be desirable to get the latest >=3.5.25 Squid into pfSense as soon as this issue gets fixed in FreeBSD.
I can confirm the bug in pfSense 2.3.4 and the fix on squid issue tracker at http://bugs.squid-cache.org/show_bug.cgi?id=4711 working on >=3.5 ... Hope this gets applied to pfSense soon as it seems quite a simple fix.
Updated by Kill Bill over 7 years ago
Patricio Stegmann wrote:
I can confirm the bug in pfSense 2.3.4 and the fix on squid issue tracker at http://bugs.squid-cache.org/show_bug.cgi?id=4711 working on >=3.5 ... Hope this gets applied to pfSense soon as it seems quite a simple fix.
Perhaps file a bug at https://bugs.freebsd.org/ instead. Apparently no one cares there so there's nothing to apply on pfSense.
Updated by ryon m over 7 years ago
Looks like the Squid developers are getting ready to push v3.5.26, which appears to have a fix for bug 4711:
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_26.html
Just need to wait for this release to get to the FreeBSD ports.
Updated by Patricio Stegmann over 7 years ago
ryon m wrote:
Looks like the Squid developers are getting ready to push v3.5.26, which appears to have a fix for bug 4711:
http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_26.html
Just need to wait for this release to get to the FreeBSD ports.
Done! https://www.freshports.org/www/squid/ updated to 3.5.26! Hope it gets updated soon :)
Updated by Jim Pingle over 7 years ago
- Assignee set to Renato Botelho
We should be able to pull that in unless there is something I'm not seeing. Assigning to Renato to check it over.
Updated by Kill Bill over 7 years ago
Jim Pingle wrote:
We should be able to pull that in unless there is something I'm not seeing. Assigning to Renato to check it over.
Thanks, would really help.
Updated by Jim Pingle over 7 years ago
- Assignee changed from Renato Botelho to Jim Pingle
I'm getting 3.5.26 pulled into the package branches right now; it should be building and up soon.
Updated by Jim Pingle over 7 years ago
Packages are up for 2.4 and 2.3.4; 2.3.x snapshots will be up next time a snapshot runs. Test and let us know if it is working now.
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Resolved
This works for me now. I can browse secure sites through squid HTTPS MITM with Chrome and there are no certificate errors. Inspecting the certificate shows it has proper SANs filled in now, too.
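A way to script the check described in the last comment, as an added example that is not part of this ticket or of Squid or pfSense: it takes a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()` and classifies it by subjectAltName alone, never falling back to the subject commonName. The function names and both sample certificates are constructed for illustration.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad wildcards such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def _same_ip(value: str, ip) -> bool:
    """Compare an iPAddress SAN entry with the target; malformed entries never match."""
    try:
        return ipaddress.ip_address(value.strip()) == ip
    except ValueError:
        return False

def san_status(cert: dict, host: str) -> str:
    """Return 'ok', 'no-san' (the symptom in this bug) or 'san-mismatch'.

    The subject commonName is deliberately never consulted.
    """
    sans = cert.get("subjectAltName", ())
    if not sans:
        return "no-san"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    for kind, value in sans:
        if ip is not None and kind == "IP Address" and _same_ip(value, ip):
            return "ok"
        if ip is None and kind == "DNS" and _dns_match(value, host):
            return "ok"
    return "san-mismatch"

# Constructed samples (not captured from a real proxy).
CERT_WITHOUT_SAN = {"subject": ((("commonName", "www.example.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}

if __name__ == "__main__":
    for name, cert in (("without SAN", CERT_WITHOUT_SAN), ("with SAN", CERT_WITH_SAN)):
        print(name, "->", san_status(cert, "www.example.com"))
```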