Bug #7524

closed

Squid MITM/SSL-Bump broken with Chrome due to missing SAN in generated certificates

Added by Kill Bill over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Very High
Assignee:
Category: Squid
Target version: -
Start date: 05/06/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture: All

Description

Upstream bug: http://bugs.squid-cache.org/show_bug.cgi?id=4711

Also, there were multiple other SSL-Bump fixes in 3.5.25 http://lists.squid-cache.org/pipermail/squid-announce/2017-April/000073.html so it'd be desirable to get the latest >=3.5.25 Squid into pfSense as soon as this issue gets fixed in FreeBSD.

Actions #1

Updated by Patricio Stegmann over 7 years ago

Kill Bill wrote:

Upstream bug: http://bugs.squid-cache.org/show_bug.cgi?id=4711

Also, there were multiple other SSL-Bump fixes in 3.5.25 http://lists.squid-cache.org/pipermail/squid-announce/2017-April/000073.html so it'd be desirable to get the latest >=3.5.25 Squid into pfSense as soon as this issue gets fixed in FreeBSD.

I can confirm the bug in pfSense 2.3.4 and the fix on squid issue tracker at http://bugs.squid-cache.org/show_bug.cgi?id=4711 working on >=3.5 ... Hope this gets applied to pfSense soon as it seems quite a simple fix.

Actions #2

Updated by Kill Bill over 7 years ago

Patricio Stegmann wrote:

I can confirm the bug in pfSense 2.3.4 and the fix on squid issue tracker at http://bugs.squid-cache.org/show_bug.cgi?id=4711 working on >=3.5 ... Hope this gets applied to pfSense soon as it seems quite a simple fix.

Perhaps file a bug at https://bugs.freebsd.org/ instead. Apparently no one cares there so there's nothing to apply on pfSense.

Actions #3

Updated by ryon m over 7 years ago

Looks like the Squid developers are getting ready to push v3.5.26, which appears to have a fix for bug 4711:

http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_26.html

Just need to wait for this release to get to the FreeBSD ports.

Actions #4

Updated by Patricio Stegmann over 7 years ago

ryon m wrote:

Looks like the Squid developers are getting ready to push v3.5.26, which appears to have a fix for bug 4711:

http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_26.html

Just need to wait for this release to get to the FreeBSD ports.

Done! https://www.freshports.org/www/squid/ updated to 3.5.26! Hope it gets updated soon :)

Actions #5

Updated by Jim Pingle over 7 years ago

  • Assignee set to Renato Botelho

We should be able to pull that in unless there is something I'm not seeing. Assigning to Renato to check it over.

Actions #6

Updated by Kill Bill over 7 years ago

Jim Pingle wrote:

We should be able to pull that in unless there is something I'm not seeing. Assigning to Renato to check it over.

Thanks, would really help.

Actions #7

Updated by Jim Pingle over 7 years ago

  • Assignee changed from Renato Botelho to Jim Pingle

I'm getting 3.5.26 pulled into the package branches right now, should be building and up soon.

Actions #8

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Feedback
Actions #9

Updated by Jim Pingle over 7 years ago

Packages are up for 2.4 and 2.3.4, 2.3.x snapshots will be up next time a snapshot runs. Test and let us know if it is working now.

Actions #10

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved

This works for me now. I can browse secure sites through squid HTTPS MITM with Chrome and there are no certificate errors. Inspecting the certificate shows it has proper SANs filled in now, too.
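
The check described in the comment above (inspecting the generated certificate for SANs) can be scripted. The following is an added example, not part of the original thread or of the pfSense or Squid projects; it assumes the `openssl` CLI (1.1.1 or later for `-addext`), and the host name `www.example.test`, the file names and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a PEM certificate lists a host in
# subjectAltName. Host and file names are constructed samples.

# Print the DNS entries of the certificate's subjectAltName, one per line.
# Prints nothing when the extension is absent.
san_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^ *DNS://p'
}

# Succeed only if the host appears as a DNS SAN entry (exact, case-insensitive
# match; wildcard entries are not expanded here). The subject CN is ignored
# on purpose.
cert_has_san_for() {
    san_dns_names "$1" | grep -qixF -- "$2"
}

# Build two throwaway self-signed certificates for the same name: one with
# only a CN and one that also carries a SAN (-addext needs OpenSSL 1.1.1+).
make_sample_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$1/key.pem" -out "$1/cn_only.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test" \
        -keyout "$1/key.pem" -out "$1/with_san.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
if make_sample_certs "$demo_dir"; then
    for cert in cn_only.pem with_san.pem; do
        if cert_has_san_for "$demo_dir/$cert" www.example.test; then
            echo "$cert: SAN covers www.example.test"
        else
            echo "$cert: no matching SAN, only the CN names the host"
        fi
    done
fi
rm -rf "$demo_dir"
```

To run the same check against a certificate the proxy actually generated, save it as PEM first and pass that file to `cert_has_san_for`.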

Actions #11

Updated by Jim Pingle over 7 years ago

  • Target version deleted (2.3.4-p1)