squid 3.3.8 serves duplicate certificates

Bug #1744184 reported by Haw Loeung
This bug affects 1 person
Affects: Squid; Status: Unknown; Importance: Unknown
Affects: squid3 (Ubuntu); Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned
Affects: Trusty; Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned

Bug Description

Hi,

It seems squid 3.3.8 packaged in Trusty has a bug that serves the certificate twice. This is shown below:

OpenSSL:

| [hloeung@dharkan tmp]$ echo "" | openssl s_client -connect assets.ubuntu.com:443 -CApath /etc/ssl -servername assets.ubuntu.com
| CONNECTED(00000003)
| depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
| verify return:1
| depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
| verify return:1
| depth=0 C = GB, L = London, O = Canonical Group Ltd, OU = IS, CN = assets.ubuntu.com
| verify return:1
| ---
| Certificate chain
| 0 s:/C=GB/L=London/O=Canonical Group Ltd/OU=IS/CN=assets.ubuntu.com
| i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
| 1 s:/C=GB/L=London/O=Canonical Group Ltd/OU=IS/CN=assets.ubuntu.com
| i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
| 2 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
| i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
| ---

GnuTLS:

| [hloeung@dharkan tmp]$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt assets.ubuntu.com
| ...
| - Certificate[0] info:
| - subject `CN=assets.ubuntu.com,OU=IS,O=Canonical Group Ltd,L=London,C=GB', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x027cadfb20a3e4c9b6371b023b0e8e35, ...
| - Certificate[1] info:
| - subject `CN=assets.ubuntu.com,OU=IS,O=Canonical Group Ltd,L=London,C=GB', issuer `CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', serial 0x027cadfb20a3e4c9b6371b023b0e8e35, ...

This is fixed in upstream squid 3.3.9 per changelog[1] below:

Changes to squid-3.3.9 (11 Sep 2013):
 - Bug 3849: Duplicate certificate sent when using https_port

Any chance we could get this fix backported?

Thanks,

Haw

[1]http://www.squid-cache.org/Versions/v3/3.3/ChangeLog.txt
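
A way to check a served chain for the duplication reported above, as an added example that is not part of the original report or of Squid: it hashes every PEM block in `openssl s_client -showcerts` output and reports certificates that are byte-identical to an earlier one. The function names and the sample chain are constructed for illustration; the sample blocks are placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def chain_fingerprints(text):
    """SHA-256 of each certificate's DER bytes, in the order the server sent them."""
    prints = []
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def find_duplicates(text):
    """Return (position, first_position) for each certificate repeating an earlier one."""
    seen = {}
    dups = []
    for pos, fp in enumerate(chain_fingerprints(text)):
        if fp in seen:
            dups.append((pos, seen[fp]))
        else:
            seen[fp] = pos
    return dups

def _pem(raw):
    # Constructed stand-in for a certificate: arbitrary bytes in a PEM wrapper.
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

LEAF = _pem(b"constructed leaf bytes")
INTERMEDIATE = _pem(b"constructed intermediate bytes")
# Constructed sample shaped like the chain in the report: leaf, leaf again, intermediate.
SAMPLE_BAD = " 0 s:leaf\n" + LEAF + " 1 s:leaf\n" + LEAF + " 2 s:ca\n" + INTERMEDIATE
SAMPLE_OK = " 0 s:leaf\n" + LEAF + " 1 s:ca\n" + INTERMEDIATE

if __name__ == "__main__":
    # Real use (script name is hypothetical):
    #   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null | python3 chaindup.py
    text = SAMPLE_BAD if sys.stdin.isatty() else sys.stdin.read()
    for pos, first in find_duplicates(text):
        print(f"certificate {pos} is byte-identical to certificate {first}")
```

Comparing DER hashes rather than subject and issuer lines avoids flagging a renewed certificate that reuses the same names.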

Haw Loeung (hloeung) wrote :
Amos Jeffries (yadi) wrote :

The official package in Trusty does not contain OpenSSL support. This bug can only happen in unofficial custom builds of Squid.

As noted in the ChangeLog, upstream has a patch available that such builds can use. And Trusty has been superseded by other Ubuntu versions containing that patch.

Also please be aware the OpenSSL related code in Squid has been very volatile since 3.2. Best practice for custom builds is to use the latest upstream code instead of rebuilding possibly outdated distro packages.

IMO this bug should be closed since it does not actually affect official Ubuntu packages.

Haw Loeung (hloeung)
Changed in squid3 (Ubuntu):
status: New → Won't Fix
Changed in squid3 (Ubuntu Trusty):
status: New → Won't Fix