[Privoxy-users] Why fail to open secure connection to the client incidentally, and what's the proper cleaning strategy for the generated certificates?

Fabian Keil fk at fabiankeil.de
Mon Mar 15 14:56:19 UTC 2021


Miles Wen <miles.wy.1 at gmail.com> wrote on 2021-03-15:

> I'm using privoxy v3.0.32 on macosx v10.15.6 catalina. With https
> inspection on.
[...]
> I incidentally get some error logs like this:
> 
> > 2021-03-15 10:07:44.978 7f863fa1f700 Error: The TLS/SSL handshake with the client failed: error:1408F09C:SSL routines:ssl3_get_record:http request
> > 2021-03-15 10:07:44.978 7f863fa1f700 Error: Failed to open a secure connection with the client
 
> Anybody have ideas about this error msg?

Do you know which client is causing the messages?
Has the client been configured to accept Privoxy's CA certificate?

> As long as I'm using https inspection, I wrote a program to delete the
> generated certificate files older than 11 hours. But I don't know if this
> is the best cleaning strategy.

The best cleaning strategy depends on your goals.

How did you choose 11 hours?

> I also get some errors like this:
> 
> > 2021-03-15 10:10:07.260 7f86209e1700 Error: X509 subject name (code: CN, val: only-d-pmjr9f4mclevwwl2mwckreicm8k1afzk-1615774207025.nstool.netease.com) error: error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long

> Are these errors related to my certificates cleaning? What's next I can
> do to try to fix it?

Thanks for the report.

Apparently OpenSSL does not accept common names longer than 64 characters.
This should be fixed in git master now:
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=7fb2856b4d81f1a6c63054cc8a002b9aa3a5fb69

Fabian
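
The 64-character limit mentioned in the message above, as an added example that is not part of the original message and is not the code from the linked commit: the host name in the quoted error is 72 characters long, so it cannot be used as a CN as-is. The helper name `plan_common_name` is hypothetical, and the example assumes the full host name is carried in subjectAltName whenever the CN has to be shortened.

```c
#include <stdio.h>
#include <string.h>

/* ub-common-name from RFC 5280; OpenSSL applies the same bound to CN. */
#define UB_COMMON_NAME 64

/*
 * plan_common_name() is a hypothetical helper, not a Privoxy function.
 * It writes a CN of at most 64 characters for host into cn.
 * Returns 0 if host fits unchanged, 1 if it was shortened (the full
 * name then has to be carried in subjectAltName), -1 on bad input.
 */
int plan_common_name(const char *host, char *cn, size_t cn_size)
{
    size_t len;

    if (host == NULL || cn == NULL || cn_size <= UB_COMMON_NAME)
        return -1;
    len = strlen(host);
    if (len == 0)
        return -1;
    if (len <= UB_COMMON_NAME) {
        memcpy(cn, host, len + 1);
        return 0;
    }
    memcpy(cn, host, UB_COMMON_NAME);
    len = UB_COMMON_NAME;
    cn[len] = '\0';
    /* Avoid ending the shortened CN on a label separator. */
    while (len > 1 && cn[len - 1] == '.')
        cn[--len] = '\0';
    return 1;
}

int main(void)
{
    /* Host name taken from the error message quoted in the report. */
    const char *host = "only-d-pmjr9f4mclevwwl2mwckreicm8k1afzk-"
                       "1615774207025.nstool.netease.com";
    char cn[UB_COMMON_NAME + 1];
    int rc = plan_common_name(host, cn, sizeof cn);

    printf("host length %zu, rc %d, CN length %zu\n",
           strlen(host), rc, strlen(cn));
    return 0;
}
```

A shortened CN is no longer the host name, so it only serves as a label; a client that validates the certificate has to match the full name from subjectAltName.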