[Privoxy-users] Why fail to open secure connection to the client incidentally, and what's the proper cleaning strategy for the generated certificates?
Wen Yue
miles.wy.1 at gmail.com
Wed Mar 17 03:26:39 UTC 2021
Hi Fabian,
> Do you know which client is causing the messages?
> Has the client been configured to accept Privoxy's CA certificate?
>
I'm using Google Chrome v89.0.4389.82 (x86_64) on macOS v10.15.6 Catalina.
The browser is configured to run in '--ignore-certificate-errors' mode
so it accepts all the certs generated by Privoxy.
I re-checked these log messages today; there's nothing severe about the client
connection but this one:
> 2021-03-16 22:36:07.730 7f45887d0700 Error: X509 PEM cert len 16694 is
> larger than buffer len 16383
> 2021-03-16 22:36:19.148 7f47bbfff700 Error: X509 PEM cert len 16694 is
> larger than buffer len 16383
>
I've no idea what happened.
And this one:
> 2021-03-16 22:35:39.682 7f459e7fc700 Error: A website key already exists
> but there's no matching certificate. Removing
> /tmp/privoxyTmp/certGen/3094d58afb18197cbc2b403c036290ea.pem before
> creating a new key and certificate.
Is this message related to my certificate-cleaning strategy? Looks like
something is deleted when required.
> The best cleaning strategy depends on your goals.
>
> How did you choose 11 hours?
>
The 11 hours strategy is arbitrary, I just 'feel' that would be okay. Could
you tell me which aspects need to be considered when defining the cleaning strategy?
Thank you.
On Mon, Mar 15, 2021 at 10:57 PM Fabian Keil <fk at fabiankeil.de> wrote:
> Miles Wen <miles.wy.1 at gmail.com> wrote on 2021-03-15:
>
> > I'm using privoxy v3.0.32 on macosx v10.15.6 catalina. With https
> > inspection on.
> [...]
> > I incidentally get some error logs like this:
> >
> > > 2021-03-15 10:07:44.978 7f863fa1f700 Error: The TLS/SSL handshake with
> > > the client failed: error:1408F09C:SSL routines:ssl3_get_record:http
> > > request
> > > 2021-03-15 10:07:44.978 7f863fa1f700 Error: Failed to open a
> > > secure connection with the client
>
> > Anybody have ideas about this error msg?
>
> Do you know which client is causing the messages?
> Has the client been configured to accept Privoxy's CA certificate?
>
> > As long as I'm using https inspection, I wrote a program to delete the
> > generated certificate files older than 11 hours. But I don't know if this
> > is the best cleaning strategy.
>
> The best cleaning strategy depends on your goals.
>
> How did you choose 11 hours?
>
> > I also get some errors like this:
> >
> > > 2021-03-15 10:10:07.260 7f86209e1700 Error: X509 subject name (code:
> > > CN, val:
> > >
> > > only-d-pmjr9f4mclevwwl2mwckreicm8k1afzk-1615774207025.nstool.netease.com)
> > > error: error:0D07A097:asn1 encoding
> > > routines:ASN1_mbstring_ncopy:string too long
>
> > Are these errors related to my certificates cleaning? What's next I can
> > do to try to fix it?
>
> Thanks for the report.
>
> Apparently OpenSSL does not accept common names longer than 64 characters.
> This should be fixed in git master now:
>
> https://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff;h=7fb2856b4d81f1a6c63054cc8a002b9aa3a5fb69
>
> Fabian
>
--
Regards.
Wen Yue
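A pair-aware version of the age-based cleanup discussed in this thread, as an added example that is not part of the original messages and not Privoxy's own code. It assumes the website key is `<hash>.pem` (as in the log line above) and the matching certificate is `<hash>.crt` in the same directory; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

KEY_EXT = ".pem"   # assumption: website key file, as in the log line on this page
CERT_EXT = ".crt"  # assumption: matching website certificate file

def sweep(cert_dir, max_age_s, now=None):
    """Remove expired key/cert pairs as a unit; report keys with no certificate."""
    now = time.time() if now is None else now
    stems = {}
    for p in Path(cert_dir).iterdir():
        if p.is_file() and p.suffix in (KEY_EXT, CERT_EXT):
            stems.setdefault(p.stem, {})[p.suffix] = p
    removed, orphan_keys = [], []
    for stem, files in sorted(stems.items()):
        key, cert = files.get(KEY_EXT), files.get(CERT_EXT)
        if key and not cert:
            orphan_keys.append(stem)  # the state the proxy logs and repairs itself
            continue
        # Age the pair by its newest member so a pair is never split by age.
        newest = max(p.stat().st_mtime for p in files.values())
        if now - newest < max_age_s:
            continue
        # Certificate first: if interrupted, what remains is a key without a
        # certificate, which the log on this page shows being recovered from.
        for p in (cert, key):
            if p is not None:
                p.unlink(missing_ok=True)
        removed.append(stem)
    return removed, orphan_keys

def demo():
    """Constructed sample: one stale pair, one partly fresh pair, one orphaned key."""
    now = 1_700_000_000
    with tempfile.TemporaryDirectory() as d:
        for name, age_h in [("aaaa.pem", 12), ("aaaa.crt", 12), ("bbbb.pem", 12),
                            ("bbbb.crt", 1), ("cccc.pem", 20)]:
            p = Path(d, name)
            p.write_text("constructed placeholder\n")
            os.utime(p, (now - age_h * 3600,) * 2)
        removed, orphans = sweep(d, 11 * 3600, now=now)
        return removed, orphans, sorted(f.name for f in Path(d).iterdir())

if __name__ == "__main__":
    print(demo())
```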