Hi,
We have SLL inspection enabled on Web filtering and one of our Linux users gets that error message when downloading using curl
Proxy CA cert was generated this year so i don't know why it says it's too weak.
Can i just re-generate and re-deploy the cert to the endpoints?
Some info from the console:
$ curl https://dl-ssl.google.com/linux/linux_signing_key.pub
curl: (60) SSL certificate problem: EE certificate key too weak
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ curl -k -v https://dl-ssl.google.com/linux/linux_signing_key.pub
* Trying 74.125.193.190...
* TCP_NODELAY set
* Connected to dl-ssl.google.com (74.125.193.190) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=*.google.com
* start date: May 3 10:56:47 2018 GMT
* expire date: Jun 23 10:56:47 2021 GMT
* issuer: C=**; L=******; O=*****; CN=******* Proxy CA; emailAddress=***@*******.com
* SSL certificate verify result: EE certificate key too weak (66), continuing anyway.
> GET /linux/linux_signing_key.pub HTTP/1.1
> Host: dl-ssl.google.com
> User-Agent:
This thread was automatically locked due to age.
