On 28/11/2015 9:35 p.m., Christos Tsantilas wrote:
> Hi all,
> Sometimes the SSL servers do not send the full chain of intermediate
> certificates, but instead send a link where the client can download the
> intermediate certificates.
>
> Currently squid can not handle such cases. Measurement Factory built a
> patch which provides a workaround for this problem: Allow the users to
> build a database of intermediate certificates, which can be used by
> squid to complete certificate chains.
>
> Measurement Factory currently works to implement a full solution for
> this bug, a downloader for squid which will retrieve missing
> certificates from the net.
> However this solution may take some time to test and finish it.
>
> Is it OK to apply to trunk the workaround patch in bug 4305?

It touches the squid.conf UI so I would rather not at this point.

That said the problem it resolves is rather more important than preserving an arbitrary policy. So I am in agreement with it going in sooner rather than later provided it works as planned.

But please extend the squid.conf documentation to state that self-signed (aka root) certificates are not supported by the new option and will be ignored. They are ignored silently, so it needs to be stated somewhere to avoid confusion.

Amos
