On 11/29/2015 09:00 AM, Amos Jeffries wrote:
> On 28/11/2015 9:35 p.m., Christos Tsantilas wrote:
>> Hi all,
>> Sometimes SSL servers do not send the full chain of intermediate
>> certificates, but instead send a link from which the client can download the
>> intermediate certificates.
>> Currently squid cannot handle such cases. Measurement Factory built a
>> patch which provides a workaround for this problem: allow users to
>> build a database of intermediate certificates, which squid can use to
>> complete certificate chains.
>> Measurement Factory is currently working to implement a full solution for
>> this bug: a downloader for squid which will retrieve missing
>> certificates from the net.
>> However, this solution may take some time to finish and test.
>> Is it OK to apply the workaround patch from bug 4305 to trunk?
> It touches the squid.conf UI so I would rather not at this point.
> That said the problem it resolves is rather more important than
> preserving an arbitrary policy. So I am in agreement with it going in
> sooner rather than later provided it works as planned.

Does this mean that I should apply it to trunk?

> But please extend the squid.conf documentation to state that self-signed
> (aka root) certificates are not supported by the new option and will be
> ignored. They are ignored silently, so it needs to be stated somewhere
> to avoid confusion.

The new directive "sslproxy_untrusted_certs" is documented as
"Squid uses the intermediate certificates pre-loaded from the specified
file to validate origin server certificate chains. Squid receives many
incomplete chains (i.e., chains with intermediate certificates missing).
The file is expected to contain zero or more PEM-encoded intermediate
certificates. These certificates are not treated as trusted root
certificates."
Isn't the following sentence enough: "These certificates are not
treated as trusted root certificates."?
Moreover, the name of the new directive should make the purpose
of these certificates clear.
_______________________________________________
squid-dev mailing list
http://lists.squid-cache.org/listinfo/squid-dev