Hi,

I have worked out a simple fix for this bug 
http://bugs.squid-cache.org/show_bug.cgi?id=4337

To test, I’ve copied the code which adds the certificate to the chain from 
ConnStateData::getSslContextDone to ConnStateData::getSslContextStart inside 
the sslBump decision (if (sslServerBump && (sslServerBump->act.step1 == 
Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)))

Addition:

    // context of the client-facing SSL object being bumped
    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
    X509 *cert = port->signingCert.get();
    if (SSL_CTX_add_extra_chain_cert(ctx, cert)) {
        // SSL_CTX_add_extra_chain_cert() takes ownership without bumping the
        // reference count, so increase the certificate lock ourselves
        CRYPTO_add(&(cert->references), 1, CRYPTO_LOCK_X509);
    } else {
        const int ssl_error = ERR_get_error();
        debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
    }
    // also send any intermediate certificates configured for this port
    Ssl::addChainToSslContext(ctx, port->certsToChain.get());

There will be a better way of doing this (definitely one that doesn’t involve 
duplication of code), but it at least pinpoints the problem.

_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev
