Sorry for my original positive vote.
The patch does not handle the case where the crtd daemon is used.
I am suggesting to move the following block from
ConnStateData::getSslContextStart :
+
+ Security::ContextPtr ctx = SSL_get_SSL_CTX(ssl);
+ addSigningCertificatesToChain(ctx);
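Review bot: in the getSslContextStart lines, the context is recovered from an already-created ssl object with SSL_get_SSL_CTX(ssl) and passed straight to addSigningCertificatesToChain(ctx), with no check that ssl or ctx is non-null. Suggest guarding the call and adding a comment that says which bumping paths reach this point, so a path that does not go through here is easier to spot.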
to be inside ConnStateData::startPeekAndSplice() where the
Security::Context object is created:
auto unConfiguredCTX = Ssl::createSSLContext(port->signingCert,
port->signPkey, *port);
fd_table[clientConnection->fd].dynamicSslContext = unConfiguredCTX;
+ addSigningCertificatesToChain(unConfiguredCTX);
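Review bot: addSigningCertificatesToChain(unConfiguredCTX) is called without checking the result of Ssl::createSSLContext(), and only after the context has been stored in fd_table[clientConnection->fd].dynamicSslContext. If createSSLContext() can fail, test unConfiguredCTX before use; as a style point, adding the chain before the assignment keeps the stored context complete from the moment it becomes visible.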
I did not check it, so someone should check if my proposal works...

On 02/15/2016 12:07 PM, Christos Tsantilas wrote:
> +1
>
> On 02/10/2016 04:49 PM, Dave Lewthwaite wrote:
>> Hi,
>>
>> Please find attached a modified patch generated by the bzr process (it
>> seems this is a little different to using plain old diff).
>>
>> Code has passed all tests (test-builds.sh) and formatting checks
>> (source-maintenance.sh).
>>
>> Fix is to make sure that intermediate certificates for certificates
>> generated by squid during SSL bump are included when sent to the user
>> agent. Previously when performing peek or stare intermediate
>> certificates were not included. This addresses this bug specifically:
>> http://bugs.squid-cache.org/show_bug.cgi?id=4337.
>>
>> Thanks
>>
>> Dave Lewthwaite
>> Infrastructure Systems Architect, RealityMine