If there is not any objection, I will commit this patch to trunk.
On 10/21/2011 04:49 PM, Tsantilas Christos wrote:
SslBump code assumed that it is signing generated certificates with a root CA certificate. Root certificates are usually not sent along with the server certificates because clients must have them independently installed or built-in. Squid was not sending the signing certificate.

In many environments, Squid signing certificate is intermediate (i.e., it belongs to a non-root CA). If Squid does not send that intermediate signing certificate with the generated one, the client will not be able to establish a complete chain of trust from the generated fake to the root CA certificate, leading to errors.

With this change, Squid may send the signing certificate (along with the generated one) using the following rules:

* If the configured signing certificate is self-signed, then just send the generated certificate alone. Note that root CA certificates are self-signed (by root CA).
* Otherwise (i.e., if the configured signing certificate is an intermediate CA certificate), send both the intermediate CA and the generated fake certificate.

This is a Measurement Factory Project.
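The chain-of-trust failure and the two sending rules described above can be reproduced with the `openssl` command line. This is an added example, not part of the message or of Squid's code; the throwaway PKI, subjects, file names and helper functions are all constructed for illustration, and subject == issuer is assumed as the test for "self-signed".

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI; every name, subject and path below is made up.
set -e
D=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$D/cfg"

# csr NAME CN: write NAME.key and NAME.csr
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$D/cfg" -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}

# sign CHILD PARENT [x509 options]: issue CHILD.pem from CHILD.csr under PARENT
sign() {
  local child=$1 parent=$2; shift 2
  openssl x509 -req -in "$D/$child.csr" -CA "$D/$parent.pem" -CAkey "$D/$parent.key" \
    -CAcreateserial -days 2 -out "$D/$child.pem" "$@" 2>/dev/null
}

# Subject == issuer is used here as an approximation of "self-signed".
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# The rule from the message: what goes on the wire for a given signing certificate.
chain_to_send() {
  if is_self_signed "$1"; then echo "generated"; else echo "generated+signing"; fi
}

# client_verifies LEAF [verify options]: a client that trusts only the root CA
client_verifies() {
  local leaf=$1; shift
  if openssl verify -CAfile "$D/root.pem" "$@" "$leaf" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Root CA (self-signed), intermediate signing CA, and a generated certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$D/cfg" -extensions v3_ca \
  -subj "/CN=Demo Root CA" -keyout "$D/root.key" -out "$D/root.pem" 2>/dev/null
csr inter "Demo Signing CA"; sign inter root -extfile "$D/cfg" -extensions v3_ca
csr fake "www.example.test"; sign fake inter

echo "signing cert is root:         send $(chain_to_send "$D/root.pem")"
echo "signing cert is intermediate: send $(chain_to_send "$D/inter.pem")"
echo "client, generated cert alone:      $(client_verifies "$D/fake.pem")"
echo "client, generated + signing cert:  $(client_verifies "$D/fake.pem" -untrusted "$D/inter.pem")"
```

The `-untrusted` option stands in for a certificate delivered by the peer during the handshake: it is available for chain building but is not itself a trust anchor.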
