SslBump code assumed that it is signing generated certificates with a
root CA certificate. Root certificates are usually not sent along with
the server certificates because clients must have them independently
installed or built-in. Squid was not sending the signing certificate.
In many environments, Squid signing certificate is intermediate (i.e.,
it belongs to a non-root CA). If Squid does not send that intermediate
signing certificate with the generated one, the client will not be able
to establish a complete chain of trust from the generated fake to the
root CA certificate, leading to errors.
With this change, Squid may send the signing certificate (along with the
generated one) using the following rules:
* If the configured signing certificate is self-signed,
then just send the generated certificate alone.
Note that root CA certificates are self-signed (by root CA).
* Otherwise (i.e., if the configured signing certificate is an
intermediate CA certificate), send both the intermediate CA
and the generated fake certificate.
This is a Measurement Factory Project
This archive was generated by hypermail 2.2.0 : Thu Oct 27 2011 - 12:00:13 MDT