Re: [PATCH] sslBump: Send intermediate CA

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Mon, 24 Oct 2011 11:26:34 +0300

On 10/24/2011 09:28 AM, Henrik Nordström wrote:
> On Fri 2011-10-21 at 16:49 +0300, Tsantilas Christos wrote:
>
>> With this change, Squid may send the signing certificate (along with the
>> generated one) using the following rules:
>>
>> * If the configured signing certificate is self-signed,
>> then just send the generated certificate alone.
>> Note that root CA certificates are self-signed (by root CA).
>>
>> * Otherwise (i.e., if the configured signing certificate is an
>> intermediate CA certificate), send both the intermediate CA
>> and the generated fake certificate.
>
> To be complete, one needs to be able to specify the certificate chain.
> This is because there may be a chain of certificates with more than one
> intermediary CA level.

Hi Henrik,
I forgot to mention it, but this patch supports it. Someone can append to
the certificate file pointed to by the "cert=" option all the required
certificates in the chain.

This is already supported by the https_port option.

>
> But the above is a good and reasonable approximation.
>
> Regards
> Henrik
>
>
Received on Mon Oct 24 2011 - 08:26:46 MDT
