Re: [PATCH] sslBump: Send intermediate CA

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Mon, 24 Oct 2011 14:24:15 -0600

On 10/24/2011 02:26 AM, Tsantilas Christos wrote:
> On 10/24/2011 09:28 AM, Henrik Nordström wrote:
>> Fri 2011-10-21 at 16:49 +0300, Tsantilas Christos wrote:
>>
>>> With this change, Squid may send the signing certificate (along with the
>>> generated one) using the following rules:
>>>
>>> * If the configured signing certificate is self-signed,
>>> then just send the generated certificate alone.
>>> Note that root CA certificates are self-signed (by root CA).
>>>
>>> * Otherwise (i.e., if the configured signing certificate is an
>>> intermediate CA certificate), send both the intermediate CA
>>> and the generated fake certificate.
>>
>> To be complete one needs to be able to specify the certificate chain.
>> This is because there may be a chain of certificates with more than one
>> intermediary CA level.
>
> Hi Henrik,
> I forgot to mention, but this patch supports it. Someone can append in
> the certificate file pointed by the "cert=" option all the required
> certificates in the chain.

Christos,

    When committing, please add a third bullet. Something along these
lines may work:

    * If Squid sends the intermediate CA certificate, Squid also sends
all other certificates from the "cert=" file. Sending a chain with
multiple intermediate CA certificates may be required when the Squid
signing certificate was signed by another intermediate CA.

Thank you,

Alex.
Received on Mon Oct 24 2011 - 20:24:47 MDT
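
The three rules discussed in this message, modelled in Python as an added example (not code from the Squid patch or from the thread's authors). It assumes the signing certificate is the first one in the "cert=" file and treats "issuer equals subject" as self-signed; chain_to_send, the minimal DER reader and the structure-only sample certificates are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def read(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def issuer_subject(der):
    """Extract the encoded issuer and subject Names from a certificate."""
    tbs = read(read(der, 0)[1], 0)[1]
    fields, pos = [], 0
    while pos < len(tbs):
        tag, body, pos = read(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(body)
    return fields[2], fields[4]  # they follow serial and signature algorithm

def chain_to_send(generated_pem, cert_file_text):
    """Apply the three bullets: which certificates go to the client."""
    blocks = list(PEM_RE.finditer(cert_file_text))
    # Assumption: the signing certificate is the first one in the file.
    issuer, subject = issuer_subject(base64.b64decode(blocks[0].group(1)))
    if issuer == subject:  # name comparison only, no signature check
        return [generated_pem]
    return [generated_pem] + [m.group(0) for m in blocks]

def sample_cert(subject_cn, issuer_cn):
    """Constructed, structure-only certificate (no key or signature)."""
    def name(cn):
        atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
        return tlv(0x30, tlv(0x31, atv))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer_cn)
              + tlv(0x30, b"") + name(subject_cn))
    body = base64.encodebytes(tlv(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----"
```

With a two-level bundle (issuing CA followed by the CA that signed it), the client receives the generated certificate plus both intermediates, so it can build a path to a root it already trusts.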
