[squid-dev] Bug 4305: Squid reports X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY...

Christos Tsantilas christos at chtsanti.net
Tue Dec 1 08:36:35 UTC 2015


On 11/29/2015 09:00 AM, Amos Jeffries wrote:
> On 28/11/2015 9:35 p.m., Christos Tsantilas wrote:
>> Hi all,
>>    Sometimes the SSL servers do not send the full chain of intermediate
>> certificates, but instead send a link where the client can download the
>> intermediate certificates.
>>
>> Currently squid cannot handle such cases. Measurement Factory built a
>> patch which provides a workaround for this problem: allow the users to
>> build a database of intermediate certificates, which can be used by
>> squid to complete certificate chains.
>>
>> Measurement Factory is currently working to implement a full solution for
>> this bug, a downloader for squid which will retrieve missing
>> certificates from the net.
>> However, this solution may take some time to finish and test.
>>
>> Is it OK to apply to trunk the workaround patch in bug 4305?
>
>
> It touches the squid.conf UI so I would rather not at this point.
>
> That said, the problem it resolves is rather more important than
> preserving an arbitrary policy. So I am in agreement with it going in
> sooner rather than later provided it works as planned.

Does this mean that I should apply it to trunk?

>
>
> But please extend the squid.conf documentation to state that self-signed
> (aka root) certificates are not supported by the new option and will be
> ignored. They are ignored silently, so it needs to be stated somewhere
> to avoid confusion.

The new directive "sslproxy_untrusted_certs" is documented as

"Squid uses the intermediate certificates pre-loaded from the specified 
file to validate origin server certificate chains. Squid receives many 
incomplete chains (i.e., chains with intermediate certificates missing). 
The file is expected to contain zero or more PEM-encoded intermediate 
certificates. These certificates are not treated as trusted root 
certificates."

Isn't the following sentence enough: "These certificates are not 
treated as trusted root certificates."?
Moreover, the name of the new directive should make the purpose 
of these certificates clear.
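As an added example that is not part of this thread or of Squid, the following shell script reproduces the semantics the directive text describes, using the `-untrusted` option of `openssl verify` as the stand-in for the pre-loaded file: a server that sends only its leaf certificate fails with the error from the subject line, the pre-loaded intermediate completes the chain, and a self-signed root placed in that same file confers no trust. The three-tier PKI and its names are constructed here; the `openssl` command must be available.

```shell
#!/bin/sh
# Added example (not Squid code): emulate sslproxy_untrusted_certs with the
# openssl CLI. The root/intermediate/leaf PKI below is constructed on the fly.
set -eu

make_pki() {
  # Constructed three-tier PKI: self-signed root -> intermediate CA -> origin leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  for n in root inter leaf; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$n.key" -out "$n.csr" -subj "/CN=example $n" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
  # The "pre-loaded intermediates" file: zero or more PEM certs, here the
  # intermediate plus (wrongly) the self-signed root.
  cat inter.pem root.pem > untrusted-bundle.pem
}

# Prints ok/fail. The default CA file and directory are disabled so that only
# an explicit -CAfile acts as trust anchor, like a configured trusted CA file.
chk() {
  if openssl verify -no-CAfile -no-CApath "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

demo() (
  dir=$(mktemp -d); cd "$dir"
  make_pki
  # 1. Server sent only the leaf: error 20, unable to get local issuer certificate.
  r1=$(chk -CAfile root.pem leaf.pem)
  # 2. Pre-loaded intermediate fills the gap; it is used as chain material only.
  r2=$(chk -CAfile root.pem -untrusted inter.pem leaf.pem)
  # 3. No trust anchor: the self-signed root inside the untrusted file does not
  #    become one, so the chain still fails (self-signed certificate in chain).
  r3=$(chk -untrusted untrusted-bundle.pem leaf.pem)
  cd / && rm -rf "$dir"
  echo "leaf-only:$r1 with-intermediate:$r2 root-as-untrusted:$r3"
)

demo   # prints: leaf-only:fail with-intermediate:ok root-as-untrusted:fail
```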
