[squid-dev] [PREVIEW] Fetch missing certificates

Christos Tsantilas christos at chtsanti.net
Tue Dec 22 17:35:41 UTC 2015


This is a preview patch. The internal review procedure is not finished 
yet; there are some TODOs, which we probably need to address.

However I am posting it here to start a discussion on this patch, which 
is a little big and important.

Patch description:

Many web servers do not have complete certificate chains. Many browsers 
use certificate extensions of the server certificate and download the 
missing intermediate certificates automatically from the Internet. This 
patch adds this feature to Squid.

The information for missing issuer certificates is provided by the 
Authority Information Access X509 extension. This describes the format 
and location of additional information provided by the issuer of the 
certificate in which this extension appears. If the caIssuers access 
method is provided, then issuer certificate information is provided and 
the access location field in this extension provides the location of 
the issuer certificate.

This patch:
   - Implements a Downloader class as a ConnStateData kid class. This new 
class can be used by internal Squid subsystems to download objects from 
the net.

   - Modifies the Ssl::PeerConnector class to use the new Downloader class 
to retrieve missing certificates from the net. It retrieves the URIs of 
missing certificates from the Authority Information Access X509 extension.

   - Implements a new SSL record and SSL handshake message parser 
(Ssl::HandshakeParser class) to improve the current SSL message parsing. 
The new parser is now used to check whether a Change Cipher Spec message 
is included in the server hello. The related code is removed from the 
Ssl::Bio::sslFeatures class.

   - Modifies the Ssl::ServerBio class to:
      * Buffer the Server Hello message and process it before passing it 
to the OpenSSL library.
      * Extract server certificates from the server hello message. This is 
required to check if there are missing certificates and, if so, give 
Squid the chance to download the missing certificates and complete the 
certificate chains before passing them to OpenSSL for processing.

   - Fixes and improves the Ssl::Bio related code.
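As an added illustration of the two pieces the description above relies on (the caIssuers access method of the AIA extension, and the PeerConnector step of finding which issuer is missing from a server-sent chain), here is a small stand-alone Python example. It is not code from the patch or from Squid: it uses a minimal DER reader to pull caIssuers URIs out of an AIA extension value, then walks a chain from the leaf to decide whether an issuer is absent and, if so, which URLs advertise it. The extension bytes, certificate names and URLs are constructed for the example; a real implementation would take the extension value from the parsed X.509 certificate.

```python
# Added example (not from the Squid patch): parse the Authority Information
# Access (AIA) extension with a minimal DER reader, pick out caIssuers URIs,
# and decide which issuer certificate a server-sent chain is missing.
# All sample extension bytes, names and URLs below are constructed.

CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers
OCSP_OID = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp: also lives in AIA, but is not a cert location
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86   # 0x86 = [6] IMPLICIT IA5String (uniformResourceIdentifier)


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on every byte but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(TAG_OID, bytes(body))


def _read_tlv(buf: bytes, off: int):
    """Return (tag, value, next_offset); reject truncated input instead of over-reading."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    end = off + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[off:end], end


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0   # first byte packs the first two arcs
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_aia(ext_value: bytes) -> dict:
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription {accessMethod OID,
    accessLocation GeneralName}. Returns {method OID: [URI, ...]}; non-URI names are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    methods, off = {}, 0
    while off < len(seq):
        tag, ad, off = _read_tlv(seq, off)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag, oid, pos = _read_tlv(ad, 0)
        if tag != TAG_OID:
            raise ValueError("accessMethod is not an OID")
        tag, location, _ = _read_tlv(ad, pos)
        if tag == TAG_URI:
            methods.setdefault(_decode_oid(oid), []).append(location.decode("ascii"))
    return methods


def ca_issuer_urls(ext_value: bytes) -> list:
    """caIssuers locations a fetcher can use: plain http:// only, since fetching over
    https would need the very chain we are trying to complete."""
    return [u for u in parse_aia(ext_value).get(CA_ISSUERS_OID, []) if u.lower().startswith("http://")]


def missing_issuer_urls(chain: list, trusted_subjects: set) -> list:
    """Walk the server-sent chain from the leaf. The chain is complete once it reaches a
    self-signed cert or a trusted subject; otherwise return the caIssuers URLs advertised
    by the last cert whose issuer is absent (empty list if it advertises none)."""
    by_subject = {c["subject"]: c for c in chain}
    cert, seen = chain[0], set()
    while True:
        if cert["subject"] in seen:
            raise ValueError("issuer loop in chain")
        seen.add(cert["subject"])
        issuer = cert["issuer"]
        if issuer == cert["subject"] or issuer in trusted_subjects:
            return []
        if issuer not in by_subject:
            return ca_issuer_urls(cert["aia"]) if cert["aia"] else []
        cert = by_subject[issuer]


def build_aia(ca_issuers: list, ocsp=()) -> bytes:
    """Constructed sample AIA extension value (DER), used only to feed the parser above."""
    ads = b"".join(_der(TAG_SEQUENCE, _encode_oid(CA_ISSUERS_OID) + _der(TAG_URI, u.encode("ascii"))) for u in ca_issuers)
    ads += b"".join(_der(TAG_SEQUENCE, _encode_oid(OCSP_OID) + _der(TAG_URI, u.encode("ascii"))) for u in ocsp)
    return _der(TAG_SEQUENCE, ads)


# Constructed sample data: a leaf sent alone (intermediate missing) versus the full chain.
SAMPLE_AIA = build_aia(["http://pki.example.test/intermediate.crt"], ["http://ocsp.example.test"])
LEAF = {"subject": "www.example.test", "issuer": "Example Intermediate CA", "aia": SAMPLE_AIA}
INTERMEDIATE = {"subject": "Example Intermediate CA", "issuer": "Example Root CA", "aia": b""}
TRUSTED = {"Example Root CA"}
INCOMPLETE_CHAIN, COMPLETE_CHAIN = [LEAF], [LEAF, INTERMEDIATE]

if __name__ == "__main__":
    print(parse_aia(SAMPLE_AIA))
    print(missing_issuer_urls(INCOMPLETE_CHAIN, TRUSTED), missing_issuer_urls(COMPLETE_CHAIN, TRUSTED))
```

Two points the walk makes explicit, and that any downloader driven by this data has to keep in mind: only caIssuers entries are certificate locations (OCSP responders share the same extension), and a fetched certificate is just another untrusted input, so the loop detection and the "stop at a trusted subject" rule apply again after each fetch, with the usual bound on how many fetches one handshake may trigger.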

This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fetch-certificates-preview-t1.patch
Type: text/x-patch
Size: 142513 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20151222/476bd1e6/attachment-0001.bin>

