[squid-dev] [PATCH] Add chained certificates and signing certificate to bumpAndSpliced connections

Nathan Hoad nathan at getoffmalawn.com
Sat Jun 6 14:41:18 UTC 2015


Hello,

Attached is a patch making the changes recommended by Christos. I've
done as described, creating a Ssl::configureUnconfiguredSslContext
function, rather than making the changes to Ssl::configureSSL.

Thank you,

Nathan.

On 23 May 2015 at 19:14, Tsantilas Christos
<chtsanti at users.sourceforge.net> wrote:
> Hi Nathan,
>
>  The patch works.
>
> However, I believe it is not a good idea to configure SSL_CTX objects while we
> are setting parameters to an SSL object.
> An SSL_CTX object is common to many SSL objects.
>
> Instead of setting the SSL_CTX object from
> configureSSLUsingPkeyAndCertFromMemory, I am suggesting a new method
> "configureUnconfigureCTX()" which does the job:
>
> Then inside client_side use:
>
>  bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(...);
>   if (!ret)
>         debugs(33, 5, "mpla mpla");
>  SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
>  ret = configureUnconfigureCTX(sslContext,..., signAlgorithm)
>
>
> OR
>
>   Ssl::configureSSL(ssl, certProperties, *port))
>   SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
>   ret = configureUnconfigureCTX(sslContext,..., signAlgorithm)
>
>
> Probably the above should be wrapped in a new method.
> Or maybe a new function whose name says that both CTX and SSL objects
> are modified.
>
>
>
> On 04/30/2015 08:11 AM, Nathan Hoad wrote:
>>
>> Hello,
>>
>> I am running Squid with SSL bump in bump and splice mode, and I've
>> observed that this mode does not append the signing certificate or any
>> chained certificates to the certificate chain presented to the client.
>>
>> With old bump mode, Squid adds the signing certificate and any other
>> chained certificates to the SSL context. With bump and splice mode,
>> these certificates are not added. Attached is a patch that adds these
>> certificates for bump and spliced connections.
>>
>> Thank you,
>>
>> Nathan.
>>
>>
>>
>> _______________________________________________
>> squid-dev mailing list
>> squid-dev at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-dev
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bumpnsplice-chained-certificates-v2.patch
Type: text/x-diff
Size: 4656 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150607/e78db81e/attachment.patch>
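The symptom Nathan describes (the client receives the mimicked leaf certificate but not the signing CA or the rest of the chain) is easiest to confirm from the client side with `openssl s_client -showcerts`. The script below is an added example, not code from this thread or from Squid: it parses the "Certificate chain" section of such output and reports any certificate whose issuer was neither sent next in the chain nor is a root the client already trusts. Both sample outputs and all CA names are constructed placeholders; the only assumption about the real tool is the ` N s:` / `   i:` line layout that `s_client -showcerts` prints.

```python
"""Check whether a TLS listener (e.g. a Squid ssl_bump port) presents a complete
certificate chain, by parsing the 'Certificate chain' section of
`openssl s_client -showcerts` output.

Added example, not part of the squid-dev thread or Squid's own code. The
sample outputs below are constructed; the CA names are placeholders."""
import re

# Constructed sample: what a bump-and-spliced connection looks like when only
# the mimicked leaf is sent (the missing-signing-certificate symptom).
SAMPLE_INCOMPLETE = """\
CONNECTED(00000003)
depth=0 CN = www.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Corp Bump CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
---
Server certificate
"""

# Constructed sample: leaf plus the signing (bump) CA, chaining to a root.
SAMPLE_COMPLETE = """\
CONNECTED(00000003)
depth=2 CN = Example Corp Root CA
verify return:1
depth=1 CN = Example Corp Bump CA
verify return:1
depth=0 CN = www.example.com
verify return:1
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Corp Bump CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
 1 s:CN = Example Corp Bump CA
   i:CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
---
Server certificate
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")         # "   i:CN = ..."


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    lines = iter(s_client_output.splitlines())
    in_chain = False
    for line in lines:
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if in_chain and line.strip() == "---":
            break                      # end of the chain section
        if not in_chain:
            continue
        m = CHAIN_ENTRY.match(line)
        if m:
            subject = m.group(2).strip()
            mi = ISSUER_LINE.match(next(lines, ""))   # issuer follows subject
            issuer = mi.group(1).strip() if mi else ""
            chain.append((subject, issuer))
    return chain


def check_chain(s_client_output, trusted_roots):
    """Walk the presented chain leaf-first. Returns (ok, problems).

    The chain is complete when every issuer is either the next certificate's
    subject or a root the client already trusts. A leaf issued by an
    intermediate (the bumping CA) that is neither sent nor trusted is exactly
    the case the thread is about."""
    chain = parse_chain(s_client_output)
    if not chain:
        return False, ["no certificate chain found in output"]
    problems = []
    for idx, (subject, issuer) in enumerate(chain):
        if issuer == subject or issuer in trusted_roots:
            continue               # self-signed or anchored: nothing more to send
        nxt = chain[idx + 1][0] if idx + 1 < len(chain) else None
        if nxt != issuer:
            problems.append(f"cert {idx} ({subject}) is issued by {issuer!r}, "
                            "which was neither sent next nor is a trusted root")
    return not problems, problems


if __name__ == "__main__":
    roots = {"CN = Example Corp Root CA"}   # what the client's trust store holds
    for name, sample in (("incomplete", SAMPLE_INCOMPLETE),
                         ("complete", SAMPLE_COMPLETE)):
        ok, problems = check_chain(sample, roots)
        print(name, "OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

Note that the short chain only passes if the bump CA itself is installed as a trusted root on the client; when the deployed trust anchor is a separate root above the bump CA, the intermediate must be sent by the proxy, which is what the patch adds for bump-and-spliced connections.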

