[squid-dev] [PATCH] Add chained certificates and signing certificate to bumpAndSpliced connections

Nathan Hoad nathan at getoffmalawn.com
Tue May 5 07:13:12 UTC 2015


On 1 May 2015 at 18:36, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> Which mode? bump or splice or peek-then-bump or peek-then-splice mode?

Peek then bump! Apologies, I was incredibly unclear on that.

>
> The valid operations are different in each combination of operations.
>
> bump mode is equivalent to the old client-first. Where squid is
> generating the whole certificate chain sent to the client.
>
> splice or peek-then-splice modes are both equivalent to not bumping at
> all. Squid is expected to pass on exactly what the server emits, no
> matter how screwed.
>
> peek-then-bump is equivalent to server-first mode. Where the
> certificates generated by Squid are expected to mimic what the server
> sent. The full chain is only expected IF the server sent its whole chain.

The scenario this patch addresses is when Squid is configured with an
intermediate signing CA certificate, and clients have the root CA
installed on their machines. What happens is that the generated
certificates come down with an unknown issuer (the intermediate
signing certificate), with no intermediates, so they are rejected. By
adding the configured certificate chain as old client-first mode did,
the intermediate and root certificates come down as well, resulting in
the issuer being identified and the connection being established
"securely".

>
> Amos
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev

