[squid-dev] [PATCH] Add chained certificates and signing certificate to bumpAndSpliced connections

Tsantilas Christos chtsanti at users.sourceforge.net
Sat May 23 09:14:05 UTC 2015


Hi Nathan,

  The patch works.

However, I believe it is not a good idea to configure SSL_CTX objects while 
we are setting parameters on an SSL object.
An SSL_CTX object is common to many SSL objects.

Instead of setting the SSL_CTX object from 
configureSSLUsingPkeyAndCertFromMemory, I am suggesting a new method 
"configureUnconfigureCTX()" which does the job.

Then inside client_side use:

  bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(...);
  if (!ret)
      debugs(33, 5, "mpla mpla");
  SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
  ret = configureUnconfigureCTX(sslContext, ..., signAlgorithm);


OR

  Ssl::configureSSL(ssl, certProperties, *port);
  SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
  ret = configureUnconfigureCTX(sslContext, ..., signAlgorithm);


Probably the above should be wrapped in a new method,
or maybe a new function whose name says that both the CTX and the SSL 
object are modified.


On 04/30/2015 08:11 AM, Nathan Hoad wrote:
> Hello,
>
> I am running Squid with SSL bump in bump and splice mode, and I've
> observed that this mode does not append the signing certificate or any
> chained certificates to the certificate chain presented to the client.
>
> With old bump mode, Squid adds the signing certificate and any other
> chained certificates to the SSL context. With bump and splice mode,
> these certificates are not added. Attached is a patch that adds these
> certificates for bump and spliced connections.
>
> Thank you,
>
> Nathan.
>
>
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>
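The ownership point Christos raises (one SSL_CTX is shared by many SSL objects, so writing a per-connection chain into the context affects every other connection that uses it) can be shown with a small constructed model. This is an added illustration, not Squid or OpenSSL code: the `model_*` structs and functions are stand-ins for `SSL_CTX`, `SSL`, `SSL_CTX_add_extra_chain_cert` (context-wide) and `SSL_add1_chain_cert` (per-connection, OpenSSL 1.0.2 and later), and the "chain sent" rule follows OpenSSL's behaviour of using the SSL object's own chain when one is set and falling back to the context's extra certificates otherwise. The certificate names are placeholder strings.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the SSL_CTX / SSL ownership rule; not OpenSSL code. */

#define MAX_CHAIN 4

struct model_ctx {
    const char *extra_certs[MAX_CHAIN]; /* context-wide chain, shared by all SSLs */
    int n_extra;
};

struct model_ssl {
    struct model_ctx *ctx;              /* what SSL_get_SSL_CTX() would return */
    const char *chain[MAX_CHAIN];       /* chain private to this connection */
    int n_chain;
};

static void model_ssl_init(struct model_ssl *ssl, struct model_ctx *ctx) {
    memset(ssl, 0, sizeof *ssl);
    ssl->ctx = ctx;                     /* like SSL_new(ctx) */
}

/* Stand-in for SSL_CTX_add_extra_chain_cert: every SSL using ctx sees it. */
static int model_ctx_add_extra_chain_cert(struct model_ctx *ctx, const char *cert) {
    if (ctx->n_extra >= MAX_CHAIN)
        return 0;
    ctx->extra_certs[ctx->n_extra++] = cert;
    return 1;
}

/* Stand-in for SSL_add1_chain_cert: only this SSL sees it. */
static int model_ssl_add_chain_cert(struct model_ssl *ssl, const char *cert) {
    if (ssl->n_chain >= MAX_CHAIN)
        return 0;
    ssl->chain[ssl->n_chain++] = cert;
    return 1;
}

/* Number of certificates sent after the leaf: the per-SSL chain if one was
 * set, otherwise the context's extra certificates (OpenSSL's fallback). */
static int model_chain_len_sent(const struct model_ssl *ssl) {
    return ssl->n_chain > 0 ? ssl->n_chain : ssl->ctx->n_extra;
}

/* Connection a is configured by mutating the shared context, as if the
 * chain were pushed into SSL_get_SSL_CTX(ssl) from the per-SSL setup path.
 * Returns how many chain certs an unrelated connection b would now send. */
static int leaked_chain_len_when_ctx_mutated(void) {
    struct model_ctx ctx = {0};
    struct model_ssl a, b;
    model_ssl_init(&a, &ctx);
    model_ssl_init(&b, &ctx);
    model_ctx_add_extra_chain_cert(a.ctx, "signing-ca");     /* placeholder */
    model_ctx_add_extra_chain_cert(a.ctx, "intermediate");   /* placeholder */
    return model_chain_len_sent(&b);
}

/* Same setup, but the chain is attached to connection a's own SSL object. */
static int leaked_chain_len_when_ssl_configured(void) {
    struct model_ctx ctx = {0};
    struct model_ssl a, b;
    model_ssl_init(&a, &ctx);
    model_ssl_init(&b, &ctx);
    model_ssl_add_chain_cert(&a, "signing-ca");
    model_ssl_add_chain_cert(&a, "intermediate");
    return model_chain_len_sent(&b);
}

/* Sanity check: the configured connection itself sends its chain either way. */
static int own_chain_len_when_ssl_configured(void) {
    struct model_ctx ctx = {0};
    struct model_ssl a;
    model_ssl_init(&a, &ctx);
    model_ssl_add_chain_cert(&a, "signing-ca");
    model_ssl_add_chain_cert(&a, "intermediate");
    return model_chain_len_sent(&a);
}

int main(void) {
    printf("ctx mutated: other connection sends %d chain certs\n",
           leaked_chain_len_when_ctx_mutated());
    printf("ssl configured: other connection sends %d chain certs\n",
           leaked_chain_len_when_ssl_configured());
    printf("ssl configured: own connection sends %d chain certs\n",
           own_chain_len_when_ssl_configured());
    return 0;
}
```

The first function is the hazard: a chain meant for one bump-and-spliced connection becomes visible to every connection created from the same context. The second keeps the chain where the connection-level setup owns it, which is the separation Christos is asking for when he suggests configuring the SSL object and the CTX in clearly distinct steps.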
