[squid-dev] Bug 4305: Squid reports X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY...

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 29 07:00:51 UTC 2015

On 28/11/2015 9:35 p.m., Christos Tsantilas wrote:
> Hi all,
>   Sometimes the SSL servers does not send the full chain of intermediate
> certificates, but instead send a link where the client can download the
> intermediate certificates.
> Currently squid can not handle such cases. Measurement Factory build a
> patch which provides a workaround for this problem: Allow the users to
> build a database of intermediate certificates, which can be used by
> squid to complete certificate chains.
> Measurement Factory currently works to implement a full solution for
> this bug, a downloader for squid which will retrieve missing
> certificates from the net.
> However this solution may take some time to test and finish it.
> Is it OK to apply to trunk the workaround patch in bug 4305?

It touches the squid.conf UI so I would rather not at this point.

That said the problem it resolves is rather more important than
preserving an arbitrary policy. So I am in agreement with it going in
sooner rather than later provided it works as planned.

But please extend the squid.conf documentation to state that self-signed
(aka root) certificates are not supported by the new option and will be
ignored. They are ignores silently, so it needs to be stated somewhere
to avoid confusion.


More information about the squid-dev mailing list