[squid-users] How are others handling missing intermediate certificates?

Amos Jeffries squid3 at treenet.co.nz
Tue Apr 28 07:17:11 UTC 2015


On 28/04/2015 9:08 a.m., Tom Harris wrote:
> In SSL bump mode, I find I am hitting sites with incomplete certificate
> chains fairly often.   When accessed directly, browsers will work it out -
> I guess by downloading the missing CA certs.
> 
> I know I can load the intermediate CA certs in my system DB as I encounter
> the issues.   But, I'm wondering if others have more proactive solutions.
> Is there a list of commonly encountered certs, maybe just a subset like the
> top tier CAs?

Make sure that your set of trusted-CA used by OpenSSL is up to date. It
changes monthly or so in my experience. On Linux distros it tends to be
the "ca-certificates" software package.

You also have the alternative of building your own list from the ones
you hit. Though this can lead to security problems if you don't take
great care. I suggest at least following the news about what
organisations have been blacklisted from the global Trusted-CA and why
if you take this path.


>    Or, is this being addressed in code making squid behave
> like browsers do?

TLS specification says the sender is responsible for delivering the
entire cert chain except (optionally) those in the global Trusted-CA set.

Do you really think it's a good idea to continue talking to broken and
misconfigured HTTPS servers in the modern Internet?

Amos
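The failure Tom describes, reproduced offline with the openssl CLI as an added example (this is not code from the thread or from Squid; it assumes an openssl binary is on the PATH, and the CA and host names are made up). It builds a throwaway root -> intermediate -> leaf chain, then validates the leaf the way a client that trusts only the root would: once with just the server certificate, which is what a misconfigured server sends, and once with the intermediate supplied as untrusted chain material, which is what the TLS spec expects the server to deliver and what a locally collected "known intermediates" bundle provides. Keeping such a bundle as -untrusted input rather than adding the intermediates to the trusted-CA set means the root stays the only trust anchor, which is the care Amos is asking for.

```shell
#!/bin/sh
# Added example, not part of the squid-users thread or of Squid itself.
# Assumes the openssl CLI is available. All names are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Extensions for the intermediate (a CA) and for the leaf (a server cert).
printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
              'keyUsage = critical, keyCertSign, cRLSign' > inter_ext.cnf
printf '%s\n' 'basicConstraints = CA:FALSE' \
              'extendedKeyUsage = serverAuth' \
              'subjectAltName = DNS:www.example.test' > leaf_ext.cnf

# Generate a P-256 key and a CSR for subject $1, writing $2.key and $2.csr.
mk_csr() {
    openssl req -new -config req.cnf -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# 1. Self-signed root: the only certificate the client will trust.
openssl req -x509 -config req.cnf -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout root.key -out root.pem -days 30 2>/dev/null

# 2. Intermediate CA, signed by the root.
mk_csr '/CN=Example Intermediate CA' inter
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile inter_ext.cnf -out inter.pem 2>/dev/null

# 3. Leaf (server) certificate, signed by the intermediate.
mk_csr '/CN=www.example.test' leaf
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf_ext.cnf -out leaf.pem 2>/dev/null

# The operator's locally collected intermediates. It is fed to the verifier
# as -untrusted, so the root remains the only trust anchor.
cp inter.pem known_intermediates.pem

# Validate leaf.pem against a trust store holding only the root.
# $1 (optional): file of extra, untrusted certificates, i.e. what the
# server sent in its Certificate message or what the proxy has collected.
verify_leaf() {
    if [ $# -gt 0 ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" \
            "$WORK/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    fi
}

# Server sends only its own certificate: the misconfiguration in the thread.
verify_incomplete_chain() { verify_leaf; }

# Server sends leaf + intermediate, as the TLS spec requires of the sender.
verify_complete_chain() { verify_leaf "$WORK/inter.pem"; }

# Server still sends only the leaf, but the proxy supplies its own bundle.
verify_with_known_intermediates() { verify_leaf "$WORK/known_intermediates.pem"; }

# The OpenSSL reason string for the incomplete-chain case, as Squid would
# log it: "unable to get local issuer certificate" (X509 error 20).
chain_error() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 \
        | grep -o 'unable to get local issuer certificate' | head -n 1 || true
}

if verify_incomplete_chain; then
    echo "leaf only:                 OK (unexpected)"
else
    echo "leaf only:                 FAIL ($(chain_error))"
fi
verify_complete_chain          && echo "leaf + intermediate:       OK"
verify_with_known_intermediates && echo "leaf + local bundle:       OK"
```

Run it as-is; the first line is the failure squid reports for such sites, the other two are the two fixes: the server sending a complete chain, or the proxy operator supplying collected intermediates as untrusted input. Note that `-untrusted` only lets OpenSSL build the path; nothing in the bundle becomes trusted, which is why a distrusted or blacklisted CA still fails when its root is removed from the ca-certificates package.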
