[squid-users] Using subordinate CA for SSL Bump

Alex Rousskov rousskov at measurement-factory.com
Tue Dec 15 19:38:02 UTC 2015


On 12/14/2015 04:48 PM, Marcus Kool wrote:
> On 12/14/2015 09:16 PM, Amos Jeffries wrote:
>> Squid may be horribly sending
>> all-but-one of the certs needed, on the assumption that the signing cert
>> is itself installed on the client.


> The RFC says that it is not necessary to send the signing CA certificate.


Sending the CA certificate is usually both unnecessary (because the
clients must have it) and borderline dangerous (because some clients do
not expect this extra information). This is why, I bet, Squid does not
send the signing certificate in some cases.

On the other hand, sending the signing certificate is necessary if that
signing certificate is not the CA certificate expected to be stored by
clients. IIRC, we have fixed at least one Squid bug in this area in
2015, but I do not have a reference handy.

And there are actually situations in-between the two extremes above
because a CA (well-known and not) often has its own CA certificate
hierarchy, and some clients may trust intermediate CA certificates [with
or without storing the root CA certificate].

The above does not answer the OP question. The answer may go something
like this:

If you expect your clients to store your signing certificate, then you
can configure Squid to sign with that certificate and not worry about
any higher-level (closer to root) certificate that may or may not exist.
On the other hand, if your clients are storing a higher-level
certificate, then you need to test whether Squid does the right thing
(i.e., sends the intermediate certificate which also happens to be the
signing certificate). If Squid does not do the right thing, file a bug
report.


HTH,

Alex.
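Added example, not part of the message above and not Squid code: a constructed root -> intermediate -> leaf chain built with openssl, then verified the way a client that stores only the root would see it, once with the signing (intermediate) certificate sent alongside the leaf and once without. Names, subjects and the temporary directory are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: does a client holding ONLY the root CA accept the leaf
# when the intermediate (signing) certificate is, or is not, sent with it?
set -e
# Write root.pem, inter.pem and leaf.pem into directory $1.
build_chain() {
  dir=$1
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:bumped.example.test
EOF
  # Root CA: the certificate assumed to be installed on the clients.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$dir/ext.cnf" \
    -extensions ca_ext -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem"
  # Intermediate CA issued by the root: the certificate the proxy would sign with.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr"
  openssl x509 -req -days 30 -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/inter.pem"
  # Leaf: a server certificate for a bumped site, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
    -subj "/CN=bumped.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr"
  openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -extensions leaf_ext -out "$dir/leaf.pem"
}
# Act as a client whose trust store holds only root.pem. $2 is the extra
# certificate sent with the leaf ("" = nothing extra was sent).
# Returns 0 when the client can build a chain from the leaf to its stored root.
verify_as_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}
WORK=$(mktemp -d)
build_chain "$WORK" 2>/dev/null
verify_as_client "$WORK" "$WORK/inter.pem" && echo "intermediate sent: chain OK"
verify_as_client "$WORK" "" || echo "intermediate missing: client cannot reach its root"
```

To check a live bump, capture what the proxy actually sends with `openssl s_client -showcerts` (OpenSSL 1.1.0 and later can go through the proxy with `-proxy host:port`) and feed the non-leaf certificates to the same `openssl verify -untrusted` call with the root your clients really store.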
