[squid-users] Using subordinate CA for SSL Bump

Yuri Voinov yvoinov at gmail.com
Thu Dec 17 10:12:46 UTC 2015

This looks like it. The root CA isn't sent; the subordinate CA is used as the signer for the
mimicked certificates. Any and all clients get a security alert.

16.12.15 1:38, Alex Rousskov writes:
> On 12/14/2015 04:48 PM, Marcus Kool wrote:
>> On 12/14/2015 09:16 PM, Amos Jeffries wrote:
>>> Squid may be horribly sending
>>> all-but-one of the certs needed, on the assumption that the signing cert
>>> is itself installed on the client.
>> The RFC says that it is not necessary to send the signing CA certificate.
> Sending the CA certificate is usually both unnecessary (because the
> clients must have it) and borderline dangerous (because some clients do
> not expect this extra information). This is why, I bet, Squid does not
> send the signing certificate in some cases.
> On the other hand, sending the signing certificate is necessary if that
> signing certificate is not the CA certificate expected to be stored by
> clients. IIRC, we have fixed at least one Squid bug in this area in
> 2015, but I do not have a reference handy.
> And there are actually situations in-between the two extremes above
> because a CA (well-known and not) often has its own CA certificate
> hierarchy, and some clients may trust intermediate CA certificates [with
> or without storing the root CA certificate].
> The above does not answer the OP question. The answer may go something
> like this:
> If you expect your clients to store your signing certificate, then you
> can configure Squid to sign with that certificate and not worry about
> any higher-level (closer to root) certificate that may or may not exist.
> On the other hand, if your clients are storing a higher-level
> certificate, then you need to test whether Squid does the right thing
> (i.e., sends the intermediate certificate which also happens to be the
> signing certificate). If Squid does not do the right thing, file a bug
> report.
> HTH,
> Alex.
