[squid-users] Using subordinate CA for SSL Bump

Alex Rousskov rousskov at measurement-factory.com
Thu Dec 17 17:01:29 UTC 2015


On 12/17/2015 03:12 AM, Yuri Voinov wrote:
> This looks like it: the root CA isn't sent, the subordinate CA is used as the signer for
> the mimicked certificates, and all clients get a security alert.


There may still be some terminology misunderstanding here because not
sending the root certificate is the right thing to do in most cases (as
I tried to explain in my earlier response). Let's continue with a more
specific example at Bug 4398:

http://bugs.squid-cache.org/show_bug.cgi?id=4398

Alex.


> 16.12.15 1:38, Alex Rousskov wrote:
>> On 12/14/2015 04:48 PM, Marcus Kool wrote:
>>> On 12/14/2015 09:16 PM, Amos Jeffries wrote:
>>>> Squid may be horribly sending
>>>> all-but-one of the certs needed, on the assumption that the signing cert
>>>> is itself installed on the client.
> 
> 
>>> The RFC says that it is not necessary to send the signing CA certificate.
> 
> 
>> Sending the CA certificate is usually both unnecessary (because the
>> clients must have it) and borderline dangerous (because some clients do
>> not expect this extra information). This is why, I bet, Squid does not
>> send the signing certificate in some cases.
> 
>> On the other hand, sending the signing certificate is necessary if that
>> signing certificate is not the CA certificate expected to be stored by
>> clients. IIRC, we have fixed at least one Squid bug in this area in
>> 2015, but I do not have a reference handy.
> 
>> And there are actually situations in-between the two extremes above
>> because a CA (well-known and not) often has its own CA certificate
>> hierarchy, and some clients may trust intermediate CA certificates [with
>> or without storing the root CA certificate].
> 
>> The above does not answer the OP question. The answer may go something
>> like this:
> 
>> If you expect your clients to store your signing certificate, then you
>> can configure Squid to sign with that certificate and not worry about
>> any higher-level (closer to root) certificate that may or may not exist.
>> On the other hand, if your clients are storing a higher-level
>> certificate, then you need to test whether Squid does the right thing
>> (i.e., sends the intermediate certificate which also happens to be the
>> signing certificate). If Squid does not do the right thing, file a bug
>> report.
> 
> 
>> HTH,
> 
>> Alex.
> 
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
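The test described in the quoted reply (does the bumping Squid send the intermediate certificate that is also the signing certificate, or only the mimicked leaf?) can be read off the "Certificate chain" block that `openssl s_client` prints. The Python below is an added example, not code from this thread or from the Squid project: it parses constructed s_client output and decides whether a client holding a given trust anchor could build the chain. The certificate names (Example Root CA, Example Sub CA, www.example.com) are made up, and the s_client text is constructed to match what OpenSSL 1.1.x prints.

```python
import re

# Constructed sample of what `openssl s_client -connect www.example.com:443`
# (or `-proxy squid:3128 -connect www.example.com:443` against the bumping
# proxy) prints when Squid sends only the mimicked leaf certificate.
LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Sub CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
"""

# Constructed sample for a proxy that also sends the subordinate (signing) CA.
LEAF_AND_SUB = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Sub CA
 1 s:CN = Example Sub CA
   i:CN = Example Root CA
---
Server certificate
"""

SUBJECT_RE = re.compile(r"^\d+ s:(.*)$")
ISSUER_RE = re.compile(r"^i:(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them,
    taken from the 'Certificate chain' block of s_client output."""
    chain, in_block, subject = [], False, None
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "---":          # end of the chain listing
            break
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(chain, trusted_subjects):
    """Walk the sent chain from the leaf towards the name(s) the client keeps
    in its trust store and report what such a client would find."""
    if not chain:
        return {"complete": False, "missing": None, "ordered": False, "root_sent": False}
    sent = {subject: issuer for subject, issuer in chain}
    # RFC 5246: leaf first, each following certificate certifies the one before it.
    ordered = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    # A self-signed certificate in the chain means the root was sent (usually unnecessary).
    root_sent = any(subject == issuer for subject, issuer in chain)
    issuer = chain[0][1]
    seen = set()
    while issuer not in trusted_subjects:
        if issuer not in sent or issuer in seen:
            # The client neither received nor stores this issuer: this is the
            # "all-but-one of the certs needed" case from the thread.
            return {"complete": False, "missing": issuer, "ordered": ordered, "root_sent": root_sent}
        seen.add(issuer)
        issuer = sent[issuer]
    return {"complete": True, "missing": None, "ordered": ordered, "root_sent": root_sent}


def report(s_client_output, trusted_subjects):
    """Parse s_client output and check it against the names the client trusts."""
    return check_chain(parse_chain(s_client_output), set(trusted_subjects))


if __name__ == "__main__":
    # Clients that store only the root must also receive the subordinate CA.
    print(report(LEAF_ONLY, ["CN = Example Root CA"]))
    print(report(LEAF_AND_SUB, ["CN = Example Root CA"]))
    # Clients that store the subordinate CA itself are fine with the leaf alone.
    print(report(LEAF_ONLY, ["CN = Example Sub CA"]))
```

To run the check against a real proxy, capture `openssl s_client -proxy proxy:3128 -connect host:443 -servername host </dev/null` (the `-proxy` option is available from OpenSSL 1.1.0) and pass the text to `report()` together with the subject names your clients actually store. A result with `complete` false and `missing` set to the subordinate CA's name is the symptom the thread describes; `root_sent` true shows the proxy is sending the root as well, which the thread notes is usually unnecessary.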