[squid-users] Squid 4.x: Intermediate certificates downloader

Alex Rousskov rousskov at measurement-factory.com
Mon Jan 23 17:31:49 UTC 2017


On 01/23/2017 04:28 AM, Yuri wrote:

> 1. How does it work? 

My response below and the following commit message might answer some of
your questions:

    http://bazaar.launchpad.net/~squid/squid/5/revision/14769

> I.e., where are the downloaded certs stored, how are they handled, does
> it save them anywhere on disk?

Missing certificates are fetched using HTTP[S]. Certificate responses
should be treated as any other HTTP[S] responses with regard to caching.
For example, if you have disk caching enabled and your caching rules
(including defaults) allow certificate response caching, then the
response should be cached. Similarly, the cached certificate will
eventually be evicted from the cache following regular cache maintenance
rules. When that happens, Squid will try to fetch the certificate again
(if it becomes needed again).


> 2. How is this feature related to sslproxy_foreign_intermediate_certs,
> and how can it interfere with it?

AFAICT by looking at the code, Squid only downloads certificates that
Squid is missing when trying to build a complete certificate chain for a
given server connection. Any sslproxy_foreign_intermediate_certs are
used as needed during the chain building process (i.e., they are _not_
"missing").


> Release notes contain nothing about this feature. The wiki contains
> only one mention in passing that this functionality exists in principle.

I agree that this feature lacks documentation. This is, in part, because
the feature has no configuration options that normally force developers
to document at least some of the code logic. We should add a few words
about it to sslproxy_foreign_intermediate_certs documentation.


FWIW, we are also adding an ACL to identify internal transactions that
fetch missing certificates.


HTH,

Alex.


