[squid-users] Squid 4.x: Intermediate certificates downloader

Yuri Voinov yvoinov at gmail.com
Mon Jan 23 17:41:12 UTC 2017



23.01.2017 23:31, Alex Rousskov writes:
> On 01/23/2017 04:28 AM, Yuri wrote:
>
>> 1. How does it work? 
> My response below and the following commit message might answer some of
> your questions:
>
>     http://bazaar.launchpad.net/~squid/squid/5/revision/14769
>
>> I.e., where downloaded certs stored, how it
>> handles, does it saves anywhere to disk?
> Missing certificates are fetched using HTTP[S]. Certificate responses
> should be treated as any other HTTP[S] responses with regard to caching.
> For example, if you have disk caching enabled and your caching rules
> (including defaults) allow certificate response caching, then the
> response should be cached. Similarly, the cached certificate will
> eventually be evicted from the cache following regular cache maintenance
> rules. When that happens, Squid will try to fetch the certificate again
> (if it becomes needed again).
I.e., the fetched intermediate certificate is stored only in the memory cache of the

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB

daemon, right? And is never stored anywhere on disk?
>
>
>> 2. How this feature is related to sslproxy_foreign_intermediate_certs,
>> how it can interfere with it?
> AFAICT by looking at the code, Squid only downloads certificates that
> Squid is missing when trying to build a complete certificate chain for a
> given server connection. Any sslproxy_foreign_intermediate_certs are
> used as needed during the chain building process (i.e., they are _not_
> "missing").
Ok, so this file is used for completing chains, and it contains only
statically (manually) added certs, right?

I.e., the downloader should not save fetched intermediate CAs here, which
would be logical, wouldn't it?
>
>
>> Release notes contains nothing about this feature. Wiki contains only
>> one mention in passing that this functionality exists in principle.
> I agree that this feature lacks documentation. This is, in part, because
> the feature has no configuration options that normally force developers
> to document at least some of the code logic. We should add a few words
> about it to sslproxy_foreign_intermediate_certs documentation.
>
>
> FWIW, we are also adding an ACL to identify internal transactions that
> fetch missing certificates.
>
>
> HTH,
>
> Alex.
>

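Added example to illustrate the chain-building point discussed above; it is not code from this thread or from Squid. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI (assumed to be in PATH; all CA names and the hostname are constructed), then shows that the leaf cannot be validated when only the leaf is available, and validates once the intermediate is supplied as an untrusted helper, which is the gap Squid fills either from sslproxy_foreign_intermediate_certs or by downloading the missing certificate.

```shell
#!/bin/sh
# Added example (not from the thread or Squid): root -> intermediate -> leaf chain
# built locally, then verified with and without the intermediate certificate.
set -e
WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"

make_chain() {
    # Minimal config so 'req' never depends on the system openssl.cnf.
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' > "$CFG"
    printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' >> "$CFG"
    printf '[leaf_ext]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' >> "$CFG"
    # Self-signed root CA (constructed name).
    openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/CN=Test Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Test Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$CFG" -extensions ca_ext \
        -out "$WORK/int.pem" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate.
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$CFG" -extensions leaf_ext \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Succeeds only if the leaf verifies against the trusted root alone,
# i.e. as if the server had sent nothing but its own certificate.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same check with the intermediate offered as an untrusted chain-building helper,
# the role certs from sslproxy_foreign_intermediate_certs (or a fetched one) play.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Prints the leaf's issuer DN: the subject the missing intermediate must carry.
missing_issuer() {
    openssl x509 -noout -issuer -in "$WORK/leaf.pem"
}

make_chain
if verify_leaf_only; then echo "unexpected: leaf verified without its intermediate"; fi
verify_with_intermediate && echo "leaf verified once the intermediate was supplied: $(missing_issuer)"
```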

