[squid-users] Squid 4.x: Intermediate certificates downloader

Yuri Voinov yvoinov at gmail.com
Mon Jan 23 19:23:34 UTC 2017



24.01.2017 0:06, Marcus Kool wrote:
>
>
> On 23/01/17 15:31, Alex Rousskov wrote:
>> On 01/23/2017 04:28 AM, Yuri wrote:
>>
>>> 1. How does it work?
>>
>> My response below and the following commit message might answer some of
>> your questions:
>>
>>     http://bazaar.launchpad.net/~squid/squid/5/revision/14769
>
> It seems that the feature only goes to Squid 5.  Will it be ported
> to Squid 4?
>
>>> I.e., where are downloaded certs stored, how does it
>>> handle them, does it save them anywhere to disk?
>>
>> Missing certificates are fetched using HTTP[S]. Certificate responses
>> should be treated as any other HTTP[S] responses with regard to caching.
>> For example, if you have disk caching enabled and your caching rules
>> (including defaults) allow certificate response caching, then the
>> response should be cached. Similarly, the cached certificate will
>> eventually be evicted from the cache following regular cache maintenance
>> rules. When that happens, Squid will try to fetch the certificate again
>> (if it becomes needed again).
>>
>>
>>> 2. How is this feature related to sslproxy_foreign_intermediate_certs,
>>> and how can it interfere with it?
>>
>> AFAICT by looking at the code, Squid only downloads certificates that
>> Squid is missing when trying to build a complete certificate chain for a
>> given server connection. Any sslproxy_foreign_intermediate_certs are
>> used as needed during the chain building process (i.e., they are _not_
>> "missing").
>
> I created bug report http://bugs.squid-cache.org/show_bug.cgi?id=4659
> a week ago but there has not been any activity.
> Is there someone who has sslproxy_foreign_intermediate_certs
> working in Squid 4.0.17?
It seems to work the same as in 3.5.x, as far as I can see.
>
> Thanks,
> Marcus
>
> [snip]
>
>> HTH,
>>
>> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
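
Added example (not part of the original thread and not Squid's code): a simplified Python model of the chain building Alex describes, where a certificate is downloaded only when neither the server nor sslproxy_foreign_intermediate_certs supplies it. Cert, build_chain, the issuer_url field (standing in for the location a certificate advertises for its issuer) and all names and URLs are constructed for illustration; no signatures are verified.

```python
from collections import namedtuple

# Hypothetical model: names only, no signature or validity checks.
Cert = namedtuple("Cert", "subject issuer issuer_url")

def build_chain(leaf, server_sent, foreign, trusted_roots, fetch, max_depth=8):
    """Follow issuer links from leaf toward a trusted root.

    Returns (chain_subjects, downloaded_urls, complete). fetch(url) is
    called only when the issuer is in none of the local pools.
    """
    local = {c.subject: c for c in list(server_sent) + list(foreign)}
    chain, downloaded, current = [leaf.subject], [], leaf
    while len(chain) <= max_depth:
        if current.issuer in trusted_roots:
            chain.append(current.issuer)
            return chain, downloaded, True
        if current.issuer == current.subject:
            break  # self-signed and not trusted: dead end
        nxt = local.get(current.issuer)
        if nxt is None:  # issuer is "missing": try to download it
            nxt = fetch(current.issuer_url) if current.issuer_url else None
            if nxt is None or nxt.subject != current.issuer:
                break  # nothing usable fetched: chain stays incomplete
            downloaded.append(current.issuer_url)
        if nxt.subject in chain:
            break  # issuer loop
        chain.append(nxt.subject)
        current = nxt
    return chain, downloaded, False

# Constructed sample data.
ROOTS = {"Example Root CA"}
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", None)
LEAF = Cert("www.example.test", "Example Intermediate CA",
            "http://ca.example.test/intermediate.cer")
REMOTE = {LEAF.issuer_url: INTERMEDIATE}

if __name__ == "__main__":
    # Server sent only the leaf; nothing configured locally -> one download.
    print(build_chain(LEAF, [], [], ROOTS, REMOTE.get))
    # Intermediate supplied as a foreign intermediate -> no download.
    print(build_chain(LEAF, [], [INTERMEDIATE], ROOTS, REMOTE.get))
    # Download fails -> incomplete chain.
    print(build_chain(LEAF, [], [], ROOTS, lambda url: None))
```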
