[squid-users] Fetch missing certificate feature of Squid_v4

Christof Gerber christof.gerber1 at gmail.com
Mon Aug 20 09:10:17 UTC 2018


I am wondering how to verify the feature "Fetch missing certificate"
which was added to Squid v4.
https://github.com/squid-cache/squid/commit/55369ae649646901d3038c63217386174d01eb7b

I tried to trigger the feature by requesting some domains via squid
which lack the intermediate certificate (e.g. www.facworld.com,
taas.citrix.com, karantina.genelsigorta.com).

Because of the following observations I believe something is not
working correctly:
1. Curl returns with a "SSL certificate problem: Invalid certificate
chain" in all three cases
2. By enabling 33,5 83,5 81,5 88,3 logging and analysing the log trace
I get the feeling that the code of the feature is not called (->
missing certificate not downloaded). See the log trace in the
attachment

I verified that these domains deliver an incomplete certificate by:
$ openssl s_client -connect taas.citrix.com:443 -showcerts -verify 32 -CApath $path/to/root/certs/
Which returns "Verify return code: 21 (unable to verify the first
certificate)" for all of them

Question:
1. How to verify that the feature is working? Am I doing something wrong?
2. Is this feature always on or do I have to configure/enable it in Squid v4?

Squid Cache: Version v4.0-6d8f397398995c4512cb045920ee2747cc6b14f8

-- 
Christof Gerber
Email: christof.gerber1 at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logs_squid4-facworld
Type: application/octet-stream
Size: 25615 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180820/dfcce10b/attachment-0001.obj>
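
The incomplete-chain condition checked with s_client above can be reproduced offline. The following is an added example, not part of the original post or of Squid's code: it builds a constructed root, intermediate and leaf, shows that the leaf fails verification when the intermediate is withheld, and reads the caIssuers URL from the leaf's Authority Information Access (AIA) extension. It assumes the missing-certificate fetch is driven by that URL, as AIA fetching in browsers is; the CA names, file names and URL are made up.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); all names and the URL are made up.
AIA_URL="http://ca.example.test/intermediate.crt"

build_demo_chain() {   # $1 = existing empty directory
  ( set -e; cd "$1"
    cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
authorityInfoAccess = caIssuers;URI:$AIA_URL
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
      -days 2 -subj "/CN=Demo Root" -config pki.cnf -extensions ca_ext
    for n in int leaf; do
      openssl req -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
        -subj "/CN=demo-$n" -config pki.cnf
    done
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -out int.pem -days 2 -extfile pki.cnf -extensions ca_ext
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -out leaf.pem -days 2 -extfile pki.cnf -extensions leaf_ext
  ) >/dev/null 2>&1
}

# Succeeds only if leaf.pem chains to root.pem; extra args go to `openssl verify`.
chain_ok() {
  d=$1; shift
  openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" >/dev/null 2>&1
}

# Print the caIssuers URI(s) from a certificate's AIA extension, if any.
aia_ca_issuers() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI://p'
}

demo=$(mktemp -d) && build_demo_chain "$demo" && {
  chain_ok "$demo" || echo "leaf alone: verification fails (intermediate missing)"
  echo "AIA caIssuers: $(aia_ca_issuers "$demo/leaf.pem")"
  chain_ok "$demo" -untrusted "$demo/int.pem" && echo "with intermediate: OK"
}
rm -rf "$demo"
```

Running aia_ca_issuers against a server's leaf certificate (saved from the -showcerts output) shows whether there is a URL to fetch from at all; an empty result means the chain cannot be completed this way.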

