[squid-users] Fetch missing certificate feature of Squid_v4

Amos Jeffries squid3 at treenet.co.nz
Mon Aug 20 12:18:28 UTC 2018

On 20/08/18 9:10 PM, Christof Gerber wrote:
> I am wondering how to verify the feature "Fetch missing certificate"
> which was added to Squid v4.
> https://github.com/squid-cache/squid/commit/55369ae649646901d3038c63217386174d01eb7b
> I tried to trigger the feature by requesting some domains via squid
> which lack the intermediate certificate (e.g. www.facworld.com,
> taas.citrix.com, karantina.genelsigorta.com).
> Because of the following observation I believe something is not
> working correctly:
> 1. Curl retruns with a "SSL certificate problem: Invalid certificate
> chain" in all three cases

This is the chain received by curl. Not the chain received by Squid.

To get this from curl either Squid is not even involved in any TLS with
the broken cert chain (splice, regular tunneling, not using the proxy).
Or, the CA cert chain you configured Squid to use is itself incomplete.

> 2. By enabling 33,5 83,5 81,5 88,3 logging and analysing the log trace
> I get the feeling that the code of the feature is not called (->
> missing certificate not downloaded). See the log trace in the
> attachment

Log trace says Squid identified http://aia.entrust.net/l1k-chain256.cer
as the missing CA and downloaded it. AFAICT the verification then passed
and bump proceeded to happen.

> I verified that these domains deliver an incomplete certificate by:
> $ openssl s_client -connect taas.citrix.com:443 -showcerts -verify 32
> -CApath  $path/to/root/certs/
> Which returns "Verify return code: 21 (unable to verify the first
> certificate)" for all of them
> Question:
> 1. How to verify that the feature is working?

AFAIK, just what you did. The problem seems to be not understanding the
log resulting.

2018/08/20 10:37:26.975 kid1| 83,5| PeerConnector.cc(712)
checkForMissingCertificates: SSL server sent 1 certificates
2018/08/20 10:37:26.976 kid1| 33,3| Downloader.cc(226) handleReply:
Object data transfer successfully complete
2018/08/20 10:37:27.089 kid1| 83,5| PeekingPeerConnector.cc(353)
serverCertificateVerified: HTTPS server CN: www.facworld.com bumped:
local= remote= FD 17 flags=1
2018/08/20 10:37:27.091 kid1| 33,5| client_side.cc(2917)
getTlsContextFromCache: Cached SSL certificate for www.facworld.com is valid

> Am I doing something wrong?

Maybe. It only can D/L *if* the present certificate provides a URL for
its absent CA certificate. Not all types of incomplete chains have that
required info.

> 2. Is this feature always on or do I have to configure/enable it in Squid v4?

Always on.

> Squid Cache: Version v4.0-6d8f397398995c4512cb045920ee2747cc6b14f8

Uhm, Squid code at 6d8f397 self-identify as 4.2.


More information about the squid-users mailing list