[squid-users] Fetch missing certificate feature of Squid_v4

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 27 16:32:34 UTC 2018

On 09/27/2018 09:56 AM, Christof Gerber wrote:
> Concerning the new feature which fetches the missing intermediate
> certificates I have three questions about its implementation and
> implications:

> 1. What happens if the certificate fetch request runs into a timeout?

If Squid lacks a certificate required to validate the server, the server
validation will fail. What happens after that probably depends on your
configuration, but bumping the client connection to report the
validation error is typical for SslBump-driven deployments.

> Is this prevented somehow?

Not sure what you mean: No software can prevent external events such as
I/O timeouts.

> 2. Does Squid also learn intermediate certificates from complete
> certificate chains of other requests?

Interesting question. AFAIK, Squid does not cache certificates received
in TLS server Hellos (yet?). The missing certificates are fetched and
cached using the regular Squid HTTP fetching/caching mechanism (as if
somebody else sent a simple GET request for the certificate). There is
no dedicated cache type/system for the certificates. This implies that
the same intermediate certificate, if it was fetched from two different
places/URLs, will be cached twice (by default).

I have CCed Christos, who may be able to verify my statements in the
above paragraph.

> 3. Will this feature make it necessary to increase the cache size?

YMMV. By definition, the cache should never be necessary (i.e. required
for correct operation). You should increase the cache size if increasing
the cache size improves performance. This general statement applies to
all features, not just the feature discussed on this thread, of course.
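As an added illustration of the two mechanics discussed above (this is not Squid's code and was not posted in this thread): the fetch of a missing intermediate starts from the caIssuers URL carried in the server certificate's AuthorityInfoAccess (AIA) extension, and a cache keyed by URL stores the same intermediate once per URL, while a cache keyed by the certificate's DER bytes would store it once. The minimal DER walker below extracts caIssuers URIs from an AIA extension value (the bytes inside the extension's OCTET STRING), and a small cache simulation contrasts URL keys with content keys. The OIDs are the standard id-ad-caIssuers and id-ad-ocsp values; the URLs and the bytes standing in for a fetched certificate are constructed sample data, and content-keyed caching is shown as a hypothetical alternative, not as a Squid option.

```python
"""Extract caIssuers URLs from an AIA extension value and compare URL-keyed
with content-keyed caching of fetched intermediates. Example code only."""
import hashlib

# DER-encoded OID contents (RFC 5280 id-ad-caIssuers and id-ad-ocsp).
OID_CA_ISSUERS = bytes.fromhex("2B06010505073002")  # 1.3.6.1.5.5.7.48.2
OID_OCSP = bytes.fromhex("2B06010505073001")        # 1.3.6.1.5.5.7.48.1


def _encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _encode_length(len(payload)) + payload


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def build_aia(entries):
    """Encode AuthorityInfoAccessSyntax (SEQUENCE OF AccessDescription)
    from (oid_bytes, url) pairs; accessLocation is GeneralName [6] IA5String."""
    descs = b""
    for oid, url in entries:
        descs += _tlv(0x30, _tlv(0x06, oid) + _tlv(0x86, url.encode("ascii")))
    return _tlv(0x30, descs)


def ca_issuers_urls(aia_der):
    """Return the caIssuers URIs a fetcher would try, ignoring OCSP entries."""
    tag, seq, end = _read_tlv(aia_der, 0)
    if tag != 0x30 or end != len(aia_der):
        raise ValueError("AIA value is not a single SEQUENCE")
    urls, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        mtag, oid, p = _read_tlv(desc, 0)
        ltag, loc, _ = _read_tlv(desc, p)
        if mtag == 0x06 and oid == OID_CA_ISSUERS and ltag == 0x86:
            urls.append(loc.decode("ascii"))
    return urls


def cache_entries(fetched, key_by_content):
    """Simulate caching (url, der_bytes) fetch results; return entry count.
    key_by_content=False mirrors a plain URL-keyed HTTP cache; True is a
    hypothetical content-addressed cache keyed by SHA-256 of the DER bytes."""
    cache = {}
    for url, der in fetched:
        key = hashlib.sha256(der).hexdigest() if key_by_content else url
        cache[key] = der
    return len(cache)


# Constructed sample AIA extension with one OCSP and one caIssuers entry.
SAMPLE_AIA = build_aia([
    (OID_OCSP, "http://ocsp.example/"),
    (OID_CA_ISSUERS, "http://ca.example/intermediate.cer"),
])

# Constructed placeholder standing in for one intermediate's DER bytes,
# served from two different URLs (not a real certificate).
FAKE_INTERMEDIATE_DER = b"constructed-intermediate-certificate-bytes"
SAMPLE_FETCHES = [
    ("http://ca.example/intermediate.cer", FAKE_INTERMEDIATE_DER),
    ("http://mirror.example/certs/intermediate.cer", FAKE_INTERMEDIATE_DER),
]

if __name__ == "__main__":
    print("caIssuers:", ca_issuers_urls(SAMPLE_AIA))
    print("URL-keyed entries:", cache_entries(SAMPLE_FETCHES, False))
    print("content-keyed entries:", cache_entries(SAMPLE_FETCHES, True))
```

The walker deliberately rejects anything that is not a SEQUENCE of SEQUENCEs, since a fetcher that follows whatever bytes appear in an untrusted server certificate should fail closed on malformed input rather than guess.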

