[squid-users] Fetch missing certificate feature of Squid_v4

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 27 17:28:57 UTC 2018


On 09/27/2018 11:12 AM, Christof Gerber wrote:

> I mean what happens if the extra request to the CA to download the
> missing certificate takes ages. Is there a timeout routine running
> which aborts the request if for instance the certificate is not
> downloaded after 5 seconds?

Yes, of course. There are many timeouts at play here. For example,
forward_timeout is used when setting a timeout to negotiate a secure
connection with the origin server (which includes fetching missing
certificates) and read_timeout is a network read timeout applied to
every individual fetching request.

Again, fetching a missing certificate feature reuses the regular "fetch
this URL" functionality in Squid, with all the features/timeouts on that
code path. IIRC, these internal certificate requests even go through
eCAP/ICAP REQMOD services!

Alex.


> On Thu, 27 Sep 2018 at 18:32, Alex Rousskov wrote:
>>
>> On 09/27/2018 09:56 AM, Christof Gerber wrote:
>>> Concerning the new feature which fetches the missing intermediate
>>> certificates I have three questions about its implementation and
>>> implications:
>>
>>> 1. What happens if the certificate fetch request runs into a timeout?
>>
>> If Squid lacks a certificate required to validate the server, the server
>> validation will fail. What happens after that probably depends on your
>> configuration, but bumping the client connection to report the
>> validation error is typical for SslBump-driven deployments.
>>
>>
>>> Is this prevented somehow?
>>
>> Not sure what you mean: No software can prevent external events such as
>> I/O timeouts.
>>
>>
>>> 2. Does Squid also learn intermediate certificates from complete
>>> certificate chains of other requests?
>>
>> Interesting question. AFAIK, Squid does not cache certificates received
>> in TLS server Hellos (yet?). The missing certificates are fetched and
>> cached using the regular Squid HTTP fetching/caching mechanism (as if
>> somebody else sent a simple GET request for the certificate). There is
>> no dedicated cache type/system for the certificates. This implies that
>> the same intermediate certificate, if it was fetched from two different
>> places/URLs, will be cached twice (by default).
>>
>> I have CCed Christos who may be able to verify my statements in the
>> above paragraph.
>>
>>
>>> 3. Will this feature make it necessary to increase the cache size?
>>
>> YMMV. By definition, the cache should never be necessary (i.e. required
>> for correct operation). You should increase the cache size if increasing
>> the cache size improves performance. This general statement applies to
>> all features, not just the feature discussed on this thread, of course.
>>
>> Alex.
> 
> 
> 
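
The two kinds of limit named in the reply above, as an added illustration that is not Squid code and not part of the original thread: `fetch()` applies a per-read timeout, which restarts on every read, inside one overall deadline that does not. `drip_server`, the loopback setup and all timing values are constructed for the demo.

```python
import socket
import threading
import time

def drip_server(payload, gap):
    """Constructed stand-in for a slow CA host: one byte, then sleep `gap` seconds."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            for byte in payload:
                conn.sendall(bytes([byte]))
                time.sleep(gap)
        except OSError:
            pass  # client gave up and closed the connection
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def fetch(port, read_timeout, overall_timeout):
    """Return (status, data); status is "ok", "read_timeout" or "overall_timeout"."""
    deadline = time.monotonic() + overall_timeout
    data = b""
    with socket.create_connection(("127.0.0.1", port), timeout=read_timeout) as sock:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "overall_timeout", data
            # The per-read limit restarts on every read; the deadline does not.
            sock.settimeout(min(read_timeout, remaining))
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                status = "read_timeout" if read_timeout <= remaining else "overall_timeout"
                return status, data
            if not chunk:
                return "ok", data
            data += chunk

if __name__ == "__main__":
    print(fetch(drip_server(b"CERT", 0.01), 2.0, 5.0))      # completes normally
    print(fetch(drip_server(b"A" * 50, 0.1), 0.5, 0.35))    # slow drip: only the deadline stops it
    print(fetch(drip_server(b"AB", 3.0), 0.3, 5.0))         # stall: the per-read limit stops it
```

The slow-drip case is the one to notice: every read arrives well inside the per-read limit, so only the overall deadline ends the fetch.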


