[squid-users] Trusted first verification regarding cross root cert

Amos Jeffries squid3 at treenet.co.nz
Mon Jun 29 09:51:55 UTC 2020


On 29/06/20 7:29 pm, mikio.kishi wrote:
> Hi Amos,
> 
> Thank you for your reply and I apologize for the missing information.
> The following is the detailed one.
> 
>> * Squid version
> * squid version 3.5.26 (probably ver 4.x also has the same issue)
> * OpenSSL 1.0.2k
> 
>> * details of the chain being delivered to Squid
>> * details of the expected cross-signing chain(s).
> 
> There are so many websites which are facing this issue.
> For instance, "sbv.gov.vn:443".
> 
> # openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
> verify depth is 5

...
> 
> Could you please add the trusted_first option on squid ?
> 

Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
had the feature *partially* backported to it.

I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
this "feature" is the default behaviour. Squid-3 is no longer supported
for code updates.


Amos
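As an added illustration of the behaviour Amos describes (this script is not part of the original thread), the following builds a cross-signed chain of the kind discussed: an old root near expiry, a new root, a cross-certificate for the new root's key signed by the old root, an intermediate and a leaf. It then verifies the leaf with only the new root trusted, evaluated two days in the future so every path through the old root is expired. On OpenSSL 1.1 and later, where trusted-first path building is the default, the check succeeds because the root in the trust store is preferred over the served cross-certificate; all names, validity periods and file layout are this example's own assumptions.

```sh
#!/bin/sh
# Constructed demo: cross-signed chain verified "trusted first" (not the thread's code).
set -e
work=$(mktemp -d)
cd "$work"
# Every CA certificate gets explicit CA extensions so path validation accepts it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
for n in oldroot newroot inter leaf; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null
    openssl req -new -key "$n.key" -subj "/CN=$n" -out "$n.csr" 2>/dev/null
done
# Old root: one day of life left, i.e. the legacy anchor that is about to expire.
openssl x509 -req -in oldroot.csr -signkey oldroot.key -days 1 \
    -extfile ca.ext -out oldroot.crt 2>/dev/null
# New root: self-signed and long-lived; this is what a current trust store holds.
openssl x509 -req -in newroot.csr -signkey newroot.key -days 3650 \
    -extfile ca.ext -out newroot.crt 2>/dev/null
# Cross-certificate: same key and name as the new root, but signed by the old root.
openssl x509 -req -in newroot.csr -CA oldroot.crt -CAkey oldroot.key -CAcreateserial \
    -days 3650 -extfile ca.ext -out cross.crt 2>/dev/null
# Intermediate issued by the new root, leaf issued by the intermediate.
openssl x509 -req -in inter.csr -CA newroot.crt -CAkey newroot.key -CAcreateserial \
    -days 3650 -extfile ca.ext -out inter.crt 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 3650 -out leaf.crt 2>/dev/null
# What a server in this situation sends alongside the leaf: intermediate + cross-cert.
cat inter.crt cross.crt > served_chain.pem

# Returns 0 when the leaf verifies with ONLY the new root trusted, at a time
# two days from now, when the old root (and any path through it) is expired.
# Trusted-first building stops at newroot.crt instead of following cross.crt.
verify_trusted_first() {
    later=$(( $(date +%s) + 2 * 86400 ))
    openssl verify -attime "$later" -CAfile newroot.crt \
        -untrusted served_chain.pem leaf.crt >/dev/null 2>&1
}

verify_trusted_first && echo "leaf accepted via the new root (trusted_first path)"
```

Running the same verification against an OpenSSL 1.0.x without the backported trusted_first behaviour is what produces the failure reported in the thread, since the builder follows cross.crt towards the old root instead.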

