[squid-users] Trusted first verification regarding cross root cert

NgTech LTD ngtech1ltd at gmail.com
Mon Jun 29 12:14:27 UTC 2020


Upgrading to 1.1 on a running OS is a challenge for any sysadmin.

Eliezer

On Mon, Jun 29, 2020, 13:30 <mikio.kishi at gmail.com> wrote:

> Hi Amos,
>
> >Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
> >had the feature *partially* backported to it.
> >I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
> >this "feature" is the default behaviour.
>
> Yes, exactly. However, currently I am using CentOS7, whose openssl package
> version is still 1.0.....
> Upgrading openssl to v1.1.1 is challenging for me. Could you please
> implement the trusted first option in squid-4 ? ...
>
> Regards,
> --
> Mikio Kishi
>
>
> On Mon, Jun 29, 2020 at 7:05 PM Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 29/06/20 7:29 pm, mikio.kishi wrote:
>> > Hi Amos,
>> >
>> > Thank you for your reply and I apologize for the missing information.
>> > The following is the detailed one.
>> >
>> >> * Squid version
>> > * squid version 3.5.26 (probably, ver4.X also might have the same issue)
>> > * OpenSSL 1.0.2k
>> >
>> >> * details of the chain being delivered to Squid
>> >> * details of the expected cross-signing chain(s).
>> >
>> > There are so many websites which are facing this issue.
>> > For instance, "sbv.gov.vn:443".
>> >
>> > # openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
>> > verify depth is 5
>>
>> ...
>> >
>> > Could you please add the trusted_first option on squid ?
>> >
>>
>> Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
>> had the feature *partially* backported to it.
>>
>> I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
>> this "feature" is the default behaviour. Squid-3 is no longer supported
>> for code updates.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
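The cross-root situation discussed in this thread, reproduced with a constructed lab PKI as an added example (not code from Squid or from any poster): the same leaf verifies through a 2-certificate chain when the client trusts the new root, and through a 3-certificate chain via the cross certificate when it trusts only the old root. It assumes OpenSSL 1.1.0 or later on PATH (for `-show_chain`); every name, file and the helper functions `build_cross_chain` and `chain_len` are made up for the example.

```shell
#!/bin/sh
# Constructed lab PKI; every name and file here is made up for the example.
set -eu

build_cross_chain() {  # $1 = empty working directory
  (
    cd "$1"
    cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Two self-signed roots: "old root" and "new root".
    for r in old new; do
      openssl req -config lab.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=${r} root" -keyout "$r.key" -out "$r.pem"
    done
    # Cross certificate: new root's subject and key, signed by old root.
    openssl req -config lab.cnf -new -key new.key -subj "/CN=new root" -out new.csr
    openssl x509 -req -in new.csr -CA old.pem -CAkey old.key -CAcreateserial \
      -days 30 -extfile lab.cnf -extensions ca -out cross.pem
    # Leaf issued by new root; the "server" sends leaf.pem plus cross.pem.
    openssl req -config lab.cnf -new -newkey rsa:2048 -nodes \
      -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA new.pem -CAkey new.key -CAcreateserial \
      -days 30 -out leaf.pem
  ) >/dev/null 2>&1
}

# Prints how many certificates are in the chain the verifier built.
chain_len() {  # $1 = lab directory, $2 = the single root the client trusts
  ( cd "$1" && openssl verify -trusted_first -show_chain \
      -CAfile "$2" -untrusted cross.pem leaf.pem ) | grep -c '^depth='
}

lab=$(mktemp -d)
build_cross_chain "$lab"
# Trust store searched first: the chain stops at the trusted self-signed new root.
echo "client trusts new root: chain of $(chain_len "$lab" new.pem) certs"
# Only old root trusted: the chain must go through the cross certificate.
echo "client trusts old root: chain of $(chain_len "$lab" old.pem) certs"
rm -rf "$lab"
```

Both paths exist because `cross.pem` and `new.pem` carry the same subject and public key; which one a verifier finds first is what the trusted-first behaviour decides.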