<div dir="ltr">with 3.5.15, I have this config:<div><br></div><div>---8<---</div><div><div>https_port 8443 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB \</div><div> cert=/etc/squid/ssl/proxy.pem \</div><div> key=/etc/squid/ssl/proxy.key \</div><div> cafile=/etc/squid/ssl/proxy.pem</div></div><div>--->8---<br><div><br></div></div><div>proxy.pem is the concatenation of both the CA cert (intermediate) followed by the root cert (my offline CA). Best i can tell, all of it is sent back to the client (generated cert, intermediate and root CA).</div><div><br></div><div>HTH</div><div>Jok</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 7, 2016 at 10:59 AM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 7/04/2016 5:25 a.m., Nicolaas Hyatt wrote:<br>
> Amos,<br>
> Thanks for your quick response and your time. I have not yet messed with<br>
> 4.0. Is this something that may find its way into the 3.x stable branch<br>
> at some point?<br>
><br>
<br>
Maybe. I am reliant on the guys doing OpenSSL code (aka. Christos) to<br>
test the backporting though. So it will depend on whether he thinks its<br>
important enough.<br>
<br>
I'm hopeful, but no guarantees.<br>
<div class="HOEnZb"><div class="h5"><br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</div></div></blockquote></div><br></div>