[squid-dev] Bug 4305: Squid reports X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY...

Christos Tsantilas christos at chtsanti.net
Wed Dec 2 15:52:58 UTC 2015


On 12/02/2015 07:18 AM, Amos Jeffries wrote:
> On 2/12/2015 6:08 a.m., Alex Rousskov wrote:
>> On 12/01/2015 04:38 AM, Amos Jeffries wrote:
>>
>>> So, I suggest this for the full doc:
>>> "
>>> DOC_START
>>>    Many origin servers fail to send their full server certificate
>>>    chain for verification. Assuming the client already has or can
>>>    easily locate any intermediate certificates that are missing.
>>>
>>>    Squid uses the certificates from the specified file to fill in
>>>    these missing chains when trying to validate origin server
>>>    certificate chains.
>>>
>>>    The file is expected to contain zero or more PEM-encoded
>>>    intermediate certificates. These certificates are not treated
>>>    as trusted root certificates and any self-signed certificate in
>>>    this file will be ignored.
>>>
>>>    This directive may be repeated to load multiple files
>>> DOC_END
>>> "
>>
>> Looks good to me, assuming the code ignores self-signed certificates and
>> does support loading multiple files.
>>
>> s/verification. Assuming/verification, assuming/
>>
>> s/any intermediate certificates that are missing/any missing
>> intermediate certificates/
>>
>> s/certificates and any/certificates, and any/
>>
>> s/multiple files/multiple files./
>>
>>
>>> Nod. "untrusted" is not exactly a clear name to anyone unfamiliar with
>>> the internals of OpenSSL. To the rest of the world (including Squid's
>>> usage) these are "intermediate certificates". So calling it
>>> "sslproxy_intermediate_certs" might be clearer to admin than untrusted.
>>
>> Agreed. On the other hand, the proxy itself may need send its own
>> intermediate certificates (for regular https_port connections, when
>> _not_ doing SslBump) so some admins will try to stuff those proxy
>> intermediate certificates here.
>
> AFAICS, "sslproxy_" directive set are all consistently scoped as being
> for configuring the outgoing server connections (specifically DIRECT
> ones, not cache_peer).

Well, this is not true.
For example the sslproxy_session_*,  are options which affect squid SSL 
server.
Other options like the sslproxy_cert_sign_hash, sslproxy_cert_adapt, and 
others are refer to the squid SSL server side of bumped connections.

If no objection I will select the  sslproxy_foreign_intermediate_certs. 
Looks the best choice...



>
> The equivalent https_port intermediate certificates are probably best
> loaded as multiple certificates from the cert= file. That seems to be
> where admin are first attempting to putting them already.
>
> Amos
>


More information about the squid-dev mailing list