[squid-dev] [PATCH] Add chained certificates and signing certificate to bumpAndSpliced connections

Amos Jeffries squid3 at treenet.co.nz
Fri May 1 08:36:37 UTC 2015


On 30/04/2015 5:11 p.m., Nathan Hoad wrote:
> Hello,
> 
> I am running Squid with SSL bump in bump and splice mode, and I've
> observed that this mode does not append the signing certificate or any
> chained certificates to the certificate chain presented to the client.
> 
> With old bump mode, Squid adds the signing certificate and any other
> chained certificates to the SSL context. With bump and splice mode,
> these certificates are not added. Attached is a patch that adds these
> certificates for bump and spliced connections.
> 

Which mode? bump or splice or peek-then-bump or peek-then-splice mode?

The valid operations are different in each combination of operations.

bump mode is equivalent to the old client-first, where Squid is
generating the whole certificate chain sent to the client.

splice or peek-then-splice modes are both equivalent to not bumping at
all. Squid is expected to pass on exactly what the server emits, no
matter how screwed.

peek-then-bump is equivalent to server-first mode, where the
certificates generated by Squid are expected to mimic what the server
sent. The full chain is only expected IF the server sent its whole chain.

Amos
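The three modes Amos distinguishes, written out as squid.conf fragments (Squid 3.5 ssl_bump syntax). This is an added illustration, not part of the thread or of Nathan's patch; the port, CA file path and ssl_crtd paths are placeholders.

```conf
# Added example: how the ssl_bump modes discussed above map onto
# configuration, and what each implies for the certificate chain the
# client sees. Paths and port are placeholders, not values from the thread.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl/squid-ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

acl step1 at_step SslBump1

# (a) bump at step 1 == old client-first.  Squid never looks at the
#     server's certificate, so it must fabricate the whole chain itself
#     (leaf + signing CA + any intermediates) for the client.
#ssl_bump bump all

# (b) peek-then-splice == not bumping.  Squid forwards the server's TLS
#     handshake unchanged; whatever chain (complete or not) the origin
#     sent is what the client receives.
#ssl_bump peek step1
#ssl_bump splice all

# (c) peek-then-bump == old server-first.  Squid fetches the server's
#     certificate first and generates a mimic; a full chain is only
#     expected when the server itself presented one.
ssl_bump peek step1
ssl_bump bump all
```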
