[squid-dev] [PATCH] Add chained certificates and signing certificate to bumpAndSpliced connections
Tsantilas Christos
chtsanti at users.sourceforge.net
Sat May 23 09:14:05 UTC 2015
Hi Nathan,

The patch works.

However, I believe it is not a good idea to configure SSL_CTX objects while
we are setting parameters on an SSL object.
An SSL_CTX object is common to many SSL objects.

Instead of setting the SSL_CTX object from
configureSSLUsingPkeyAndCertFromMemory, I am suggesting a new method
"configureUnconfigureCTX()" which does the job:

Then inside client_side use:

    bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(...);
    if (!ret)
        debugs(33, 5, "mpla mpla");
    SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
    ret = configureUnconfigureCTX(sslContext,..., signAlgorithm);

OR

    Ssl::configureSSL(ssl, certProperties, *port);
    SSL_CTX *sslContext = SSL_get_SSL_CTX(ssl);
    ret = configureUnconfigureCTX(sslContext,..., signAlgorithm);

Probably the above should be wrapped in a new method.
Or maybe a new function whose name says that both CTX and SSL
objects are modified.

On 04/30/2015 08:11 AM, Nathan Hoad wrote:
> Hello,
>
> I am running Squid with SSL bump in bump and splice mode, and I've
> observed that this mode does not append the signing certificate or any
> chained certificates to the certificate chain presented to the client.
>
> With old bump mode, Squid adds the signing certificate and any other
> chained certificates to the SSL context. With bump and splice mode,
> these certificates are not added. Attached is a patch that adds these
> certificates for bump and spliced connections.
>
> Thank you,
>
> Nathan.