[squid-dev] SSL Bump Certificate Chain
Dave Lewthwaite
Dave.Lewthwaite at realitymine.com
Wed Feb 3 15:57:26 UTC 2016
Hi,
I have worked out a simple fix for this bug http://bugs.squid-cache.org/show_bug.cgi?id=4337
To test, I’ve copied the code which adds the certificate to the chain from ConnStateData::getSslContextDone to ConnStateData::getSslContextStart, inside the sslBump decision (if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare))).
Addition:
    // Context of the client-facing SSL object for this connection
    SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
    // The CA certificate Squid uses to sign the generated (mimicked) certificates
    X509 *cert = port->signingCert.get();
    if (SSL_CTX_add_extra_chain_cert(ctx, cert)) {
        // SSL_CTX_add_extra_chain_cert takes ownership of cert, so take an
        // extra reference to keep the port's copy of the signing cert alive
        CRYPTO_add(&(cert->references), 1, CRYPTO_LOCK_X509);
    } else {
        const int ssl_error = ERR_get_error();
        debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
    }
    // Also send any additional intermediates configured for this port
    Ssl::addChainToSslContext(ctx, port->certsToChain.get());
There will be a better way of doing this (definitely one that doesn’t involve duplication of code), but it at least pinpoints the problem.
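An added example, not part of the post above and not Squid's code, that shows with the openssl command line why the missing chain matters: a client that trusts only the root CA cannot validate the bumped site certificate unless the server's handshake also carries the signing (intermediate) certificate, which is exactly what SSL_CTX_add_extra_chain_cert / addChainToSslContext provide. The PKI (subjects, the DNS name example.test, the config file) is constructed for the demo; the "-untrusted" file given to openssl verify stands in for the extra chain certs a server sends in its Certificate message.

```shell
#!/bin/sh
# Added demo (not Squid code): leaf-only vs leaf-plus-intermediate verification
# against a trust store that holds only the root CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# Self-signed root: stands in for the CA the browser actually trusts.
make_root() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
    openssl req -x509 -new -key "$WORK/root.key" -subj "/CN=Demo Root" \
        -config "$WORK/demo.cnf" -extensions ca_ext -days 1 -out "$WORK/root.pem"
}

# issue NAME SUBJECT ISSUER EXT -> NAME.pem signed by ISSUER's key with EXT extensions
issue() {
    name=$1; subj=$2; issuer=$3; ext=$4
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -key "$WORK/$name.key" -subj "$subj" \
        -config "$WORK/demo.cnf" -out "$WORK/$name.csr"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
        -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
        -extfile "$WORK/demo.cnf" -extensions "$ext" -out "$WORK/$name.pem"
}

build_pki() {
    make_root
    # The intermediate plays the role of Squid's signing CA (port->signingCert).
    issue inter "/CN=Demo Signing CA" root ca_ext
    # The leaf plays the role of the per-site certificate Squid generates.
    issue leaf "/CN=example.test" inter leaf_ext
}

# Client trusts only the root; the server sent only the leaf (the buggy case).
# Returns 0 if verification succeeds, non-zero otherwise.
verify_without_chain() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate travels with the leaf as an
# untrusted chain element, as it does once the extra chain cert is sent.
verify_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

build_pki
if verify_without_chain; then
    echo "leaf alone: verifies (unexpected)"
else
    echo "leaf alone: FAILS (unable to get issuer certificate)"
fi
if verify_with_chain; then
    echo "leaf + intermediate: verifies"
else
    echo "leaf + intermediate: FAILS (unexpected)"
fi
```

Running the script prints a failure for the leaf alone and a success once the intermediate is supplied; the same difference is what a browser sees between a Squid build that omits certsToChain during peek/stare and one that sends it.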