[squid-dev] [PATCH] Include intermediate certs to client when using peek/stare
Christos Tsantilas
christos at chtsanti.net
Mon Feb 15 10:37:16 UTC 2016
Sorry for my original positive vote.
The patch does not handle the case where the crtd daemon is used.
I am suggesting moving the following block from
ConnStateData::getSslContextStart:
+
+ Security::ContextPtr ctx = SSL_get_SSL_CTX(ssl);
+ addSigningCertificatesToChain(ctx);
to be inside ConnStateData::startPeekAndSplice(), where the
Security::Context object is created:
auto unConfiguredCTX = Ssl::createSSLContext(port->signingCert,
port->signPkey, *port);
fd_table[clientConnection->fd].dynamicSslContext = unConfiguredCTX;
+ addSigningCertificatesToChain(unConfiguredCTX);
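Review bot: the added call at the end of this hunk runs on unConfiguredCTX right after it is stored in fd_table, with no check that Ssl::createSSLContext actually returned a context; if that call can fail, guard it (`if (unConfiguredCTX) addSigningCertificatesToChain(unConfiguredCTX);`) or place it after whatever null check the function already performs. Since the reply states the move is untested, the bug 4337 check (inspect the chain the user agent receives during peek/stare) should be repeated with the crtd daemon (sslcrtd_program) configured, because that is the path the original placement in getSslContextStart missed.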
I did not check it, so someone should check whether my proposal works...
On 02/15/2016 12:07 PM, Christos Tsantilas wrote:
> +1
>
> On 02/10/2016 04:49 PM, Dave Lewthwaite wrote:
>> Hi,
>>
>> Please find attached a modified patch generated by the bzr process (it
>> seems this is a little different to using plain old diff).
>>
>> Code has passed all tests (test-builds.sh) and formatting checks
>> (source-maintenance.sh).
>>
>> Fix is to make sure that intermediate certificates for certificates
>> generated by squid during SSL bump are included when sent to the user
>> agent. Previously when performing peek or stare intermediate
>> certificates were not included. This addresses this bug specifically:
>> http://bugs.squid-cache.org/show_bug.cgi?id=4337.
>>
>> Thanks
>>
>> Dave Lewthwaite
>> Infrastructure Systems Architect, RealityMine
>>
>>
>> E: davel at realitymine.com | M: +44 (0) 7919 100 358 | W:
>> www.realitymine.com <http://www.realitymine.com/> | T: +44 (0) 161
>> 414 0707