[squid-users] How are others handling missing intermediate certificates?
Amos Jeffries
squid3 at treenet.co.nz
Tue Apr 28 07:17:11 UTC 2015
On 28/04/2015 9:08 a.m., Tom Harris wrote:
> In SSL bump mode, I find I am hitting sites with incomplete certificate
> chains fairly often. When accessed directly, browsers will work it out -
> I guess by downloading the missing CA certs.
>
> I know I can load the intermediate CA certs in my system DB as I encounter
> the issues. But, I'm wondering if others have more proactive solutions.
> Is there a list of commonly encountered certs, maybe just a subset like the
> top tier CAs?
Make sure that your set of trusted-CA used by OpenSSL is up to date. It
changes monthly or so in my experience. On Linux distros it tends to be
the "ca-certificates" software package.
You also have the alternative of building your own list from the ones
you hit. Though this can lead to security problems if you don't take
great care. I suggest at least following the news about what
organisations have been blacklisted from the global Trusted-CA and why
if you take this path.
> Or, is this being addressed in code making squid behave
> like browsers do?
TLS specification says the sender is responsible for delivering the
entire cert chain except (optionally) those in the global Trusted-CA set.
Do you really think it's a good idea to continue talking to broken and
misconfigured HTTPS servers in the modern Internet?
Amos
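The failure Tom is hitting, reproduced offline with a throwaway PKI so it can be seen without a misconfigured remote server. This is an added example, not code from the thread or from the Squid project; it uses only the openssl command-line tool, and every name, path and URL in it (Demo Root CA, www.example.test, pki.example.test) is made up for the demo. It builds root -> intermediate -> leaf, verifies the leaf against the trusted root alone (what Squid sees when the server sends only its own cert), then verifies again with the intermediate passed as untrusted input, the same role a server's sent chain or a locally maintained intermediate bundle plays. It also pulls the AIA caIssuers URL out of the leaf, which is the pointer browsers follow to fetch a missing issuer; the fetch itself is left out since it needs network access.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): reproduce the "incomplete
# chain" failure with a throwaway root -> intermediate -> leaf PKI, then show
# the two things that make it pass: supplying the intermediate (what a
# well-configured server does) or reading the leaf's AIA caIssuers URL (what
# browsers use when the server does not). All names and URLs are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/demo.cnf"

write_config() {
  cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityInfoAccess = caIssuers;URI:http://pki.example.test/demo-intermediate.der
EOF
}

make_chain() {
  write_config
  # Root CA: the only certificate that goes into the trust store.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$CFG" -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root. This is the cert a misconfigured
  # server forgets to send.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 2 -sha256 -extfile "$CFG" -extensions v3_ca \
    -out "$WORK/int.pem" 2>/dev/null
  # Server (leaf) cert, signed by the intermediate, carrying an AIA pointer.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$CFG" \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 3 -days 2 -sha256 -extfile "$CFG" -extensions v3_leaf \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_chain LEAF [UNTRUSTED_BUNDLE]
# Succeeds only if OpenSSL can build a path from LEAF to the trusted root,
# using UNTRUSTED_BUNDLE (if given) the way it would use certs sent by the
# server. The output is parsed rather than the exit status because old
# OpenSSL releases returned 0 from "openssl verify" even on failure.
verify_chain() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$WORK/root.pem" "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# aia_ca_issuers_url CERT
# Prints the caIssuers URL from the Authority Information Access extension,
# i.e. where a browser would go to fetch the missing issuer certificate.
aia_ca_issuers_url() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*CA Issuers - URI:\([^ ]*\).*/\1/p' | head -n 1
}

make_chain

if verify_chain "$WORK/leaf.pem"; then
  echo "leaf alone: OK"
else
  echo "leaf alone: FAILED (no intermediate supplied)"
  echo "AIA caIssuers: $(aia_ca_issuers_url "$WORK/leaf.pem")"
fi
if verify_chain "$WORK/leaf.pem" "$WORK/int.pem"; then
  echo "leaf + intermediate: OK"
fi
```

The first verify fails with "unable to get local issuer certificate", which is exactly the error an SSL-bumping Squid reports for such a site; the second passes. A file of concatenated intermediates in PEM form, as collected from the sites you hit, is what you would hand to the system trust store or to Squid's sslproxy_foreign_intermediate_certs directive, and the caution in the reply above applies: every intermediate you add that way is trusted on your say-so, so track which CAs it chains to and whether they are still in good standing.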