[squid-users] Using subordinate CA for SSL Bump

Yuri Voinov yvoinov at gmail.com
Thu Dec 17 10:12:46 UTC 2015


This looks like it. The root CA isn't sent; the subordinate CA is used as the signer for the
mimicked certificates. All and any clients got a security alert.

16.12.15 1:38, Alex Rousskov wrote:
> On 12/14/2015 04:48 PM, Marcus Kool wrote:
>> On 12/14/2015 09:16 PM, Amos Jeffries wrote:
>>> Squid may be horribly sending
>>> all-but-one of the certs needed, on the assumption that the signing cert
>>> is itself installed on the client.
>
>
>> The RFC says that it is not necessary to send the signing CA certificate.
>
>
> Sending the CA certificate is usually both unnecessary (because the
> clients must have it) and borderline dangerous (because some clients do
> not expect this extra information). This is why, I bet, Squid does not
> send the signing certificate in some cases.
>
> On the other hand, sending the signing certificate is necessary if that
> signing certificate is not the CA certificate expected to be stored by
> clients. IIRC, we have fixed at least one Squid bug in this area in
> 2015, but I do not have a reference handy.
>
> And there are actually situations in-between the two extremes above
> because a CA (well-known and not) often has its own CA certificate
> hierarchy, and some clients may trust intermediate CA certificates [with
> or without storing the root CA certificate].
>
> The above does not answer the OP question. The answer may go something
> like this:
>
> If you expect your clients to store your signing certificate, then you
> can configure Squid to sign with that certificate and not worry about
> any higher-level (closer to root) certificate that may or may not exist.
> On the other hand, if your clients are storing a higher-level
> certificate, then you need to test whether Squid does the right thing
> (i.e., sends the intermediate certificate which also happens to be the
> signing certificate). If Squid does not do the right thing, file a bug
> report.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

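The three situations discussed above (client stores the root and the proxy sends only the mimicked certificate; the proxy also sends the subordinate signing CA; the client stores the subordinate CA itself) can be reproduced offline with the openssl CLI. The script below is an added example written for this thread; it is not code from the thread or from Squid. It builds a made-up root -> subordinate CA -> server certificate chain in a scratch directory (WORK and DAYS are assumed defaults) and emulates a client's path validation with `openssl verify`, then shows a small check for whether a PEM bundle sent by a server contains the leaf's issuer.

```shell
#!/bin/sh
# Added example for this thread; not code from the thread or from Squid.
# Builds a root CA -> subordinate (signing) CA -> mimicked server certificate
# chain with the openssl CLI and emulates what a client sees depending on
# which certificates the bumping proxy sends. All names are made up;
# WORK and DAYS are assumed defaults.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "skipping: openssl CLI not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates
DAYS=30

# Extension profiles: one for both CA certificates, one for the leaf.
write_ext_profile() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Fresh key and CSR; $1 = file stem, $2 = common name.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue certificate $1 from CSR $2, signed by CA cert $3 / key $4,
# using extension section $5 of ext.cnf.
issue() {
    openssl x509 -req -in "$2" -CA "$3" -CAkey "$4" -CAcreateserial \
        -days "$DAYS" -extfile "$WORK/ext.cnf" -extensions "$5" -out "$1" 2>/dev/null
}

make_chain() {
    write_ext_profile
    new_csr root "Example Root CA"
    new_csr sub "Example Subordinate CA"
    new_csr leaf "www.example.test"
    # Self-signed root: the certificate clients are assumed to have installed.
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days "$DAYS" \
        -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/root.crt" 2>/dev/null
    # Subordinate CA signed by the root: the certificate the proxy signs with.
    issue "$WORK/sub.crt" "$WORK/sub.csr" "$WORK/root.crt" "$WORK/root.key" ca
    # Mimicked server certificate signed by the subordinate CA.
    issue "$WORK/leaf.crt" "$WORK/leaf.csr" "$WORK/sub.crt" "$WORK/sub.key" leaf
}

# Emulate a client's path validation of the leaf. $1 = the client's trust
# store; remaining args = extra verify options (e.g. -untrusted <bundle>
# for certificates the server sent). The system trust store is excluded so
# only the emulated client's store counts. Succeeds only when openssl
# prints "leaf.crt: OK".
client_verifies() {
    store=$1; shift
    out=$(openssl verify -no-CAfile -no-CApath -CAfile "$store" "$@" "$WORK/leaf.crt" 2>&1) || true
    case "$out" in *": OK"*) return 0 ;; esac
    return 1
}

# Case 1: client stores the root, proxy sends only the leaf.
# This is the "all clients get a security alert" situation.
root_only_leaf_only()    { client_verifies "$WORK/root.crt"; }
# Case 2: client stores the root, proxy also sends the subordinate CA.
root_with_intermediate() { client_verifies "$WORK/root.crt" -untrusted "$WORK/sub.crt"; }
# Case 3: client stores the subordinate CA itself. -partial_chain models a
# client willing to anchor on a certificate that is not self-signed.
sub_as_anchor()          { client_verifies "$WORK/sub.crt" -partial_chain; }

# Does PEM bundle $2 (as sent by the server) contain the issuer of leaf $1?
# Run this against the certificates printed by `openssl s_client -showcerts`
# to see whether a proxy is actually sending its signing certificate.
bundle_contains_issuer() {
    want=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    openssl crl2pkcs7 -nocrl -certfile "$2" | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject= *//p' | grep -qxF -- "$want"
}

make_chain
for check in root_only_leaf_only root_with_intermediate sub_as_anchor; do
    if "$check"; then echo "$check: client accepts"; else echo "$check: client warns"; fi
done
```

Against a real bumped connection, `openssl s_client -connect <proxy-host>:<port> -showcerts` prints every certificate the proxy sent; saving that output to a file and passing it to `bundle_contains_issuer` together with the first (leaf) certificate tells you whether the subordinate signing CA is on the wire, which is the test Alex suggests running before filing a bug.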
