[squid-users] Squid 4.x: Intermediate certificates downloader

Amos Jeffries squid3 at treenet.co.nz
Mon Jan 23 22:59:17 UTC 2017


On 24/01/2017 8:22 a.m., Yuri Voinov wrote:
> 
> 
> 24.01.2017 0:06, Alex Rousskov wrote:
>> On 01/23/2017 10:41 AM, Yuri Voinov wrote:
>>> 23.01.2017 23:31, Alex Rousskov wrote:
>>>> On 01/23/2017 04:28 AM, Yuri wrote:
>>
>>>>> 2. How this feature is related to sslproxy_foreign_intermediate_certs,
>>>>> how it can interfere with it?
>>>> AFAICT by looking at the code, Squid only downloads certificates that
>>>> Squid is missing when trying to build a complete certificate chain for a
>>>> given server connection. Any sslproxy_foreign_intermediate_certs are
>>>> used as needed during the chain building process (i.e., they are _not_
>>>> "missing").
>>> Ok, so, this file is used for completing chains, and it contains statically
>>> added (manually) certs only, right?
>> Yes, the sslproxy_foreign_intermediate_certs file is maintained by the
>> Squid administrator. Squid does not update it.
>>
>>
>>> I.e., the downloader should not save fetched intermediate CAs here,
>> Correct.
>>
>>
>>> which would be logical, wouldn't it?
>> I believe it is better to use the regular Squid cache for storing the
>> fetched missing certificates. I would not call abusing the
>> sslproxy_foreign_intermediate_certs file for this purpose completely
>> illogical, but such abuse would create more problems than it would solve
>> IMO. We have also considered using a dedicated storage for the fetched
>> missing certificates, but have decided (for many reasons) that it would
>> be worse than reusing the existing caching infrastructure.
>>
>> FWIW, IMO, storing the generated fake certificates in the regular Squid
>> cache would also be better than using an OpenSSL-administered database.
> Exactly.

There is one drawback to that suggestion though.

The certs which are downloaded are publicly available information and
intended to be such. Anyone can download them from source just like
browsers and Squid-4 do. So there is no harm in having the data stored
in a semi-insecure cache.

The certs generated by Squid are pollution as far as TLS is concerned.
They are intended for use only by that proxy installation, with the
specific set of details involved with the origin certificate on that
connection. Re-usability is purely a bonus. People could get into
connectivity trouble if they were stored long-term like other cache items.

Amos
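The distinction Alex draws above (an administrator-maintained intermediates file is consulted during chain building, and only certificates still missing after that are candidates for download) can be demonstrated with plain openssl. The script below is an added example, not code from the thread or from Squid: it generates a throw-away root, intermediate and leaf, verifies the leaf with only the root trusted (the intermediate is "missing"), then repeats the check with the intermediate supplied from a hand-maintained file passed via `-untrusted`, which is the openssl analogue of the role `sslproxy_foreign_intermediate_certs` plays in Squid. It also extracts the leaf's AIA caIssuers URI, which is the standard X.509 pointer any downloader of missing issuers would follow. The file name `foreign_intermediates.pem`, the subject names and the AIA URL are constructed values; nothing is fetched over the network.

```shell
#!/bin/sh
# Added demonstration (not Squid code): build a throw-away root -> intermediate
# -> leaf PKI with openssl, then show what chain building sees when the
# intermediate is missing versus supplied from an administrator-maintained file.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed certificates; the AIA URL is a placeholder, nothing is fetched.
make_pki() {
  (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext
    printf 'authorityInfoAccess=caIssuers;URI:http://pki.example.test/demo-intermediate.der\n' >> leaf.ext

    # Root CA: self-signed.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -set_serial 1 \
        -extfile ca.ext -out root.pem 2>/dev/null

    # Intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -days 30 -set_serial 2 \
        -extfile ca.ext -out int.pem 2>/dev/null

    # Leaf (origin server) certificate: signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -days 30 -set_serial 3 \
        -extfile leaf.ext -out leaf.pem 2>/dev/null
  )
}

# Chain building with only the trusted root: the intermediate is "missing".
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same check with the administrator-maintained intermediates file supplied
# (the openssl analogue of sslproxy_foreign_intermediate_certs).
verify_with_intermediates() {
  openssl verify -CAfile "$WORK/root.pem" \
      -untrusted "$WORK/foreign_intermediates.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Where a downloader would look for a missing issuer: the leaf's AIA caIssuers URI.
aia_url() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p'
}

run_demo() {
  make_pki
  if verify_leaf_alone; then
    echo "unexpected: leaf verified without its intermediate"
  else
    echo "leaf alone: chain incomplete, issuer would have to be fetched from $(aia_url)"
  fi
  # Emulate the administrator adding the intermediate PEM to the file by hand.
  cat "$WORK/int.pem" > "$WORK/foreign_intermediates.pem"
  if verify_with_intermediates; then
    echo "with foreign intermediates file: chain complete, nothing to download"
  else
    echo "unexpected: chain still incomplete"
  fi
}

run_demo
```

The first verify fails with "unable to get local issuer certificate", which is exactly the state in which a downloader has work to do; once the intermediate is present in the hand-maintained file it is simply used during chain building and is no longer "missing", so nothing would be fetched or written back to that file.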


