[squid-users] Trusted first verification regarding cross root cert
Amos Jeffries
squid3 at treenet.co.nz
Mon Jun 29 09:51:55 UTC 2020
On 29/06/20 7:29 pm, mikio.kishi wrote:
> Hi Amos,
>
> Thank you for your reply and I apologize for the missing information.
> The following is the detailed one.
>
>> * Squid version
> * squid version 3.5.26 (probably ver4.X might also have the same issue)
> * OpenSSL 1.0.2k
>
>> * details of the chain being delivered to Squid
>> * details of the expected cross-signing chain(s).
>
> There are so many websites which are facing this issue.
> For instance, "sbv.gov.vn:443".
>
> # openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
> verify depth is 5
...
>
> Could you please add the trusted_first option on squid ?
>
Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
had the feature *partially* backported to it.
I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
this "feature" is the default behaviour. Squid-3 is no longer supported
for code updates.
Amos
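The cross-signing situation under discussion, as an added example (it is not part of this thread and not Squid or OpenSSL project code): a throw-away PKI with an old root, a new root, a cross certificate carrying the new root's subject and key but signed by the old root, an intermediate and a leaf, verified three ways with openssl verify. It assumes the openssl command-line tool from 1.1.1 or 3.x, where trusted-first chain building is always on, so it shows the behaviour Amos refers to rather than the 1.0.2 failure. Every name in it (Old Root, New Root, Example Intermediate CA, www.example.test) is made up for the example.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: rebuild a cross-signed root
# setup offline and watch how OpenSSL's trusted-first chain building handles it.
# Assumes: the openssl CLI (1.1.1 or 3.x, where trusted-first is always on)
# and mktemp. All names (Old Root, New Root, www.example.test) are constructed.
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Minimal config: an empty DN section (subjects come from -subj) plus the
# extension profiles used below.
cat > "$PKI/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# self_signed_root <name> <cn>: a P-256 self-signed CA, i.e. a trust anchor.
self_signed_root() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$PKI/openssl.cnf" -extensions v3_ca -subj "/CN=$2" -days 365 \
    -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null
}

# new_csr <name> <cn> [keyfile]: CSR for a fresh P-256 key, or for an existing key.
new_csr() {
  if [ $# -ge 3 ]; then
    openssl req -new -key "$3" -config "$PKI/openssl.cnf" -subj "/CN=$2" \
      -out "$PKI/$1.csr" 2>/dev/null
  else
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -config "$PKI/openssl.cnf" -subj "/CN=$2" \
      -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  fi
}

# issue <name> <ca> <serial> <ext_section>: sign $name.csr with $ca's key.
issue() {
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.crt" -CAkey "$PKI/$2.key" \
    -set_serial "$3" -days 365 -extfile "$PKI/openssl.cnf" -extensions "$4" \
    -out "$PKI/$1.crt" 2>/dev/null
}

build_pki() {
  self_signed_root old "Old Root"   # the legacy root (expired or dropped in practice)
  self_signed_root new "New Root"   # the root that replaced it
  # Cross certificate: SAME subject and SAME key as New Root, signed by Old Root.
  new_csr cross "New Root" "$PKI/new.key"
  issue cross old 2 v3_ca
  new_csr inter "Example Intermediate CA"
  issue inter new 3 v3_ca
  new_csr leaf "www.example.test"
  issue leaf inter 4 v3_leaf
  # What a server in the situation from the thread sends: intermediate + cross cert.
  cat "$PKI/inter.crt" "$PKI/cross.crt" > "$PKI/sent-chain.pem"
  cp "$PKI/inter.crt" "$PKI/inter-only.pem"
}

# verify_leaf <root> <chainfile>: verify leaf.crt the way a TLS client would,
# trusting only $root.crt and treating $chainfile as the untrusted server-sent
# chain. Returns openssl verify's exit status (0 = chain OK).
verify_leaf() {
  openssl verify -no-CApath -CAfile "$PKI/$1.crt" \
    -untrusted "$PKI/$2" "$PKI/leaf.crt" >/dev/null 2>&1
}

# check <label> <root> <chainfile>: print the outcome of one verification.
check() {
  if verify_leaf "$2" "$3"; then echo "$1: OK"; else echo "$1: FAILED"; fi
}

build_pki
# Trusted-first: the intermediate's issuer is looked up in the trust store
# before the server-sent extras, so the self-signed New Root is used and the
# cross cert (and the Old Root it leads to) is never consulted.
check "trust New Root, server sends inter+cross" new sent-chain.pem
# A client that still trusts only Old Root: the cross cert links the chain.
check "trust Old Root, server sends inter+cross" old sent-chain.pem
# Sanity check: Old Root only and no cross cert leaves no path at all.
check "trust Old Root, server sends inter only " old inter-only.pem
```

Run it with sh; the first two checks print OK and the third FAILED. The thing to look at when a site like the one quoted above fails on a 1.0.2 build is exactly the first case: whether the client's trust store holds the self-signed new root and whether the verifier stops there instead of following the server-sent cross certificate down to a root it no longer trusts.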