[squid-users] Trusted first verification regarding cross root cert

mikio.kishi at gmail.com
Mon Jun 29 10:30:34 UTC 2020


Hi Amos,

>Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
>had the feature *partially* backported to it.
>I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
>this "feature" is the default behaviour.

Yes, exactly. However, I am currently using CentOS7, whose openssl package
version is still 1.0.....
Upgrading openssl to v1.1.1 is challenging for me. Could you please
implement the trusted first option in squid-4? ...

Regards,
--
Mikio Kishi


On Mon, Jun 29, 2020 at 7:05 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 29/06/20 7:29 pm, mikio.kishi wrote:
> > Hi Amos,
> >
> > Thank you for your reply and I apologize for the missing information.
> > The following is the detailed one.
> >
> >> * Squid version
> > * squid version 3.5.26 (probably, ver4.X also might have same issue)
> > * OpenSSL 1.0.2k
> >
> >> * details of the chain being delivered to Squid
> >> * details of the expected cross-signing chain(s).
> >
> > There are so many websites which are facing this issue.
> > For instance, "sbv.gov.vn:443".
> >
> > # openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
> > verify depth is 5
>
> ...
> >
> > Could you please add the trusted_first option on squid ?
> >
>
> Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
> had the feature *partially* backported to it.
>
> I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
> this "feature" is the default behaviour. Squid-3 is no longer supported
> for code updates.
>
>
> Amos