[squid-users] Squid Cache Issues migration from 5.8 to 6.6
Alex Rousskov
rousskov at measurement-factory.com
Fri Jul 5 13:33:26 UTC 2024
On 2024-07-04 19:12, Jonathan Lee wrote:
> You also stated .. " my current working theory suggests that we are
> looking at a (default) signUntrusted use case.”
>
> I noticed for Squid documents that default is now set to off ..
The http_port option you are looking at now is not the directive I was
talking about earlier.
> http_port
> tls-default-ca[=off]
> Whether to use the system Trusted CAs. Default is OFF.
>
> Would enabling this resolve the problem in Squid 6.6 for error.
No, the above poorly documented http_port option is for validating
_client_ certificates. It has been off since Squid v4 AFAICT. Your
clients are not sending client certificates to Squid.
According to the working theory, the problem we are solving is related
to server certificates. http_port tls-default-ca option does not affect
server certificate validation. Server certificate validation should use
default CAs by default.
Outside of SslBump, server certificate validation is controlled by
tls_outgoing_options default-ca option. That option defaults to "on". I
am not sure whether SslBump honors that directive/option though. There
are known related bugs in that area. However, we are jumping ahead of
ourselves. We should confirm the working theory first.
> The squid.conf.documented lists it incorrectly
Squid has many directives and a directive may have many options. One
should not use an directive option name instead of a directive name. One
should not use an option from one directive with another directive.
Squid naming is often inconsistent; be careful.
* http_port is a directive. tls-default-ca is an option for that
directive. It is used for client certificate validation. It defaults to
"off" (because client certificates are rarely signed by well-known
(a.k.a. "default") CAs preinstalled in many deployment environments).
* tls_outgoing_options is a directive. default-ca is an option for that
directive. It is used for server certificate validation outside of
SslBump contexts (at least!). It defaults to "on" (because server
certificates are usually signed by well-known (a.k.a. "default") CAs
preinstalled in many deployment environments).
AFAICT, the documentation in question is not wrong (but is insufficient).
Again, I do not recommend changing any Squid configuration
directives/options at this triage state.
Alex.
More information about the squid-users
mailing list