[PATCH] sslBump: Send intermediate CA

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Fri, 21 Oct 2011 16:49:13 +0300

SslBump code assumed that it is signing generated certificates with a
root CA certificate. Root certificates are usually not sent along with
the server certificates because clients must have them independently
installed or built-in. Squid was not sending the signing certificate.

In many environments, Squid's signing certificate is intermediate (i.e.,
it belongs to a non-root CA). If Squid does not send that intermediate
signing certificate with the generated one, the client will not be able
to establish a complete chain of trust from the generated fake to the
root CA certificate, leading to errors.

With this change, Squid may send the signing certificate (along with the
generated one) using the following rules:

    * If the configured signing certificate is self-signed,
      then just send the generated certificate alone.
      Note that root CA certificates are self-signed (by root CA).

    * Otherwise (i.e., if the configured signing certificate is an
      intermediate CA certificate), send both the intermediate CA
      and the generated fake certificate.

This is a Measurement Factory Project

Received on Fri Oct 21 2011 - 13:49:31 MDT
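The two rules above, modelled end to end with the openssl CLI as an added example that is not part of the patch or of Squid: a constructed root CA, an intermediate it issues, and a generated certificate signed by each; `certs_to_send` applies the patch's rule and `client_verifies` checks the result from a client that trusts only the root. It assumes `openssl` 1.1.1 or later is on PATH; all names, files and functions are constructed for this example.

```sh
# Added example, not Squid code: the patch's chain rule modelled with the openssl CLI.
# Assumes openssl 1.1.1+ on PATH; every CA, key and "fake" cert is constructed below.
set -e
W=$(mktemp -d); cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# Root CA: self-signed, as real roots are, and never sent on the wire.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -sha256 -extfile ca.ext \
  -out root.crt 2>/dev/null

# Intermediate CA issued by the root: the kind of signing cert Squid is often given.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Squid Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 -sha256 \
  -extfile ca.ext -out int.crt 2>/dev/null

mint_fake() {  # $1 = signing cert, $2 = its key, $3 = output: the cert SslBump generates
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.test" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1" -CAkey "$2" -CAcreateserial -days 1 -sha256 \
    -out "$3" 2>/dev/null
}
mint_fake root.crt root.key fake-by-root.crt
mint_fake int.crt int.key fake-by-int.crt

is_self_signed() {  # issuer name equals subject name and the cert verifies under its own key
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

certs_to_send() {  # $1 = signing cert, $2 = generated cert; prints the chain, leaf first
  echo "$2"
  is_self_signed "$1" || echo "$1"   # a root is omitted, an intermediate is appended
}

verify_chain() {  # $1 = generated cert, $2 = optional intermediate received with it; OK/FAIL
  if [ $# -ge 2 ]; then
    openssl verify -CAfile root.crt -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile root.crt "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

client_verifies() {  # what a client trusting only root.crt concludes after the patch's rule
  verify_chain "$2" $(certs_to_send "$1" "$2" | sed 1d)
}
```

`verify_chain fake-by-int.crt` with no second argument reproduces the pre-patch failure: the client holds only the root and cannot link the generated certificate to it.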
