Re: [PATCH] sslBump: Send intermediate CA

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Thu, 27 Oct 2011 13:42:22 +0300

If there is no objection, I will commit this patch to trunk.

On 10/21/2011 04:49 PM, Tsantilas Christos wrote:
> SslBump code assumed that it is signing generated certificates with a
> root CA certificate. Root certificates are usually not sent along with
> the server certificates because clients must have them independently
> installed or built-in. Squid was not sending the signing certificate.
>
> In many environments, the Squid signing certificate is an intermediate
> (i.e., it belongs to a non-root CA). If Squid does not send that intermediate
> signing certificate with the generated one, the client will not be able
> to establish a complete chain of trust from the generated fake to the
> root CA certificate, leading to errors.
>
> With this change, Squid may send the signing certificate (along with the
> generated one) using the following rules:
>
> * If the configured signing certificate is self-signed,
> then just send the generated certificate alone.
> Note that root CA certificates are self-signed (by root CA).
>
> * Otherwise (i.e., if the configured signing certificate is an
> intermediate CA certificate), send both the intermediate CA
> and the generated fake certificate.
>
>
> This is a Measurement Factory Project
Received on Thu Oct 27 2011 - 10:42:45 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 27 2011 - 12:00:13 MDT
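The chain rule described in the message, modelled as an added example. This is not Squid's code (Squid is C++ on OpenSSL and its exact self-signed test is not quoted above); the Python below only shows the decision and why the old behaviour failed clients. It uses the structural self-signed test (issuer Name equals subject Name) and skips the signature-with-own-key check a real implementation would also do; the certificates are constructed ASN.1 skeletons with dummy signatures, built here so the example runs offline.

```python
"""Squid SslBump chain rule from the message above, modelled in pure Python.

Added example, not Squid's own code. The certificates are constructed
X.509 skeletons with dummy signatures; only their structure is real.
"""


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def issuer_and_subject(cert_der):
    """Return (issuer, subject) as the raw DER Name contents of a certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    tag2, tbs, _ = read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = nxt
    _, _, pos = read_tlv(tbs, pos)             # serialNumber
    _, _, pos = read_tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)        # issuer Name
    _, _, pos = read_tlv(tbs, pos)             # validity
    _, subject, _ = read_tlv(tbs, pos)         # subject Name
    return issuer, subject


def is_self_signed(cert_der):
    """Structural test only (issuer == subject). A full check would also verify
    the signature with the certificate's own public key, which needs a crypto
    library and is deliberately left out of this stdlib-only model."""
    issuer, subject = issuer_and_subject(cert_der)
    return issuer == subject


def bump_chain(generated_der, signing_der):
    """Certificates to send to the client, in order, per the rules in the patch."""
    if is_self_signed(signing_der):
        return [generated_der]                 # signer is a root: client has it already
    return [generated_der, signing_der]        # signer is an intermediate: ship it too


def client_can_build_chain(sent, trusted_roots):
    """Simplified client view: each issuer must match the next subject, ending at a trusted root."""
    root_subjects = {issuer_and_subject(r)[1] for r in trusted_roots}
    for i, cert in enumerate(sent):
        issuer, _ = issuer_and_subject(cert)
        if i + 1 < len(sent):
            if issuer_and_subject(sent[i + 1])[1] != issuer:
                return False
        else:
            return issuer in root_subjects
    return False


def _name(cn):
    """Name ::= SEQUENCE OF SET OF (OID commonName, UTF8String)."""
    attr = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, attr))


def toy_cert(subject_cn, issuer_cn):
    """Constructed X.509 v3 skeleton with a dummy signature (not a real certificate)."""
    sha256_rsa = tlv(0x30, tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + tlv(0x05, b""))
    rsa = tlv(0x30, tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"111027000000Z") + tlv(0x17, b"211027000000Z"))
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, b"\x01") + tlv(0x02, b"\x01\x00\x01"))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sha256_rsa
              + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" + b"\xAA" * 16))


# Constructed sample chain: root -> intermediate -> generated (fake) server certificate.
ROOT = toy_cert("Example Root CA", "Example Root CA")
INTERMEDIATE = toy_cert("Example Intermediate CA", "Example Root CA")
FAKE = toy_cert("www.example.com", "Example Intermediate CA")

if __name__ == "__main__":
    print("signing cert is a self-signed root:", is_self_signed(ROOT))
    print("certs sent when signing with the intermediate:", len(bump_chain(FAKE, INTERMEDIATE)))
    print("client can chain with leaf only (old behaviour):", client_can_build_chain([FAKE], [ROOT]))
    print("client can chain with patched behaviour:",
          client_can_build_chain(bump_chain(FAKE, INTERMEDIATE), [ROOT]))
```

To check the behaviour of a real bumping proxy rather than this model, connect through it with `openssl s_client -connect <host>:<port> -showcerts` and count the certificates in the output: with an intermediate signing certificate there should be two, the generated one followed by the intermediate.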