On Mon, 4 Jul 2011 19:25:41 +0000, Ming Fu wrote:
> Hi Amos,
>
> I am trying to make the intermediate certs into the dynamic ssl
> connection.
> Based on the code, the "cert" entry of http_port configure is
> actually a cert chain file. So the configure does have enough info for
> the intermediate cert chain to work. What is missing is when the
> SSL_CTX is dynamically generated, it only added the resigned server
> cert without the chain of certs.
>
> My current difficulty is after I located the dynamic SSL_CTX context,
> how can I find the resigning cert chain defined in configure line
> http_port ..... cert=certfile....
>
> Is it stored in some global?

Squid has nothing to do with the actual cert generation or signing. The
cert= parameter from whichever port is involved (may be multiple
configured) is a helper STDIN parameter received by ssl_crtd. The
certificate as sent to the client is the output of that helper.

The only code you need to alter is in src/ssl/ssl_crtd.cc.

The helper STDIN/STDOUT protocol is documented here:
http://wiki.squid-cache.org/Features/AddonHelpers#SSL_certificate_generation

Amos
Received on Mon Jul 04 2011 - 22:21:25 MDT
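
The chain assembly discussed in this thread, as an added example that is not part of the original messages and is not Squid's or ssl_crtd's code: it splits the PEM file named by cert= into blocks and places the generated server certificate ahead of the file's CERTIFICATE blocks, skipping any private-key block. The names `splitPem` and `buildChain`, the sample data, and the assumption that the file lists the signing certificate first, followed by its issuers, are illustrative.

```cpp
#include <iostream>
#include <string>
#include <vector>

struct PemBlock { std::string label, text; };  // e.g. label "CERTIFICATE"

// Split a PEM bundle into its BEGIN/END blocks; text between blocks is ignored.
std::vector<PemBlock> splitPem(const std::string &bundle) {
    std::vector<PemBlock> blocks;
    const std::string begin = "-----BEGIN ", dashes = "-----";
    std::string::size_type pos = 0;
    while ((pos = bundle.find(begin, pos)) != std::string::npos) {
        const auto labelStart = pos + begin.size();
        const auto labelEnd = bundle.find(dashes, labelStart);
        if (labelEnd == std::string::npos) break;
        const std::string label = bundle.substr(labelStart, labelEnd - labelStart);
        const std::string endTag = "-----END " + label + dashes;
        const auto endPos = bundle.find(endTag, labelEnd);
        if (endPos == std::string::npos) break;  // truncated block: stop parsing
        const auto stop = endPos + endTag.size();
        blocks.push_back({label, bundle.substr(pos, stop - pos) + "\n"});
        pos = stop;
    }
    return blocks;
}

// Chain to present: generated leaf first, then each CERTIFICATE block of the
// configured file in file order. Private-key blocks are never copied.
std::string buildChain(const std::string &leafPem, const std::string &certFile) {
    std::string chain;
    for (const auto &b : splitPem(leafPem))
        if (b.label == "CERTIFICATE") { chain += b.text; break; }
    for (const auto &b : splitPem(certFile))
        if (b.label == "CERTIFICATE") chain += b.text;
    return chain;
}

// Constructed sample data: placeholder bodies, not real certificates or keys.
const std::string kLeaf =
    "-----BEGIN CERTIFICATE-----\nLEAF0000\n-----END CERTIFICATE-----\n";
const std::string kCertFile =
    "-----BEGIN CERTIFICATE-----\nSIGN0000\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nKEY00000\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nINTR0000\n-----END CERTIFICATE-----\n";

int main() {
    std::cout << buildChain(kLeaf, kCertFile);
    return 0;
}
```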