RE: SSLBump and intermediate CA Certificate.


On Mon, 4 Jul 2011 19:25:41 +0000, Ming Fu wrote:
> Hi Amos,
>
> I am trying to make the intermediate certs into the dynamic ssl connection.
> Based on the code, the "cert" entry of http_port configure is
> actually a cert chain file. So the configure does have enough info for
> the intermediate cert chain to work. What is missing is when the
> SSL_CTX is dynamically generated, it only added the resigned server
> cert without the chain of certs.
>
> My current difficulty is after I located the dynamic SSL_CTX context,
> how can I find the resigning cert chain defined in configure line
> 	http_port ..... cert=certfile....
>
> Is it stored in some global?

Squid has nothing to do with the actual cert generation or signing. The cert= parameter from whichever port is involved (may be multiple configured) is a helper STDIN parameter received by ssl_crtd. The certificate as sent to the client is the output of that helper.

The only code you need to alter is in src/ssl/ssl_crtd.cc.

The helper STDIN/STDOUT protocol is documented here:
http://wiki.squid-cache.org/Features/AddonHelpers#SSL_certificate_generation


Amos
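
An added example, not part of the original thread and not Squid code: a way to check for the symptom described above, where the client receives only the re-signed server certificate and none of the certificates from the `cert=` chain file. The function names and the sample PEM blocks are constructed for illustration; the payloads are placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate block, in file order."""
    prints = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def missing_chain_certs(chain_file_pem, presented_pem):
    """Certificates from the configured chain file that the client never received.

    Assumption: every block in the chain file is a signing or intermediate
    certificate the client needs. A trust-anchor root kept in the same file
    would also be reported, so leave it out of the input if clients hold it.
    """
    configured = pem_fingerprints(chain_file_pem)
    if not configured:
        raise ValueError("no certificates found in chain file")
    presented = set(pem_fingerprints(presented_pem))
    return [fp for fp in configured if fp not in presented]


def _pem(payload):
    # Constructed stand-in for a certificate: arbitrary bytes in PEM armour.
    b64 = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample data (not real certificates).
SIGNING = _pem(b"signing-ca")
INTERMEDIATE = _pem(b"intermediate-ca")
LEAF = _pem(b"resigned-leaf")
CHAIN_FILE = SIGNING + INTERMEDIATE          # contents of the cert= file
LEAF_ONLY = LEAF                             # behaviour described in the thread
FULL_CHAIN = LEAF + SIGNING + INTERMEDIATE   # what a chain-aware context sends
```

The presented certificates can be captured from a client connection through the proxy, for example from the output of `openssl s_client -showcerts`, and passed in as text.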


