Re: How are others handling missing intermediate certificates?

On 28/04/2015 9:08 a.m., Tom Harris wrote:
> In SSL bump mode, I find I am hitting sites with incomplete certificate
> chains fairly often.   When accessed directly, browsers will work it out -
> I guess by downloading the missing CA certs.
> 
> I know I can load the intermediate CA certs in my system DB as I encounter
> the issues.   But, I'm wondering if others have more proactive solutions.
> Is there a list of commonly encountered certs, maybe just a subset like the
> top tier CAs?

Make sure that your set of trusted-CA used by OpenSSL is up to date. It
changes monthly or so in my experience. On Linux distros it tends to be
the "ca-certificates" software package.

You also have the alternative of building your own list from the ones
you hit. Though this can lead to security problems if you don't take
great care. I suggest at least following the news about what
organisations have been blacklisted from the global Trusted-CA and why
if you take this path.


>    Or, is this being addressed in code making squid behave
> like browsers do?

TLS specification says the sender is responsible for delivering the
entire cert chain except (optionally) those in the global Trusted-CA set.

Do you really think it's a good idea to continue talking to broken and
misconfigured HTTPS servers in the modern Internet?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
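The failure Tom describes, and the two ways out of it that the thread mentions (the server sending its full chain as TLS requires, versus the operator stuffing the intermediate into the local trust store), can be reproduced offline with nothing but the openssl command-line tool. The script below is an added illustration, not code from the thread or from the Squid project. It generates a throwaway three-tier hierarchy (the names "Example Root CA", "Example Intermediate CA" and "www.example.test" are constructed) and then runs openssl verify the way Squid's OpenSSL-based validation sees the server: once with only the leaf, once with the leaf plus intermediate, and once with the intermediate pre-loaded into the trust bundle.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or Squid itself):
# reproduce an "incomplete certificate chain" failure and the two fixes
# discussed above, using a throwaway CA hierarchy in a temp directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> server leaf. Idempotent so it can be re-run.
make_chain() {
    [ -f "$WORK/leaf.pem" ] && return 0
    # Root CA: self-signed, CA:TRUE.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 7 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
    # Intermediate CA: signed by the root, also CA:TRUE.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 7 -sha256 -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.pem" >/dev/null 2>&1
    # Server leaf: signed by the intermediate only (never by the root).
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 7 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Validate the leaf with only the root trusted. $1 is the extra, untrusted
# material a server hands over in the TLS handshake ("" = leaf only).
verify_leaf() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    fi
}

# Case 1: misconfigured server sends only its leaf. OpenSSL reports
# "unable to get local issuer certificate"; Squid's bump would fail the same way.
incomplete_chain_fails() {
    make_chain
    if verify_leaf ""; then echo no; else echo yes; fi
}

# Case 2: server sends leaf + intermediate, as the TLS spec requires.
complete_chain_verifies() {
    make_chain
    if verify_leaf "$WORK/inter.pem"; then echo yes; else echo no; fi
}

# Case 3: the operator's workaround from the thread: the intermediate is added
# to the local trust bundle (as with dropping it into ca-certificates), so the
# leaf-only server validates anyway. Works, but now *you* own that trust decision.
intermediate_in_store_verifies() {
    make_chain
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
    if openssl verify -CAfile "$WORK/bundle.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

echo "leaf only, verification fails:           $(incomplete_chain_fails)"
echo "leaf + intermediate sent, verifies:      $(complete_chain_verifies)"
echo "intermediate in local store, verifies:   $(intermediate_in_store_verifies)"
```

Case 3 is exactly why Amos warns about building your own list: every intermediate you add to the bundle becomes something your proxy trusts regardless of what the server sends, so a later revocation or blacklisting of that CA is not picked up unless you track it yourself, which is what keeping the distribution's ca-certificates package current does for you.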




