On 28/04/2015 9:08 a.m., Tom Harris wrote:
> In SSL bump mode, I find I am hitting sites with incomplete certificate
> chains fairly often. When accessed directly, browsers will work it out -
> I guess by downloading the missing CA certs.
>
> I know I can load the intermediate CA certs in my system DB as I encounter
> the issues. But, I'm wondering if others have more proactive solutions.
> Is there a list of commonly encountered certs, maybe just a subset like the
> top tier CAs?

Make sure that your set of trusted CAs used by OpenSSL is up to date. It changes monthly or so in my experience. On Linux distros it tends to be the "ca-certificates" software package.

You also have the alternative of building your own list from the ones you hit. Though this can lead to security problems if you don't take great care. I suggest at least following the news about what organisations have been blacklisted from the global Trusted-CA set and why, if you take this path.

> Or, is this being addressed in code making squid behave
> like browsers do?

The TLS specification says the sender is responsible for delivering the entire cert chain except (optionally) those in the global Trusted-CA set.

Do you really think it's a good idea to continue talking to broken and misconfigured HTTPS servers in the modern Internet?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
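The check behind Amos's point, as an added example that is not part of the thread and not Squid code: the server must send every certificate between its own and a trusted root, so "is the chain complete?" is just "does the leaf verify against the trusted-CA bundle plus what the server itself presented?" The script below answers that with the openssl CLI. To run offline it builds its own throwaway root -> intermediate -> leaf PKI; the CA names, www.example.test, the `chain_complete`/`build_test_pki`/`fetch_presented_chain` function names and the bundle path are all assumptions for this example, and only `fetch_presented_chain` touches the network.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Determines whether the chain a
# TLS server presents is complete relative to a trusted-CA bundle, using only
# the openssl CLI. A local test PKI (root -> intermediate -> leaf) is built so
# the check can be exercised offline; all names below are made up.

# chain_complete BUNDLE PRESENTED
#   BUNDLE    trusted roots, e.g. /etc/ssl/certs/ca-certificates.crt (assumed path)
#   PRESENTED PEM file in the order the server sent it, leaf first (RFC 5246 7.4.2)
# Exit 0 when the leaf verifies using only the roots in BUNDLE plus the
# certificates the server itself presented; non-zero when an intermediate is missing.
chain_complete() {
  bundle=$1; presented=$2
  leaf=$(mktemp)
  # The first certificate in the file is the server's own certificate.
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print}' "$presented" > "$leaf"
  # -untrusted supplies the intermediates the server sent (the leaf being in
  # there too is harmless); nothing outside BUNDLE is treated as a root.
  openssl verify -CAfile "$bundle" -untrusted "$presented" "$leaf" >/dev/null 2>&1
  rc=$?
  rm -f "$leaf"
  return $rc
}

# fetch_presented_chain HOST:PORT OUT
# Saves exactly what a live server sends (network; not used by the offline demo).
fetch_presented_chain() {
  printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' > "$2"
}

# build_test_pki DIR
# Creates root.pem, int.pem, leaf.pem plus two "presented" files: the chain a
# correctly configured server sends and the one a misconfigured server sends.
build_test_pki() {
  dir=$1
  cfg=$dir/openssl.cnf
  cat > "$cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  # Unquoted on purpose: expands to several openssl arguments (P-256 key, no passphrase).
  key="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
  openssl req -x509 -config "$cfg" -extensions ca_ext $key -keyout "$dir/root.key" \
    -out "$dir/root.pem" -subj "/CN=Example Test Root" -days 1 2>/dev/null || return 1
  openssl req -new -config "$cfg" $key -keyout "$dir/int.key" -out "$dir/int.csr" \
    -subj "/CN=Example Test Intermediate" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -extfile "$cfg" -extensions ca_ext -out "$dir/int.pem" 2>/dev/null || return 1
  openssl req -new -config "$cfg" $key -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=www.example.test" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -extfile "$cfg" -extensions leaf_ext -out "$dir/leaf.pem" 2>/dev/null || return 1
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/presented_full.pem"   # what the spec requires
  cp "$dir/leaf.pem" "$dir/presented_broken.pem"                    # leaf only, no intermediate
}

demo() {
  dir=$(mktemp -d)
  build_test_pki "$dir" || { echo "openssl could not build the test PKI"; rm -rf "$dir"; return 1; }
  for f in presented_full presented_broken; do
    if chain_complete "$dir/root.pem" "$dir/$f.pem"; then
      echo "$f: chain complete"
    else
      echo "$f: incomplete chain (intermediate not presented)"
    fi
  done
  rm -rf "$dir"
}

demo
```

Against a real proxy target the same check is `fetch_presented_chain host:443 presented.pem && chain_complete /etc/ssl/certs/ca-certificates.crt presented.pem`; a failure there is the server's misconfiguration, and dropping the missing intermediate into the bundle as a trusted root would silently widen what the proxy accepts, which is why Amos warns against doing that carelessly.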