On 23/10/2015 12:02 a.m., Sebastian Kirschner wrote:
> Hi Amos,
>
> thanks for your reply.
>
> Maybe we got a misunderstanding or I have a "false" opinion of the sentence I quoted before.
>
> I thought you could say to me what checks would definitely be performed in a "standard" installation with openssl,
> not only that you believe that the X.509 certificate syntax and properties would be checked for correctness and the signer.
>

Currently it is an "I believe" because I am only part way through learning the SSL related code and refactoring it for TLS support. Those are the checks I have seen being enabled to happen so far; there may yet be some more hiding elsewhere later in the transaction handling.

They are all configurable, and in my experience it is a rarity for people to actually use the default config settings. Normally we see configs being posted disabling the verifications or restricting ciphers and OpenSSL feature usage.

The X.509 syntax and TLS extension checks are all library dependent to begin with. The squid default config just enables the library to do its default of those, and to check the system CA signings. Everything else, including whether the helper is used, is administrative choice.

> I'm sorry for these remarks, but for me it's important to know what checks would be performed to prevent another on the same thing and slow down the "process".
>

Understood. FWIW the result of the above checks (what gets done) gets passed to the helper.

>
> Another question regarding the Options from "sslcrtvalidator_program",
> ttl " TTL in seconds for cached results. The default is 60 secs"
>
> Are the cached results referring to the sslhost?

I'm not sure. I've not reached the validator helper code yet in my refactoring.

IIRC that is the helper lookup cache TTL. To prevent the helper being queried for the identical work multiple times in a row. All helpers have such a cache.
The cache key is the exact byte sequence for the "line" passed to the helper, excluding the channel-ID field.

>
> For example, I configured that the TTL is 12 hours.
> A request from Client A is performed to https://www.google.com, the validator reports back to squid that the certificate is ok and the connection would be spliced/bumped,
> 1 hour later Client B performs a request again to https://www.google.com, would squid use the "cached" answer from the validator?
>

If a) my recollection is right, and b) the internal validation results in the same helper query details being passed to the helper, then yes.

If something happens like different TLS extensions being negotiated and resulting in even slightly different error message from internal validation - then the lookups will be different and a re-check will be needed.

>
> And another question regarding the cache option.
> What from the response would be cached, the complete one or maybe only the sslhost and response code?

The helper response cache stores helper response "lines", excluding the channel-ID. So it can act as if the helper was queried but produced the same result as the previous lookup.

>
> Would it be defined as byte in as the validator and speak?

8 bits is one byte. This is network terminology, not specific to the helper.

The helper protocol is UTF-8 capable, though usually only the ASCII characters are used.

Amos
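The caching rule Amos describes above (key = the request line minus its channel-ID, results valid for `ttl` seconds) is worth seeing in action, because it explains both why Client B's lookup is served from cache and why a slightly different internal validation message forces a fresh helper query. The following is an added model written for this thread, not Squid's code; the `cert_validate` request bodies, the `OK 0` reply and the numeric channel-ID prefix are constructed for illustration, and only the keying and TTL behaviour comes from the thread.

```python
"""Model of a Squid-style helper lookup cache with a TTL.

Added example, not Squid's implementation. Constructed assumptions:
request lines start with a numeric channel-ID followed by a space, and
the validator replies "<channel-ID> OK 0 ". The thread supplies the
rule being modelled: cache key = line without channel-ID, entries
expire after `ttl` seconds.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
import time


def strip_channel_id(line: bytes) -> bytes:
    """Return the helper line without its leading channel-ID field.

    Concurrent helpers prefix each line with a channel-ID (assumed numeric
    here). Excluding it from the key lets identical work asked on different
    channels share one cache entry.
    """
    channel, sep, rest = line.partition(b" ")
    if sep and channel.isdigit():
        return rest
    return line  # no channel-ID present: key is the whole line


@dataclass
class HelperCache:
    ttl: float                                  # seconds, like sslcrtvalidator_program ttl=
    clock: Callable[[], float] = time.monotonic
    hits: int = 0
    misses: int = 0
    _entries: Dict[bytes, Tuple[bytes, float]] = field(default_factory=dict, init=False)

    def lookup(self, request_line: bytes, query_helper: Callable[[bytes], bytes]) -> bytes:
        key = strip_channel_id(request_line)
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None and now - entry[1] < self.ttl:
            self.hits += 1
            return entry[0]                     # act as if the helper answered again
        self.misses += 1
        response = strip_channel_id(query_helper(request_line))
        self._entries[key] = (response, now)    # stored without channel-ID as well
        return response


class FakeClock:
    """Deterministic clock so the scenario can jump hours ahead."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def fake_validator(request_line: bytes) -> bytes:
    """Stand-in for the validator helper: echoes the channel-ID, answers OK.
    Constructed for the example; a real helper would inspect the certificate."""
    channel, _, _ = request_line.partition(b" ")
    return channel + b" OK 0 "


def run_scenario() -> Dict[str, int]:
    """Replays the thread's scenario: ttl=12h, Client A, Client B an hour later,
    a request with a different internal-validation message, then TTL expiry."""
    clock = FakeClock()
    cache = HelperCache(ttl=12 * 3600, clock=clock)

    # Constructed request bodies (not the real wire format).
    client_a = b"1 cert_validate 36 host=www.google.com\nerrors=none\n"
    client_b = b"7 cert_validate 36 host=www.google.com\nerrors=none\n"   # other channel, same work
    client_c = b"1 cert_validate 44 host=www.google.com\nerrors=unknown_ca\n"  # different message

    cache.lookup(client_a, fake_validator)   # t=0h   -> miss, helper queried
    clock.advance(3600)
    cache.lookup(client_b, fake_validator)   # t=1h   -> hit, channel-ID ignored
    cache.lookup(client_c, fake_validator)   # t=1h   -> miss, key differs by one field
    clock.advance(12 * 3600)
    cache.lookup(client_b, fake_validator)   # t=13h  -> miss, entry older than ttl
    return {"hits": cache.hits, "misses": cache.misses}


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the replay is the third lookup: the host is the same, yet a single differing field in the line Squid builds from its internal checks yields a different key, so the cache cannot help and the helper runs again. Raising `ttl` therefore only saves work when the whole line repeats byte for byte.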