On 12/14/2015 04:48 PM, Marcus Kool wrote:
> On 12/14/2015 09:16 PM, Amos Jeffries wrote:
>> Squid may be horribly sending
>> all-but-one of the certs needed, on the assumption that the signing cert
>> is itself installed on the client.
> The RFC says that it is not necessary to send the signing CA certificate.

Sending the CA certificate is usually both unnecessary (because the clients must have it) and borderline dangerous (because some clients do not expect this extra information). This is why, I bet, Squid does not send the signing certificate in some cases.

On the other hand, sending the signing certificate is necessary if that signing certificate is not the CA certificate expected to be stored by clients. IIRC, we have fixed at least one Squid bug in this area in 2015, but I do not have a reference handy.

And there are actually situations in-between the two extremes above because a CA (well-known and not) often has its own CA certificate hierarchy, and some clients may trust intermediate CA certificates [with or without storing the root CA certificate].

The above does not answer the OP question. The answer may go something like this: If you expect your clients to store your signing certificate, then you can configure Squid to sign with that certificate and not worry about any higher-level (closer to root) certificate that may or may not exist. On the other hand, if your clients are storing a higher-level certificate, then you need to test whether Squid does the right thing (i.e., sends the intermediate certificate which also happens to be the signing certificate). If Squid does not do the right thing, file a bug report.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
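The "test whether the client accepts the chain" step from the message above can be rehearsed offline. The script below is an added example, not code from the thread or from Squid: it builds a throwaway root CA, an intermediate "signing" CA and a leaf certificate with the openssl CLI (all names, such as origin.example.test, are constructed), then plays the client's verification for the cases the message distinguishes: the client stores the root, so the intermediate must travel with the leaf; or the client stores the signing certificate itself, where the outcome depends on whether the client accepts a trusted non-root anchor (openssl's -partial_chain) or insists on reaching a self-signed root. It assumes only that an openssl binary (1.0.2 or later, for -partial_chain) is on PATH.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or from Squid itself): build a
# constructed three-tier PKI with the openssl CLI and check which chains a
# client accepts, depending on which certificate it has stored.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the CA certificates and for the leaf (constructed).
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:origin.example.test
EOF

# build_pki: root CA -> intermediate (the signing CA a bumping proxy would use)
# -> leaf, which stands in for a generated server certificate.
build_pki() {
  cfg="$WORK/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -config "$cfg" -extensions v3_ca -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Signing CA" \
    -config "$cfg" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$cfg" -extensions v3_ca -out "$WORK/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=origin.example.test" \
    -config "$cfg" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$cfg" -extensions v3_leaf -out "$WORK/leaf.crt" 2>/dev/null
}

# verify_as_client TRUST_STORE [extra openssl verify options]
# Plays the client: TRUST_STORE is what the client has installed; an -untrusted
# argument stands for certificates the proxy sent alongside the leaf.
# Exit status 0 means the leaf validated, non-zero means it was rejected.
verify_as_client() {
  store=$1; shift
  openssl verify -CAfile "$store" "$@" "$WORK/leaf.crt" >/dev/null 2>&1
}

# report: human-readable wrapper around verify_as_client.
report() {
  if verify_as_client "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi
}

build_pki
echo "client stores the root CA:"
report "$WORK/root.crt"                               # leaf alone: rejected
report "$WORK/root.crt" -untrusted "$WORK/inter.crt"  # leaf + intermediate sent: accepted
echo "client stores the signing (intermediate) CA:"
report "$WORK/inter.crt"                # client insists on a self-signed root: rejected
report "$WORK/inter.crt" -partial_chain # client accepts a trusted non-root anchor: accepted
```

The -untrusted file is the stand-in for "what the proxy sent": if the leaf validates only when that file is present, the proxy must send the intermediate for clients that store just the root. Against a live proxy the same check is `openssl s_client -connect host:port -showcerts`, comparing the certificates it prints with what the clients actually have installed.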