-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This looks like: the Root CA doesn't send; the Subordinate CA is used as the signer for the mimicked certificates. All and any clients got a security alert.

On 16.12.15 1:38, Alex Rousskov wrote:
> On 12/14/2015 04:48 PM, Marcus Kool wrote:
>> On 12/14/2015 09:16 PM, Amos Jeffries wrote:
>>> Squid may be horribly sending
>>> all-but-one of the certs needed, on the assumption that the signing cert
>>> is itself installed on the client.
>
>> The RFC says that it is not necessary to send the signing CA certificate.
>
> Sending the CA certificate is usually both unnecessary (because the
> clients must have it) and borderline dangerous (because some clients do
> not expect this extra information). This is why, I bet, Squid does not
> send the signing certificate in some cases.
>
> On the other hand, sending the signing certificate is necessary if that
> signing certificate is not the CA certificate expected to be stored by
> clients. IIRC, we have fixed at least one Squid bug in this area in
> 2015, but I do not have a reference handy.
>
> And there are actually situations in-between the two extremes above
> because a CA (well-known and not) often has its own CA certificate
> hierarchy, and some clients may trust intermediate CA certificates [with
> or without storing the root CA certificate].
>
> The above does not answer the OP question. The answer may go something
> like this:
>
> If you expect your clients to store your signing certificate, then you
> can configure Squid to sign with that certificate and not worry about
> any higher-level (closer to root) certificate that may or may not exist.
> On the other hand, if your clients are storing a higher-level
> certificate, then you need to test whether Squid does the right thing
> (i.e., sends the intermediate certificate which also happens to be the
> signing certificate). If Squid does not do the right thing, file a bug
> report.
>
>
> HTH,
>
> Alex.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWcoqdAAoJENNXIZxhPexGykoIAJsF/fkG0HvtMH6ACAYyc9WN
4+1z/UpVrNID4tSJapFPaCBFJ6pGcSQrAXzSzT+94nQZJMMStverO94x+YJ8a4bp
hpVzewc0jVu4PCW0+V8YyvCvx0O4/sbEhWywc/dNz22KdAt6JhyWmaJTn22/JYMb
xlvEYQ0wZ0r/u2+WMTbcMq1cyAESCYouZSxsmhQubM60d3ZUs25I3AUULEHguzXp
JO29tZcy1ZUzQZ9bCmVIwJTHfAjK3jTFRw66LpB2sooMb1O/Xfm+HGbndnpi1+ab
98/1Lhz4hTNJRFu4fxMbt1+VqXxp1q3OQA8OOOrbBu8vluFdB3WqwwqV/ACGsPo=
=zzWl
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
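The cases Alex lays out above (clients that store the signing CA versus clients that store a higher-level root, and a proxy that does or does not send the intermediate) can be reproduced offline before filing a bug. The Go program below is an added example, not code from this thread or from Squid: it builds a throwaway root -> signing CA -> leaf hierarchy with crypto/x509, then runs a real TLS handshake over loopback for each combination of what the server presents and what the client has stored. A plain Go TLS server stands in for the proxy's bumping side, and the names "Test Root CA", "Test Signing CA" and "origin.example" are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // panic on error: fine for a throwaway demo PKI
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a cert named cn; nil parent = self-signed root, isCA = root or signing CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: a server certificate for the constructed origin name
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	issuer, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, signer = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// handshake runs one TLS handshake over loopback: sent is the chain the server presents
// (leaf first), trusted is what the client stores. nil means the client accepted the cert.
func handshake(leafKey *ecdsa.PrivateKey, sent, trusted []*x509.Certificate) error {
	srvCert := tls.Certificate{PrivateKey: leafKey}
	for _, c := range sent {
		srvCert.Certificate = append(srvCert.Certificate, c.Raw)
	}
	pool := x509.NewCertPool()
	for _, t := range trusted {
		pool.AddCert(t)
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() { // stand-in for the proxy's server side
		if c, err := ln.Accept(); err == nil {
			s := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{srvCert}})
			s.Handshake() // a client rejection arrives here as a TLS alert
			s.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "origin.example"})
	if err == nil {
		cli.Close()
	}
	return err
}

// chainOutcomes builds root -> signing CA -> leaf and reports which cases the client accepts.
func chainOutcomes() map[string]bool {
	root, rootKey := newCert("Test Root CA", true, nil, nil)
	signing, signingKey := newCert("Test Signing CA", true, root, rootKey)
	leaf, leafKey := newCert("origin.example", false, signing, signingKey)
	cases := map[string][2][]*x509.Certificate{ // {what the server sends, what the client stores}
		"client stores root, server sends leaf only":         {{leaf}, {root}},
		"client stores root, server sends leaf+signing":      {{leaf, signing}, {root}},
		"client stores root, server sends leaf+signing+root": {{leaf, signing, root}, {root}},
		"client stores signing CA, server sends leaf only":   {{leaf}, {signing}},
	}
	out := map[string]bool{}
	for name, c := range cases {
		out[name] = handshake(leafKey, c[0], c[1]) == nil
	}
	return out
}

func main() {
	for name, ok := range chainOutcomes() {
		fmt.Printf("%-52s accepted=%v\n", name, ok)
	}
}
```

The first case is the failure mode the thread is about: a client that only stores the root, facing a server that sends just the leaf, fails with an unknown-authority error, while adding the signing CA to what is sent fixes it and sending the root as well is harmless but unnecessary. The last case depends on the client's TLS stack: Go's verifier treats any certificate in RootCAs as a trust anchor, so storing the signing CA alone is enough, whereas OpenSSL-based clients by default require the chain to reach a self-signed root unless partial-chain verification is enabled; that is the "with or without storing the root CA certificate" distinction Alex mentions, and it is worth testing with the actual client software rather than assuming.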