
Re: Squid 4.x: Intermediate certificates downloader

23.01.2017 23:31, Alex Rousskov wrote:
> On 01/23/2017 04:28 AM, Yuri wrote:
>
>> 1. How does it work? 
> My response below and the following commit message might answer some of
> your questions:
>
>     http://bazaar.launchpad.net/~squid/squid/5/revision/14769
>
>> I.e., where downloaded certs stored, how it
>> handles, does it saves anywhere to disk?
> Missing certificates are fetched using HTTP[S]. Certificate responses
> should be treated as any other HTTP[S] responses with regard to caching.
> For example, if you have disk caching enabled and your caching rules
> (including defaults) allow certificate response caching, then the
> response should be cached. Similarly, the cached certificate will
> eventually be evicted from the cache following regular cache maintenance
> rules. When that happens, Squid will try to fetch the certificate again
> (if it becomes needed again).
I.e., the fetched intermediate certificate is stored only in the memory cache of the

sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB

daemon, right? And is never stored anywhere on disk?
>
>
>> 2. How this feature is related to sslproxy_foreign_intermediate_certs,
>> how it can interfere with it?
> AFAICT by looking at the code, Squid only downloads certificates that
> Squid is missing when trying to build a complete certificate chain for a
> given server connection. Any sslproxy_foreign_intermediate_certs are
> used as needed during the chain building process (i.e., they are _not_
> "missing").
Ok, so this file is used for completing chains, and it contains only
statically (manually) added certs, right?

I.e., the downloader should not save fetched intermediate CAs here, which
would be logical, wouldn't it?
>
>
>> Release notes contain nothing about this feature. The wiki contains only
>> one mention in passing that this functionality exists in principle.
> I agree that this feature lacks documentation. This is, in part, because
> the feature has no configuration options that normally force developers
> to document at least some of the code logic. We should add a few words
> about it to sslproxy_foreign_intermediate_certs documentation.
>
>
> FWIW, we are also adding an ACL to identify internal transactions that
> fetch missing certificates.
>
>
> HTH,
>
> Alex.
>

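The chain-building behaviour Alex describes, as an added, runnable example that is not Squid's code and not part of the thread: it builds a constructed offline PKI with the openssl CLI, shows that a server leaf fails to verify while its issuing CA is neither in the trust store nor in a statically configured intermediates file, that such a file (the role sslproxy_foreign_intermediate_certs plays) completes the chain without any fetch, and that the place a downloader looks for a missing issuer is the leaf's Authority Information Access caIssuers URL. The CA names, the hostname and the AIA URL are assumptions, and a local directory stands in for the HTTP[S] server the URL would name; caching of the fetched response is left to the proxy's regular cache rules, as the reply says, and is not modelled here.

```shell
#!/bin/sh
# Added example, not Squid code: model the chain-building situation from the
# thread with a constructed, offline three-tier PKI (root -> issuing CA ->
# server leaf).  Requires the openssl CLI.  CA names, hostname and the AIA
# URL are assumptions; the "store" directory stands in for the HTTP[S] fetch
# Squid would make, so the example runs without network access.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

AIA_URL="http://pki.example.test/intermediate.crt"   # hypothetical caIssuers URL

# Minimal OpenSSL config holding the extension sections we sign with.
cat > ext.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityInfoAccess = caIssuers;URI:$AIA_URL
EOF

gen_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# Root (self-signed), issuing CA (signed by root), leaf (signed by issuing CA,
# carrying the AIA pointer to the issuing CA's certificate).
gen_key root.key
openssl req -new -x509 -key root.key -out root.pem -days 30 \
  -subj "/CN=Example Root CA" -config ext.cnf -extensions v3_ca 2>/dev/null
gen_key inter.key
openssl req -new -key inter.key -out inter.csr -subj "/CN=Example Issuing CA" \
  -config ext.cnf 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile ext.cnf -extensions v3_ca 2>/dev/null
gen_key leaf.key
openssl req -new -key leaf.key -out leaf.csr -subj "/CN=www.example.test" \
  -config ext.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile ext.cnf -extensions v3_leaf 2>/dev/null

# Offline stand-in for the web server the AIA URL points at (constructed).
mkdir store
cp inter.pem store/intermediate.crt

# Exit 0 if LEAF chains to the anchors in CAFILE; the optional, possibly empty
# UNTRUSTED bundle plays the part of sslproxy_foreign_intermediate_certs.
chain_verifies() {
  leaf=$1; cafile=$2; untrusted=${3:-}
  if [ -n "$untrusted" ] && [ -s "$untrusted" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
  fi
}

# Print the caIssuers URL from the leaf's Authority Information Access extension.
leaf_aia_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *CA Issuers - URI:\(.*\)$/\1/p'
}

# "Fetch" the certificate named by URL from STORE into OUT; exit 1 if absent.
fetch_issuer() {
  url=$1; store=$2; out=$3
  if [ -f "$store/$(basename "$url")" ]; then cp "$store/$(basename "$url")" "$out"; else return 1; fi
}

# Downloader logic as the thread describes it: statically configured
# intermediates are never "missing", so they are tried first; only when the
# chain is still incomplete is the issuer named in AIA fetched and retried.
complete_chain() {
  leaf=$1; cafile=$2; foreign=$3; store=$4
  if chain_verifies "$leaf" "$cafile" "$foreign"; then echo complete-local; return 0; fi
  fetch_issuer "$(leaf_aia_url "$leaf")" "$store" fetched.pem || { echo missing; return 1; }
  cat "$foreign" fetched.pem > candidates.pem
  if chain_verifies "$leaf" "$cafile" candidates.pem; then echo complete-fetched; return 0; fi
  echo missing; return 1
}

: > foreign.pem                                # no intermediates configured
mkdir empty_store                              # AIA URL unreachable
echo "AIA caIssuers URL:          $(leaf_aia_url leaf.pem)"
echo "foreign empty, fetch works: $(complete_chain leaf.pem root.pem foreign.pem store || true)"
cp inter.pem foreign.pem                       # admin added it to the foreign-certs file
echo "foreign configured:         $(complete_chain leaf.pem root.pem foreign.pem store || true)"
: > foreign.pem
echo "foreign empty, fetch fails: $(complete_chain leaf.pem root.pem foreign.pem empty_store || true)"
```

The three result lines are complete-fetched (nothing configured, issuer reachable), complete-local (issuer in the foreign file, so it is not missing and nothing is fetched) and missing (nothing configured, URL unreachable). On a live proxy the equivalent manual check is `openssl verify -CAfile <trust store> -untrusted <foreign certs file> <server cert>`, which tells you whether a given site would need the downloader at all.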
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
