23.01.2017 23:31, Alex Rousskov writes:
> On 01/23/2017 04:28 AM, Yuri wrote:
>
>> 1. How does it work?
> My response below and the following commit message might answer some of
> your questions:
>
> http://bazaar.launchpad.net/~squid/squid/5/revision/14769
>
>> I.e., where are downloaded certs stored, how are they
>> handled, does it save anything to disk?
> Missing certificates are fetched using HTTP[S]. Certificate responses
> should be treated as any other HTTP[S] responses with regard to caching.
> For example, if you have disk caching enabled and your caching rules
> (including defaults) allow certificate response caching, then the
> response should be cached. Similarly, the cached certificate will
> eventually be evicted from the cache following regular cache maintenance
> rules. When that happens, Squid will try to fetch the certificate again
> (if it becomes needed again).

I.e., fetched intermediate certificates are stored only in the memory cache
for the sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB daemon, right? And never stored anywhere on disk?

>
>> 2. How is this feature related to sslproxy_foreign_intermediate_certs,
>> how can it interfere with it?
> AFAICT by looking at the code, Squid only downloads certificates that
> Squid is missing when trying to build a complete certificate chain for a
> given server connection. Any sslproxy_foreign_intermediate_certs are
> used as needed during the chain building process (i.e., they are _not_
> "missing").

Ok, so this file is used to complete chains, and it contains only
statically (manually) added certs, right? I.e., the downloader should not
save fetched intermediate CAs there, which would be logical, wouldn't it?

>
>> Release notes contain nothing about this feature. The wiki contains only
>> one mention in passing that this functionality exists in principle.
> I agree that this feature lacks documentation. This is, in part, because
> the feature has no configuration options that normally force developers
> to document at least some of the code logic. We should add a few words
> about it to sslproxy_foreign_intermediate_certs documentation.
>
>
> FWIW, we are also adding an ACL to identify internal transactions that
> fetch missing certificates.
>
>
> HTH,
>
> Alex.
>
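To make the behaviour Alex describes concrete, here is an added model (not Squid's code, not from either poster) of chain completion: local stores (trusted roots and the statically loaded foreign intermediates) are consulted first, only a genuinely missing issuer is fetched from its caIssuers URL, and the fetched response sits in a cache from which it can be evicted and re-fetched. All certificate names, URLs and the in-memory "web" are constructed sample data; real code must also verify each signature, which this name-only model omits.

```python
"""Model of Squid-style chain completion: local stores first, fetch only
missing issuers, and cache fetched responses like any other HTTP response."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia_url: Optional[str] = None   # caIssuers URL the cert points at (constructed)

# Constructed sample PKI: a leaf, an intermediate that exists only "on the web",
# an intermediate pre-loaded as a foreign intermediate, and a trusted root.
ROOT = Cert("Root CA", "Root CA")
INTER_A = Cert("Inter A", "Root CA", "http://pki.example/inter-a.crt")
INTER_B = Cert("Inter B", "Inter A", "http://pki.example/inter-b.crt")
LEAF = Cert("www.example", "Inter B", "http://pki.example/inter-b.crt")

TRUSTED_ROOTS = {ROOT.subject: ROOT}
FOREIGN_INTERMEDIATES = {INTER_A.subject: INTER_A}   # static, manually added file
WEB = {"http://pki.example/inter-b.crt": INTER_B}     # what an AIA fetch returns

class ResponseCache:
    """Tiny stand-in for the HTTP cache: hit, miss (origin fetch), eviction."""
    def __init__(self) -> None:
        self.store: Dict[str, Cert] = {}
        self.fetches: List[str] = []          # every origin fetch is recorded
    def get(self, url: str) -> Optional[Cert]:
        if url not in self.store:
            self.fetches.append(url)          # cache miss -> fetch from origin
            if url not in WEB:
                return None
            self.store[url] = WEB[url]
        return self.store[url]
    def evict(self, url: str) -> None:        # regular cache maintenance
        self.store.pop(url, None)

def build_chain(leaf: Cert, cache: ResponseCache, max_len: int = 6) -> List[Cert]:
    """Walk issuers up to a trusted root; fetch only what local stores lack.
    Bounded length guards against looping or absurdly long chains."""
    chain, cur = [leaf], leaf
    while cur.subject != cur.issuer:          # stop at a self-signed root
        if len(chain) >= max_len:
            raise ValueError("chain too long or looping")
        nxt = TRUSTED_ROOTS.get(cur.issuer) or FOREIGN_INTERMEDIATES.get(cur.issuer)
        if nxt is None and cur.aia_url:       # truly missing: fetch via the cache
            nxt = cache.get(cur.aia_url)
        if nxt is None or nxt.subject != cur.issuer:
            raise ValueError(f"cannot find issuer {cur.issuer!r}")
        chain.append(nxt)
        cur = nxt
    return chain
```

Running it once fetches Inter B from the web, a second run is served from the cache, and after `evict()` the next chain build fetches it again, which is exactly the eviction-then-refetch cycle described above.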
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users