I am wondering how to verify the feature "Fetch missing certificate" which was added to Squid v4.

https://github.com/squid-cache/squid/commit/55369ae649646901d3038c63217386174d01eb7b

I tried to trigger the feature by requesting some domains via squid which lack the intermediate certificate (e.g. www.facworld.com, taas.citrix.com, karantina.genelsigorta.com). Because of the following observations I believe something is not working correctly:

1. Curl returns with a "SSL certificate problem: Invalid certificate chain" in all three cases
2. By enabling 33,5 83,5 81,5 88,3 logging and analysing the log trace I get the feeling that the code of the feature is not called (-> missing certificate not downloaded). See the log trace in the attachment

I verified that these domains deliver an incomplete certificate by:

$ openssl s_client -connect taas.citrix.com:443 -showcerts -verify 32 -CApath $path/to/root/certs/

Which returns "Verify return code: 21 (unable to verify the first certificate)" for all of them

Question:

1. How to verify that the feature is working? Am I doing something wrong?
2. Is this feature always on or do I have to configure/enable it in Squid v4?

Squid Cache: Version v4.0-6d8f397398995c4512cb045920ee2747cc6b14f8

--
Christof Gerber
Email: christof.gerber1@xxxxxxxxx
Attachment:
logs_squid4-facworld
Description: Binary data
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users