On 09/27/2018 09:56 AM, Christof Gerber wrote:

> Concerning the new feature which fetches the missing intermediate
> certificates I have three questions about its implementation and
> implications:
>
> 1. What happens if the certificate fetch request runs into a timeout?

If Squid lacks a certificate required to validate the server, the server validation will fail. What happens after that probably depends on your configuration, but bumping the client connection to report the validation error is typical for SslBump-driven deployments.

> Is this prevented somehow?

Not sure what you mean: No software can prevent external events such as I/O timeouts.

> 2. Does Squid also learn intermediate certificates from complete
> certificate chains of other requests?

Interesting question. AFAIK, Squid does not cache certificates received in TLS server Hellos (yet?). The missing certificates are fetched and cached using the regular Squid HTTP fetching/caching mechanism (as if somebody else sent a simple GET request for the certificate). There is no dedicated cache type/system for the certificates. This implies that the same intermediate certificate, if it was fetched from two different places/URLs, will be cached twice (by default).

I have CCed Christos, who may be able to verify my statements in the above paragraph.

> 3. Will this feature make it necessary to increase the cache size?

YMMV. By definition, the cache should never be necessary (i.e. required for correct operation). You should increase the cache size if increasing the cache size improves performance. This general statement applies to all features, not just the feature discussed on this thread, of course.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users