On 09/27/2018 11:12 AM, Christof Gerber wrote:
> I mean what happens if the extra request to the CA to download the
> missing certificate takes ages. Is there a timeout routine running
> which aborts the request if for instance the certificate is not
> downloaded after 5 seconds?

Yes, of course. There are many timeouts at play here. For example,
forward_timeout is used when setting a timeout to negotiate a secure
connection with the origin server (which includes fetching missing
certificates), and read_timeout is a network read timeout applied to
every individual fetching request.

Again, the missing-certificate fetching feature reuses the regular "fetch
this URL" functionality in Squid, with all the features/timeouts on that
code path. IIRC, these internal certificate requests even go through
eCAP/ICAP REQMOD services!

Alex.

> On Thu, 27 Sep 2018 at 18:32, Alex Rousskov wrote:
>>
>> On 09/27/2018 09:56 AM, Christof Gerber wrote:
>>> Concerning the new feature which fetches the missing intermediate
>>> certificates, I have three questions about its implementation and
>>> implications:
>>
>>> 1. What happens if the certificate fetch request runs into a timeout?
>>
>> If Squid lacks a certificate required to validate the server, the server
>> validation will fail. What happens after that probably depends on your
>> configuration, but bumping the client connection to report the
>> validation error is typical for SslBump-driven deployments.
>>
>>
>>> Is this prevented somehow?
>>
>> Not sure what you mean: No software can prevent external events such as
>> I/O timeouts.
>>
>>
>>> 2. Does Squid also learn intermediate certificates from complete
>>> certificate chains of other requests?
>>
>> Interesting question. AFAIK, Squid does not cache certificates received
>> in TLS server Hellos (yet?). The missing certificates are fetched and
>> cached using the regular Squid HTTP fetching/caching mechanism (as if
>> somebody else sent a simple GET request for the certificate). There is
>> no dedicated cache type/system for the certificates. This implies that
>> the same intermediate certificate, if it was fetched from two different
>> places/URLs, will be cached twice (by default).
>>
>> I have CCed Christos, who may be able to verify my statements in the
>> above paragraph.
>>
>>
>>> 3. Will this feature make it necessary to increase the cache size?
>>
>> YMMV. By definition, the cache should never be necessary (i.e. required
>> for correct operation). You should increase the cache size if increasing
>> the cache size improves performance. This general statement applies to
>> all features, not just the feature discussed on this thread, of course.
>>
>> Alex.
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
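The two validation states Alex describes (a server chain that fails because the intermediate is missing, and the same leaf validating once the intermediate has been obtained) can be reproduced with openssl alone. This is an added example, not code from the thread or from Squid; it assumes openssl 1.1.1 or later on PATH, and every certificate, subject name and the caIssuers URL it uses is constructed demo material.

```bash
#!/usr/bin/env bash
# Added example, not from the squid-users thread or the Squid project.
# Assumes openssl >= 1.1.1. Builds a throwaway root -> intermediate -> leaf
# PKI, then shows the leaf failing validation while its intermediate is
# missing and validating once the intermediate is supplied, which is what
# Squid's "fetch the missing certificate" request provides.
set -u
WORK=${WORK:-$(mktemp -d)}

# newkey_csr NAME CN: EC key plus CSR (constructed demo material, not real CA data).
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

make_pki() {
  newkey_csr root 'Demo Root' && newkey_csr int 'Demo Intermediate' \
    && newkey_csr leaf 'www.example.test' || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  # The leaf carries the AIA caIssuers URI a fetching proxy follows (placeholder host).
  printf 'basicConstraints=CA:FALSE\nauthorityInfoAccess=caIssuers;URI:http://ca.example.test/int.der\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# aia_ca_issuers LEAF: print the caIssuers URI, i.e. where the missing cert is fetched from.
aia_ca_issuers() {
  openssl x509 -noout -ext authorityInfoAccess -in "$1" 2>/dev/null \
    | sed -n 's/.*CA Issuers - URI:[[:space:]]*//p'
}

# verify_leaf LEAF [INTERMEDIATE]: "ok" or "fail" against the demo root.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# fetch_intermediate URL DEST: the "extra request to the CA". A hard upper bound
# (5 s here, mirroring the question) keeps a stalled CA from hanging the bump.
fetch_intermediate() { curl -sS --max-time 5 -o "$2" "$1"; }

make_pki || exit 1
echo "without intermediate: $(verify_leaf "$WORK/leaf.pem")"
echo "caIssuers URI:        $(aia_ca_issuers "$WORK/leaf.pem")"
echo "with intermediate:    $(verify_leaf "$WORK/leaf.pem" "$WORK/int.pem")"
```

In a Squid deployment the fetched intermediate is what turns the first result into the second; if the fetch times out, the first result is what SslBump reports to the client.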