
Re: Trusted first verification regarding cross root cert




On 29/06/20 7:29 pm, mikio.kishi wrote:
> Hi Amos,
> 
> Thank you for your reply and I apologize for the missing information.
> The following is the detailed one.
> 
>> * Squid version
> * squid version 3.5.26 (probably, ver4.X also might have same issue)
> * OpenSSL 1.0.2k
> 
>> * details of the chain being delivered to Squid
>> * details of the expected cross-signing chain(s).
> 
> There are so many websites which are facing this issue.
> For instance, "sbv.gov.vn:443".
> 
> # openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
> verify depth is 5

...
> 
> Could you please add the trusted_first option on squid?
> 

Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
had the feature *partially* backported to it.

I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
this "feature" is the default behaviour. Squid-3 is no longer supported
for code updates.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



