On 29/06/20 7:29 pm, mikio.kishi wrote:
> Hi Amos,
>
> Thank you for your reply and I apologize for the missing information.
> The following is the detailed one.
>
>> * Squid version
> * squid version 3.5.26 (probably, ver4.X also might have same issue)
> * OpenSSL 1.0.2k
>
>> * details of the chain being delivered to Squid
>> * details of the expected cross-signing chain(s).
>
> There are so many websites which are facing this issue.
> For instance, "sbv.gov.vn:443".
>
> # openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
> verify depth is 5 ...
>
> Could you please add the trusted_first option on squid?
>

Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has had the feature *partially* backported to it.

I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where this "feature" is the default behaviour. Squid-3 is no longer supported for code updates.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
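An added example, not part of the thread or of Squid's code: a constructed cross-signed chain that shows why searching the trust store first matters, using the `openssl verify -trusted_first` option (the default behaviour from OpenSSL 1.1.0). It assumes the common case where the older root on the cross-signed path has expired; every name, lifetime and file name below is made up.

```sh
#!/bin/sh
# Constructed test PKI; nothing here is taken from the thread or from any real site.
# "Example old" (short-lived root) cross-signs the key of "Example new" (current root).
# The leaf is issued by that key, so two paths exist:
#   leaf -> cross -> Example old      and      leaf -> Example new
build_pki() {  # $1 = empty working directory
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = Common Name
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  for n in old new leaf; do
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$d/x.cnf" -key "$d/$n.key" \
      -subj "/CN=Example $n" -out "$d/$n.csr" || return 1
  done
  sign() { openssl x509 -req -extfile "$d/x.cnf" "$@" 2>/dev/null; }
  # The old root lives 1 day, everything else 30 days.
  sign -extensions ca -in "$d/old.csr" -signkey "$d/old.key" -days 1 -out "$d/old.crt" || return 1
  sign -extensions ca -in "$d/new.csr" -signkey "$d/new.key" -days 30 -out "$d/new.crt" || return 1
  # Cross certificate: the new root's name and key, signed by the old root.
  sign -extensions ca -in "$d/new.csr" -CA "$d/old.crt" -CAkey "$d/old.key" \
    -set_serial 2 -days 30 -out "$d/cross.crt" || return 1
  sign -extensions leaf -in "$d/leaf.csr" -CA "$d/new.crt" -CAkey "$d/new.key" \
    -set_serial 3 -days 30 -out "$d/leaf.crt" || return 1
  cat "$d/old.crt" "$d/new.crt" > "$d/both.pem"
}

# Verify the leaf as of 5 days from now (old root expired by then), with the
# cross certificate supplied as an untrusted extra, the way a server would send it.
verify_later() {  # $1 = working directory, $2 = trust store file
  when=$(( $(date +%s) + 5 * 86400 ))
  openssl verify -trusted_first -attime "$when" \
    -CAfile "$2" -untrusted "$1/cross.crt" "$1/leaf.crt" >/dev/null 2>&1
}

dir=$(mktemp -d) && build_pki "$dir" || exit 1
verify_later "$dir" "$dir/both.pem" && echo "both roots trusted, store searched first: OK"
verify_later "$dir" "$dir/old.crt" || echo "only the cross-signed path available: rejected"
rm -rf "$dir"
```

On an OpenSSL 1.0.2 build, dropping `-trusted_first` from `verify_later` is the way to compare the two chain-building orders against the same files.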