Hi Amos,
>Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
>had the feature *partially* backported to it.
>
>I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
>this "feature" is the default behaviour.
Yes, exactly. However, currently I am using CentOS7, whose openssl package version is still 1.0.....
Upgrading openssl to v1.1.1 is challenging for me. Could you please implement the trusted first option in squid-4? ...
Regards,
--
Mikio Kishi
On Mon, Jun 29, 2020 at 7:05 PM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 29/06/20 7:29 pm, mikio.kishi wrote:
> Hi Amos,
>
> Thank you for your reply and I apologize for the missing information.
> The following is the detailed one.
>
>> * Squid version
> * squid version 3.5.26 (probably, ver4.X also might have same issue)
> * OpenSSL 1.0.2k
>
>> * details of the chain being delivered to Squid
>> * details of the expected cross-signing chain(s).
>
> There are so many websites which are facing this issue.
> For instance, "sbv.gov.vn:443".
>
> # openssl s_client -connect sbv.gov.vn:443 -servername sbv.gov.vn -showcerts -verify 5 -state
> verify depth is 5
...
>
> Could you please add the trusted_first option on squid?
>
Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
had the feature *partially* backported to it.
I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
this "feature" is the default behaviour. Squid-3 is no longer supported
for code updates.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users