Many web servers do not have complete certificate chains. Many browsers
use certificate extensions of the server certificate and download the
missing intermediate certificates automatically from the Internet.
This patch adds a similar feature to Squid:
- Parse Server Hello messages and extract the certificate chain.
- Check whether the issuers of each certificate exist in the chain.
- If not, retrieve the issuer certificate URI from the Authority Info
extension of the certificate (if it is provided) and download the
certificate.
- Store downloaded certificates in Squid object cache, just like any
other HTTP object.
Implementation highlights:
- A new Downloader class allows Squid subsystems to download objects
via HTTP. These downloads are not backed by a proxy user.
- Add support for an internal database of intermediate pre-loaded
certificates to be used to complete incomplete chains.
- Ssl::HandshakeParser parses TLS records and TLS Handshake messages.
- Ssl::PeerConnector now uses the Downloader objects to download
missing certificates.
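The chain-completion logic the message describes (walk the chain the server sent, look each missing issuer up in the preloaded intermediate database first, fall back to the certificate's AIA CA Issuers URI, never fetch a root), as an added Go example that is not part of Squid or of this patch. It builds a throwaway root -> intermediate -> leaf PKI at run time, has the "server" send only the leaf, and uses Go's own X.509 verification to show the chain failing before completion and passing after it. The Downloader is stood in for by a map lookup so the example runs offline, and the names `CompleteChain`, `findIssuer`, `VerifyChain`, `BuildScenario`, `IssuerURI` and the host `pki.example.test` are assumptions made for the example, not Squid identifiers.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// findIssuer returns the first candidate whose subject matches c's issuer AND whose key
// verifies c's signature; a name match alone must never be trusted.
func findIssuer(c *x509.Certificate, candidates []*x509.Certificate) *x509.Certificate {
	for _, cand := range candidates {
		if cand != c && bytes.Equal(c.RawIssuer, cand.RawSubject) && c.CheckSignatureFrom(cand) == nil {
			return cand
		}
	}
	return nil
}

// CompleteChain appends each missing issuer to the chain the server sent: from the preloaded
// intermediate database when possible, otherwise by fetching the certificate's AIA CA Issuers
// URIs (fetch stands in for the Downloader). It returns the completed chain and the URIs it
// downloaded. Roots are never fetched: a self-signed or issuer-less certificate ends the walk.
func CompleteChain(chain, preloaded []*x509.Certificate, fetch func(string) ([]byte, error)) (out []*x509.Certificate, downloaded []string) {
	out = append(out, chain...)
	for i := 0; i < len(out) && i < 8; i++ { // depth bound: a broken chain must not loop forever
		c := out[i]
		if bytes.Equal(c.RawIssuer, c.RawSubject) || findIssuer(c, out) != nil {
			continue // self-signed, or the issuer is already in the chain
		}
		if iss := findIssuer(c, preloaded); iss != nil {
			out = append(out, iss) // served from the internal database, no download needed
			continue
		}
		for _, uri := range c.IssuingCertificateURL {
			der, err := fetch(uri)
			iss, perr := x509.ParseCertificate(der)
			if err != nil || perr != nil || findIssuer(c, []*x509.Certificate{iss}) == nil {
				continue // download failed, unparsable, or not our issuer: try the next URI
			}
			out = append(out, iss)
			downloaded = append(downloaded, uri)
			break
		}
	}
	return out, downloaded
}

// VerifyChain validates chain[0] for host against root, using the rest as intermediates.
func VerifyChain(chain []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// newCert issues tmpl with a fresh P-256 key; a nil parent makes it self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IssuerURI is the made-up AIA CA Issuers location carried by the constructed leaf below.
const IssuerURI = "http://pki.example.test/intermediate.cer"

// BuildScenario constructs a throwaway PKI: root -> intermediate -> leaf (with AIA).
func BuildScenario() (leaf, inter, root *x509.Certificate) {
	now := time.Now()
	tmpl := func(cn string, serial int64, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root, rootKey := newCert(tmpl("Example Root CA", 1, true), nil, nil)
	inter, interKey := newCert(tmpl("Example Intermediate CA", 2, true), root, rootKey)
	lt := tmpl("www.example.test", 3, false)
	lt.KeyUsage, lt.DNSNames = x509.KeyUsageDigitalSignature, []string{"www.example.test"}
	lt.IssuingCertificateURL = []string{IssuerURI} // becomes the AIA extension in the leaf
	leaf, _ = newCert(lt, inter, interKey)
	return leaf, inter, root
}

func main() {
	leaf, inter, root := BuildScenario()
	objects := map[string][]byte{IssuerURI: inter.Raw} // all the offline "Downloader" can serve
	fetch := func(uri string) ([]byte, error) {
		if der, ok := objects[uri]; ok {
			return der, nil
		}
		return nil, fmt.Errorf("%s: not found", uri)
	}
	chain, got := CompleteChain([]*x509.Certificate{leaf}, nil, fetch)
	fmt.Println("as sent:", VerifyChain([]*x509.Certificate{leaf}, root, "www.example.test"))
	fmt.Println("after downloading", got, "->", VerifyChain(chain, root, "www.example.test"))
}
```

Two points matter for anyone reimplementing this. A downloaded object is accepted only after `CheckSignatureFrom` proves it really issued the certificate in hand, so an attacker-controlled AIA URI can make the proxy fetch junk but cannot make it accept junk, and it can never introduce a root, since the chain is still verified against the local trust store. The walk is also depth-bounded and skips certificates whose issuer is already present, so a looping or oversized chain cannot turn into an unbounded series of downloads.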