From: Christos Tsantilas
Date: Mon, 1 Aug 2016 11:27:44 +0000 (+0300)
Subject: Fetch missing certificates
X-Git-Tag: SQUID_4_0_13~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6f9f8f9d10ce1fedbd52f4362c6982d5308a9c4d;p=thirdparty%2Fsquid.git

Fetch missing certificates

Many web servers do not have complete certificate chains. Many browsers use certificate extensions of the server certificate and download the missing intermediate certificates automatically from the Internet. This patch adds this feature to Squid.

The information for missing issuer certificates is provided by the Authority Information Access X509 extension. This describes the format and the location of additional information provided by the issuer of the certificate.

This patch:
- Implements a class Downloader as an independent AsyncJob class. This new class can be used by internal Squid subsystems to download objects from the network.
- Modifies the Ssl::PeerConnector class to use the new Downloader class to retrieve missing certificates from the net. The URIs of missing certificates come from the Authority Information Access X509 extension.
- Implements a new basic certificates parser based on OpenSSL for the TLS handshake messages parser.
- Modifies the Ssl::ServerBio class to:
  * Buffer the Server Hello message and not pass it to the OpenSSL library until downloading missing certificates, if any, is finished.
  * Extract server certificates from the Server Hello message. This is required to check if there are missing certificates and, if so, give Squid the chance to download missing certificates and complete certificate chains before passing them to OpenSSL for processing.

TODO:
- Add support for certs-only CMS messages.
From RFC 4325:

"Where the information is available via HTTP or FTP, accessLocation MUST be a uniformResourceIdentifier and the URI MUST point to either a single DER encoded certificate as specified in [RFC2585] or a collection of certificates in a BER or DER encoded "certs-only" CMS message as specified in [RFC2797]."

...

"Conforming applications that support HTTP or FTP for accessing certificates MUST be able to accept individual DER encoded certificates and SHOULD be able to accept "certs-only" CMS messages."

This is a Measurement Factory project

---
6f9f8f9d10ce1fedbd52f4362c6982d5308a9c4d
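The decision the commit message describes (which presented certificate has no issuer on hand, and where the AIA caIssuers URIs for it live) can be shown without Squid or OpenSSL. The Python below is an added example written for this page, not code from the Squid patch: it builds three constructed, unsigned certificate stand-ins (dummy keys and signatures, placeholder example.test URIs, all labelled as such), walks their DER with a minimal reader, and reports which caIssuers URIs a proxy would have to download. It also shows the RFC 4325 caveat quoted above: a fetched object may be a single DER certificate or a certs-only CMS SignedData, and a receiver has to tell the two apart before handing bytes to a certificate parser.

```python
# Added example (not Squid code). Constructed certificates with dummy signatures;
# all names and URIs are placeholders so the example runs offline.

AIA_OID = '1.3.6.1.5.5.7.1.1'             # id-pe-authorityInfoAccess
CA_ISSUERS_OID = '1.3.6.1.5.5.7.48.2'     # id-ad-caIssuers
OCSP_OID = '1.3.6.1.5.5.7.48.1'           # id-ad-ocsp
CMS_SIGNED_DATA_OID = '1.2.840.113549.1.7.2'  # certs-only CMS is a SignedData ContentInfo

# --- tiny DER encoder, used only to build the constructed sample certificates ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*parts):
    return tlv(0x30, b''.join(parts))

def oid(dotted):
    arcs = [int(a) for a in dotted.split('.')]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7f]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7f) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one CN as UTF8String
    return seq(tlv(0x31, seq(oid('2.5.4.3'), tlv(0x0c, cn.encode()))))

def make_cert(subject, issuer, aia=()):
    """Constructed X.509 v3 stand-in: real layout, dummy SPKI and signature."""
    exts = b''
    if aia:  # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
        descs = b''.join(seq(oid(m), tlv(0x86, u.encode())) for m, u in aia)  # [6] URI
        exts = tlv(0xa3, seq(seq(oid(AIA_OID), tlv(0x04, seq(descs)))))
    tbs = seq(tlv(0xa0, tlv(0x02, b'\x02')),            # [0] version v3
              tlv(0x02, b'\x01'),                       # serialNumber
              seq(oid('1.2.840.113549.1.1.11')),        # sha256WithRSAEncryption
              name(issuer),
              seq(tlv(0x18, b'20160801000000Z'), tlv(0x18, b'20170801000000Z')),
              name(subject),
              seq(seq(oid('1.2.840.113549.1.1.1'), tlv(0x05, b'')), tlv(0x03, b'\x00\x00')),
              exts)
    return seq(tbs, seq(oid('1.2.840.113549.1.1.11')), tlv(0x03, b'\x00' * 9))

# --- minimal DER reader: the part a proxy actually needs ---
def der_children(body):
    """Split a constructed value's content into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7f
            ln, pos = int.from_bytes(body[pos:pos + n], 'big'), pos + n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

def parse_cert(der):
    """Return raw issuer/subject Name bytes and AIA URIs keyed by access-method OID."""
    fields = der_children(der_children(der_children(der)[0][1])[0][1])  # TBSCertificate
    if fields[0][0] == 0xa0:            # EXPLICIT [0] version present (v2/v3)
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    aia = {}
    for tag, body in fields[6:]:        # optional issuerUID, subjectUID, [3] extensions
        if tag != 0xa3:
            continue
        for _, ext in der_children(der_children(body)[0][1]):
            parts = der_children(ext)   # extnID, [critical], extnValue OCTET STRING
            if tlv(0x06, parts[0][1]) != oid(AIA_OID):
                continue
            for _, desc in der_children(der_children(parts[-1][1])[0][1]):
                (_, method), (loc_tag, loc) = der_children(desc)
                if loc_tag == 0x86:     # uniformResourceIdentifier [6] IA5String
                    aia.setdefault(tlv(0x06, method), []).append(loc.decode('ascii'))
    return {'issuer': issuer, 'subject': subject, 'aia': aia}

def missing_issuer_uris(chain_der, trusted_der):
    """For each presented cert whose issuer is neither another presented cert nor a
    trust anchor (and which is not self-issued), return its caIssuers URIs."""
    chain = [parse_cert(c) for c in chain_der]
    known = {c['subject'] for c in chain} | {parse_cert(t)['subject'] for t in trusted_der}
    uris = []
    for c in chain:
        if c['issuer'] != c['subject'] and c['issuer'] not in known:
            uris.extend(c['aia'].get(oid(CA_ISSUERS_OID), []))
    return uris

def classify_fetched(obj):
    """RFC 4325: a caIssuers download is one DER certificate or a certs-only CMS."""
    first_tag, first_val = der_children(der_children(obj)[0][1])[0]
    if first_tag == 0x06 and tlv(0x06, first_val) == oid(CMS_SIGNED_DATA_OID):
        return 'cms-certs-only'        # ContentInfo starts with the SignedData OID
    if first_tag == 0x30:
        return 'certificate'           # Certificate starts with the TBSCertificate SEQUENCE
    return 'unknown'

# Constructed PKI: root -> intermediate -> leaf (placeholder URIs).
ROOT = make_cert('Example Root CA', 'Example Root CA')
INTERMEDIATE = make_cert('Example Intermediate CA', 'Example Root CA',
                         aia=[(CA_ISSUERS_OID, 'http://pki.example.test/root.cer')])
LEAF = make_cert('www.example.test', 'Example Intermediate CA',
                 aia=[(OCSP_OID, 'http://ocsp.example.test'),
                      (CA_ISSUERS_OID, 'http://pki.example.test/intermediate.cer')])
CMS_STUB = seq(oid(CMS_SIGNED_DATA_OID), tlv(0xa0, seq()))  # header shape of a certs-only CMS

if __name__ == '__main__':
    print(missing_issuer_uris([LEAF], [ROOT]))                # server sent only the leaf
    print(missing_issuer_uris([LEAF, INTERMEDIATE], [ROOT]))  # complete chain
    print(classify_fetched(INTERMEDIATE), classify_fetched(CMS_STUB))
```

The issuer/subject comparison is done on the raw DER Name bytes, which is the cheapest strict match; a real implementation would also accept the chain as complete once the issuer is found in the trust store, which is what the trusted_der argument stands for here. The classify_fetched check matters because the patch's TODO leaves certs-only CMS unsupported: feeding such a download to a plain certificate parser fails, so the proxy should recognise it and treat the chain as still incomplete rather than mis-parse it.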