git.ipfire.org Git - thirdparty/squid.git/commit

author	Amos Jeffries <squid3@treenet.co.nz>
	Fri, 15 Jan 2016 06:57:17 +0000 (19:57 +1300)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Fri, 15 Jan 2016 06:57:17 +0000 (19:57 +1300)
commit	435c72b07c5b7ebf782049cd2b50abe79a6f7db5
tree	03040404249dff1cbf66967174c4f2a88c4f6518	tree \| snapshot
parent	c50b35b557e59c83fa7e4d1a4bb911ac5148fe31	commit \| diff

Bug 4005: Dynamic certificate cache exceeds dynamic_cert_mem_cache_size

* disable the use of system CA by default to verify client connection
  certificates. Since the use of client certificates is rare.

* no change to verification of upstream server or peer certificates.
  Since the use of system CA to sign server certificates is common.

* the new "default-ca" configuration option and its documentation are
  updated to make the situation more obvious amongst the other TLS options
  changes in Squid-4.

* the action of the sslflags=NO_DEFAULT_CA is already deprecated, so no
  change when it is used. On port lines it now merely sets the default.

It may be a good idea to also disable system CA use for cache_peer and
ICAPS connections. For now they are left unchanged.

doc/release-notes/release-4.sgml		diff \| blob \| blame \| history
src/cf.data.pre		diff \| blob \| blame \| history
src/security/PeerOptions.cc		diff \| blob \| blame \| history
src/security/PeerOptions.h		diff \| blob \| blame \| history
src/security/ServerOptions.h		diff \| blob \| blame \| history