git.ipfire.org Git - thirdparty/squid.git/commit
When using OpenSSL, trust intermediate CAs from trusted stores (#383)
author Alex Rousskov <rousskov@measurement-factory.com>
Tue, 19 Mar 2019 20:30:55 +0000 (20:30 +0000)
committer Squid Anubis <squid-anubis@squid-cache.org>
Fri, 22 Mar 2019 14:14:21 +0000 (14:14 +0000)
commit 98f951b75c6867831828b18909240cdc5fab20cf
tree beb82c4160ba03ee5df2b112e3e2688fdf19edf3
parent 417da4006cf5c97d44e74431b816fc58fec9e270

According to [1], GnuTLS and NSS do that by default.

Use case: Chrome and Mozilla no longer trust Symantec root CAs _but_
still trust several whitelisted Symantec intermediate CAs[2]. Squid
built with OpenSSL cannot do that without X509_V_FLAG_PARTIAL_CHAIN.

[1] https://www.openldap.org/lists/openldap-devel/201506/msg00012.html
[2] https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
src/security/PeerOptions.cc
src/security/PeerOptions.h
src/security/ServerOptions.cc
src/tests/stub_libsecurity.cc
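
The trust model described in the commit message, reproduced with the `openssl` command-line tool as an added example (it is not part of the commit or of Squid's code). `-partial_chain` is the CLI switch that sets X509_V_FLAG_PARTIAL_CHAIN; the three-level PKI, file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: constructed PKI (root CA -> intermediate CA -> leaf).
# Only the intermediate is placed in the trusted store, mirroring the
# "root distrusted, intermediate still trusted" case.

# Wrappers around real openssl subcommands; $d is the scratch directory.
req()  { openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes "$@" >/dev/null 2>&1; }
sign() { openssl x509 -req -days 2 -CAcreateserial "$@" >/dev/null 2>&1; }
st()   { if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }

# Prints "full=<ok|fail> default=<ok|fail> partial=<ok|fail>".
partial_chain_demo() {
    d=$(mktemp -d) || return 1
    # Minimal config: empty DN section (subjects come from -subj) and a CA extension set.
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[ca]' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$d/demo.cnf"

    # Self-signed root, then an intermediate CA signed by it, then a leaf.
    req -x509 -extensions ca -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" || return 1
    req -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" || return 1
    sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -extfile "$d/demo.cnf" -extensions ca -out "$d/int.pem" || return 1
    req -subj '/CN=leaf.example' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" || return 1
    sign -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -out "$d/leaf.pem" || return 1

    # 1. Sanity check: root trusted, intermediate supplied as untrusted helper.
    full=$(st -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem")
    # 2. Only the intermediate is trusted: OpenSSL insists on reaching a
    #    self-signed trust anchor by default, so verification fails.
    default=$(st -CAfile "$d/int.pem" "$d/leaf.pem")
    # 3. Same store with partial chains allowed: the trusted intermediate
    #    is accepted as the anchor.
    partial=$(st -partial_chain -CAfile "$d/int.pem" "$d/leaf.pem")

    rm -rf "$d"
    echo "full=$full default=$default partial=$partial"
}

partial_chain_demo
```

With the flag set, every certificate in the trusted store becomes a trust anchor, so a store used this way should hold only certificates that are meant to be trusted on their own.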