Hi Amos,

> Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
> had the feature *partially* backported to it.
> I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
> this "feature" is the default behaviour.

Yes, exactly. However, currently I am using CentOS 7, whose openssl package version is still 1.0.....
Upgrading openssl to v1.1.1 is challenging for me.
Could you please implement the trusted first option in squid-4 ?
...

Regards,
--
Mikio Kishi

On Mon, Jun 29, 2020 at 7:05 PM Amos Jeffries <[email protected]> wrote:

> On 29/06/20 7:29 pm, mikio.kishi wrote:
> > Hi Amos,
> >
> > Thank you for your reply and I apologize for the missing information.
> > The following is the detailed one.
> >
> >> * Squid version
> > * squid version 3.5.26 (probably, ver4.X also might have same issue)
> > * OpenSSL 1.0.2k
> >
> >> * details of the chain being delivered to Squid
> >> * details of the expected cross-signing chain(s).
> >
> > There are so many websites which are facing this issue.
> > For instance, "sbv.gov.vn:443".
> >
> > # openssl s_client -connect sbv.gov.vn:443
> > -servername sbv.gov.vn -showcerts -verify 5 -state
> > verify depth is 5
> > ...
> >
> > Could you please add the trusted_first option on squid ?
> >
>
> Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
> had the feature *partially* backported to it.
>
> I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
> this "feature" is the default behaviour. Squid-3 is no longer supported
> for code updates.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> [email protected]
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-users
