Upgrading to 1.1 on a running OS is a challenge for any sysadmin.

Eliezer

On Mon, Jun 29, 2020, 13:30 <mikio.ki...@gmail.com> wrote:

> Hi Amos,
>
> >Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
> >had the feature *partially* backported to it.
> >I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
> >this "feature" is the default behaviour.
>
> Yes, exactly. However, currently I am using CentOS7, whose openssl package
> version is still 1.0.....
> Upgrading openssl to v1.1.1 is challenging for me. Could you please
> implement the trusted first option to squid-4 ? ...
>
> Regards,
> --
> Mikio Kishi
>
>
> On Mon, Jun 29, 2020 at 7:05 PM Amos Jeffries <squ...@treenet.co.nz>
> wrote:
>
>> On 29/06/20 7:29 pm, mikio.kishi wrote:
>> > Hi Amos,
>> >
>> > Thank you for your reply and I apologize for the missing information.
>> > The following is the detailed one.
>> >
>> >> * Squid version
>> > * squid version 3.5.26 (probably, ver4.X also might have same issue)
>> > * OpenSSL 1.0.2k
>> >
>> >> * details of the chain being delivered to Squid
>> >> * details of the expected cross-signing chain(s).
>> >
>> > There are so many websites which are facing this issue.
>> > For instance, "sbv.gov.vn:443".
>> >
>> > # openssl s_client -connect sbv.gov.vn:443
>> > -servername sbv.gov.vn -showcerts -verify 5 -state
>> > verify depth is 5
>>
>> ...
>> >
>> > Could you please add the trusted_first option on squid ?
>> >
>>
>> Ah. This is a feature of OpenSSL v1.1. Apparently your OpenSSL v1.0 has
>> had the feature *partially* backported to it.
>>
>> I suggest you upgrade to Squid-4 and build against OpenSSL v1.1 where
>> this "feature" is the default behaviour. Squid-3 is no longer supported
>> for code updates.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users