Due to a typo Squid 3.2 cannot correctly handle forward loops in
transparent mode.
You can see it with
wget -O /dev/null -S http://transparent_squid_proxy:some_port/
Attached patch fixes the issue.
--
Best wishes,
Alexander Komyagin
--- squid-3.2.0.16/src/client_side_reply.cc 2012-03-07 06:42
omeday extended OCSP functionality will go into
upstream, though this will require additional efforts.
Attached patch was tested in our company and seems to work fine.
--
Best wishes,
Alexander Komyagin
diff --git a/apps/apps.c b/apps/apps.c
index 4e11915..47f8c2f 100644
--- a/apps/apps
's certificate validity (not necessary if this certificate has
> an OCSPNoCheck extension, but some don't have this extension).
>
> Le 08/06/2012 13:07, Alexander Komyagin a écrit :
> > [...]
> > How it works:
> >
> > 1) OCSP revocation check is done rig
ecessary if this certificate has
> an OCSPNoCheck extension, but some don't have this extension).
OCSP responder's certificate revocation status is only checked against
CRL's. (via OCSP_basic_verify()).
>
> Le 08/06/2012 13:07, Alexander Komyagin a écrit :
> > [...]
>
ILURE doesn't
tell you much).
--
Best wishes,
Alexander Komyagin
diff --git a/apps/apps.c b/apps/apps.c
index 4e11915..47f8c2f 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2338,8 +2338,12 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_CB_ISSUER_CHECK;
else if (!
ed in some other place (though
check_revocation(X509_STORE_CTX *) seems a rather logical place) or is
there some other way to solve this problem?
--
Best wishes,
Alexander Komyagin
__
OpenSSL Project http
Can you give me an example of such application? I'll take a look at it.
On Fri, 2012-05-04 at 13:14 +0200, Dr. Stephen Henson wrote:
> On Thu, May 03, 2012, Alexander Komyagin wrote:
>
> > Thanks for the note, Stephen! I'll certainly take this into account.
> > If
hment to be fast. Good service will handle other connections in
a separate thread for the sake of availability, won't it?
On Thu, 2012-05-03 at 13:11 +0200, Dr. Stephen Henson wrote:
> On Thu, May 03, 2012, Alexander Komyagin wrote:
>
> > Hi! In our project we want to perform a com
arg, arglen) \
> SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen, (void
> *)arg)
>
>
>
>
>
> At 2012-05-03 15:23:49,"Alexander Komyagin" wrote:
> >Hi! In our project we want to perform a complete global switch to OCSP
> >certificate verification (for a num
. There is only one check_revocation() function, which checks
a chain against CRL's. I think that check_revocation() can be altered to
use OCSP instead just like ocsp-app does. Or shall I use any other place
to perform OCSP verification?
Thanks!
--
Best wishes