[squid-users] Fetch missing certificate feature of Squid_v4
Christof Gerber
2018-09-27 15:56:50 UTC
Concerning the new feature which fetches the missing intermediate
certificates I have three questions about its implementation and
implications:

1. What happens if the certificate fetch request runs into a timeout?
Is this prevented somehow?

2. Does Squid also learn intermediate certificates from complete
certificate chains of other requests?

3. Will this feature make it necessary to increase the cache size?
--
Christof Gerber
Email: ***@gmail.com
Alex Rousskov
2018-09-27 16:32:34 UTC
Post by Christof Gerber
Concerning the new feature which fetches the missing intermediate
certificates I have three questions about its implementation and
1. What happens if the certificate fetch request runs into a timeout?
If Squid lacks a certificate required to validate the server, the server
validation will fail. What happens after that probably depends on your
configuration, but bumping the client connection to report the
validation error is typical for SslBump-driven deployments.
Post by Christof Gerber
Is this prevented somehow?
Not sure what you mean: No software can prevent external events such as
I/O timeouts.
Post by Christof Gerber
2. Does Squid also learn intermediate certificates from complete
certificate chains of other requests?
Interesting question. AFAIK, Squid does not cache certificates received
in TLS server Hellos (yet?). The missing certificates are fetched and
cached using the regular Squid HTTP fetching/caching mechanism (as if
somebody else sent a simple GET request for the certificate). There is
no dedicated cache type/system for the certificates. This implies that
the same intermediate certificate, if it was fetched from two different
places/URLs, will be cached twice (by default).

I have CCed Christos, who may be able to verify my statements in the
above paragraph.
Post by Christof Gerber
3. Will this feature make it necessary to increase the cache size?
YMMV. By definition, the cache should never be necessary (i.e. required
for correct operation). You should increase the cache size if increasing
the cache size improves performance. This general statement applies to
all features, not just the feature discussed on this thread, of course.

Alex.
Alex Rousskov
2018-09-27 17:28:57 UTC
Post by Christof Gerber
I mean what happens if the extra request to the CA to download the
missing certificate takes ages. Is there a timeout routine running
which aborts the request if for instance the certificate is not
downloaded after 5 seconds?
Yes, of course. There are many timeouts at play here. For example,
forward_timeout is used when setting a timeout to negotiate a secure
connection with the origin server (which includes fetching missing
certificates) and read_timeout is a network read timeout applied to
every individual fetching request.

Again, the missing-certificate fetching feature reuses the regular "fetch
this URL" functionality in Squid, with all the features/timeouts on that
code path. IIRC, these internal certificate requests even go through
eCAP/ICAP REQMOD services!

Alex.
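A simplified model of the flow Alex describes, added here as an illustration and not Squid's own code: a missing issuer is downloaded through a URL-keyed cache, a per-request read timeout and a whole-negotiation forward timeout bound the fetches, and the same intermediate reached via two different URLs ends up cached twice. All certificate fields, URLs and timings are constructed; the issuer URL is assumed to be the certificate's AIA caIssuers pointer.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str          # stands in for the hash of the DER encoding
    ca_issuers_url: str = ""  # URL the issuer can be downloaded from (assumed AIA caIssuers pointer)

class Fetcher:  # stand-in for Squid's regular "fetch this URL" path and its URL-keyed HTTP cache
    def __init__(self, remote, read_timeout):
        self.remote = remote            # constructed network: URL -> (cert, download seconds)
        self.read_timeout = read_timeout
        self.cache = {}                 # keyed by URL, so the same cert at two URLs is stored twice

    def fetch(self, url):               # returns (cert, seconds spent); cert is None on read timeout
        if url in self.cache:
            return self.cache[url], 0.0
        cert, cost = self.remote[url]
        if cost > self.read_timeout:    # this request's read timeout fired: nothing obtained
            return None, self.read_timeout
        self.cache[url] = cert
        return cert, cost

def complete_chain(leaf, trusted_roots, fetcher, forward_timeout):
    """Walk from the leaf towards a trusted root, downloading each missing issuer.
    Returns (chain, elapsed); chain is None when validation cannot complete."""
    chain, elapsed, cur = [leaf], 0.0, leaf
    while cur.issuer not in trusted_roots:
        if not cur.ca_issuers_url:      # no pointer to the issuer: validation fails
            return None, elapsed
        cert, cost = fetcher.fetch(cur.ca_issuers_url)
        elapsed += cost
        if cert is None or elapsed > forward_timeout:  # per-request or whole-negotiation budget blown
            return None, elapsed
        chain.append(cert)
        cur = cert
    return chain, elapsed

def distinct_cached(fetcher):           # distinct certificates behind the URL-keyed entries
    return len({c.fingerprint for c in fetcher.cache.values()})

# Constructed sample data: one intermediate published under two URLs, plus a slow mirror.
ROOTS = {"Example Root CA"}
INTER = Cert("Example Intermediate CA", "Example Root CA", "fp-inter")
LEAF_A = Cert("a.example", INTER.subject, "fp-a", "http://ca.example/inter.crt")
LEAF_B = Cert("b.example", INTER.subject, "fp-b", "http://mirror.example/inter.crt")
LEAF_C = Cert("c.example", INTER.subject, "fp-c", "http://slow.example/inter.crt")
REMOTE = {"http://ca.example/inter.crt": (INTER, 0.2),
          "http://mirror.example/inter.crt": (INTER, 0.2),
          "http://slow.example/inter.crt": (INTER, 9.0)}
```

Running `complete_chain` for the three leaves with `Fetcher(REMOTE, read_timeout=5.0)` validates a.example and b.example, fails c.example on the read timeout, and leaves two cache entries holding one distinct certificate.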