Bug 1204375

Summary: squid sends incorrect ssl chain breaking newer gnutls using applications
Product: Red Hat Enterprise Linux 7 Reporter: Kevin Fenzi <kevin>
Component: squidAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Ondřej Pták <optak>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: isenfeld, kevin, luhliari, optak, thozza
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: squid-3.3.8-13.el7 Doc Type: Bug Fix
Doc Text:
Cause: SSL certificate is received twice from Squid. Consequence: SSL negotiation is failing for some client applications. Fix: SSL certificate is sent only once. Result: SSL client applications are not failing anymore.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:20:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
This is a backported patch which should fix bug #1204375
none
SRPM of squid containing patch none

Description Kevin Fenzi 2015-03-21 13:17:44 UTC 
This bug: 

http://bugs.squid-cache.org/show_bug.cgi?id=3849

was fixed upstream, but doesn't seem to be in the current RHEL7 squid package. 

This means if you use ssl with a cert chain, any clients using newer gnutls will be unable to use your proxy. ;( 

We have hit this with a proxy in Fedora, see: https://fedorahosted.org/fedora-infrastructure/ticket/4682 

Please consider backporting this fix. Thanks.
Comment 2 Luboš Uhliarik 2015-04-07 08:56:45 UTC 
Created attachment 1011660 [details]
This is a backported patch which should fix bug #1204375
Comment 3 Luboš Uhliarik 2015-04-07 09:00:42 UTC 
Hi Kevin,

which version of squid and RHEL are you exactly using? I backported this patch, for the latest squid (3.3.8) in RHEL 7.1. I'm attaching the PATCH, so you can try, if it fixes this bug in your squid configuration.
Comment 5 Luboš Uhliarik 2015-04-07 11:37:55 UTC 
Created attachment 1011700 [details]
SRPM of squid containing patch
Comment 6 Kevin Fenzi 2015-04-07 18:02:59 UTC 
We can confirm this fixes the issue. ;) Thanks!
Comment 12 errata-xmlrpc 2015-11-19 12:20:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2378.html