[squid-dev] [PATCH] sslproxy_cert_sign_hash configuration option
Tsantilas Christos
chtsanti at users.sourceforge.net
Wed Oct 1 16:48:12 UTC 2014
Browser vendors will get rid of SSL certificates that use SHA-1 to
generate the hash that is then signed by the CA. For example, Google
Chrome will start to show an "insecure" sign for certificates that are
valid after 1.1.2016 and will generate a warning page for certificates
that are valid after 1.1.2017 [1],[2],[4]. Microsoft will block
certificates with SHA-1 after 1.1.2017 [3].
This patch:
1) Add a new configuration option to select the signing hash for
generated certificates: sslproxy_cert_sign_hash.
2) If sslproxy_cert_sign_hash is not set, then use the sha256 hash.
[1] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/2-R4XziFc7A/YO0ZSrX_X4wJ
[2] https://code.google.com/p/chromium/issues/detail?id=401365
[3] http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
[4] http://googleonlinesecurity.blogspot.ch/2014/09/gradually-sunsetting-sha-1.html
This is a Measurement Factory project
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trunk-Sign-with-SHA-256-t3.patch
Type: text/x-patch
Size: 25155 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20141001/8517e9bb/attachment-0001.bin>