[squid-dev] [PATCH] Validate server certificates without bumping
chtsanti at users.sourceforge.net
Thu Oct 2 09:30:17 UTC 2014
On 10/02/2014 04:10 AM, Amos Jeffries wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 2/10/2014 5:17 a.m., Tsantilas Christos wrote:
>> Hi all,
>> This patch add support for the "Validate server certificates
>> without bumping" use case described on the Peek and Splice wiki
>> page: http://wiki.squid-cache.org/Features/SslPeekAndSplice
>> This patch send to the certificate validation helper the
>> certificates and errors found in SslBump3 step, even if the
>> splicing mode selected. In the case the validation helper found
>> errors in certificates an error page returned to the http client.
> Any particular reason driving this addition?
> I think I can see some impact neding it but you should outline your
> reasons for the commit.
We are supporting certs validation for ssl bumped requests.
The certificates validation required because:
1) Not all of the certificate errors are dangerous to the user.
2) System admin may want to block some serious server certificate
The validation helper allow analyzing the errors and decide to ingore
them or abort immediately the connection.
This patch makes possible to do server certificates validation, without
the need to bump the connection.
> NP: have not yet reviewed the patch itself.
More information about the squid-dev