[squid-dev] [PATCH] Validate server certificates without bumping

Tsantilas Christos chtsanti at users.sourceforge.net
Thu Oct 2 09:30:17 UTC 2014

On 10/02/2014 04:10 AM, Amos Jeffries wrote:
> Hash: SHA1
> On 2/10/2014 5:17 a.m., Tsantilas Christos wrote:
>> Hi all,
>> This patch add support for the "Validate server certificates
>> without bumping" use case described on the Peek and Splice wiki
>> page: http://wiki.squid-cache.org/Features/SslPeekAndSplice
>> This patch send to the certificate validation helper the
>> certificates and errors found in SslBump3 step, even if the
>> splicing mode selected. In the case the validation helper found
>> errors in certificates an error page returned to the http client.
> Any particular reason driving this addition?
> I think I can see some impact neding it but you should outline your
> reasons for the commit.

We are supporting certs validation for ssl bumped requests.
The certificates validation required because:
   1) Not all of the certificate errors are dangerous to the user.
   2) System admin may want to block some serious  server certificate 

The validation helper allow analyzing the errors and decide to ingore 
them or abort immediately the connection.

This patch makes possible to do server certificates validation, without 
the need to bump the connection.

> NP: have not yet reviewed the patch itself.


> Amos

More information about the squid-dev mailing list