[squid-dev] [PATCH] Errors served using invalid certificates when dealing with SSL server errors.

Amos Jeffries squid3 at treenet.co.nz
Tue Jul 7 18:05:27 UTC 2015


On 8/07/2015 4:28 a.m., Tsantilas Christos wrote:
> Hi all,
> 
> When bumping Squid needs to send a Squid-generated error "page" over a
> secure connection, Squid needs to generate a certificate for that
> connection. Prior to these changes, several scenarios could lead to
> Squid generating a certificate that clients could not validate. In those
> cases, the user would get a cryptic and misleading browser error instead
> of a Squid-generated error page with useful details about the problem.
> 
> One example is a server certificate that is rejected by the certificate
> validation helper. Squid no longer uses CN from that certificate to
> generate a fake certificate.
> 
> Another example is a user accessing an origin server using one of its
> "alternative names" and getting a Squid-generated certificate containing
> just the server common name (CN).
> 
> These changes make sure that the certificate for error pages is generated
> using SNI (when peeking or staring, if available) or CONNECT host name
> (including server-first bumping mode). We now update the
> ConnStateData::sslCommonName field (used as CN field for generated
> certificates) only _after_ the server certificate is successfully
> validated.
> 

+1.

Amos
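The two failure scenarios Christos describes (a rejected origin certificate, and an origin reached through one of its alternative names) can be replayed with a small model of the naming rule. The following is an added illustration, not code from Squid or from the patch: it models `ConnStateData::sslCommonName` as a field on a toy `ConnState`, contrasts the pre-patch rule (use whatever origin CN was recorded) with the patched rule (SNI, else the CONNECT host; record the CN only after validation), and runs a browser-style hostname check against the name the generated error certificate would carry. All hostnames and certificates are constructed for the example.

```python
"""Added example (not Squid's code): models the certificate-naming rule the patch
describes, so the two failure scenarios from the mail can be replayed offline.
All hostnames and certificates below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or a single leading '*.' label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.test"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix  # wildcard covers one label only
    return False


def client_accepts(requested_host: str, cert_names: List[str]) -> bool:
    """Would a browser's name check pass for a certificate carrying these names?"""
    return any(hostname_matches(n, requested_host) for n in cert_names)


@dataclass
class ServerCert:
    cn: str
    sans: List[str] = field(default_factory=list)


@dataclass
class ConnState:
    """Toy subset of the per-connection state the patch talks about (hypothetical)."""
    connect_host: str                      # host from the CONNECT request
    sni: Optional[str] = None              # SNI learned while peeking/staring
    ssl_common_name: Optional[str] = None  # analogue of ConnStateData::sslCommonName


def legacy_on_server_cert(conn: ConnState, cert: ServerCert, validated: bool) -> None:
    """Pre-patch behaviour: remember the origin CN as soon as it is seen."""
    conn.ssl_common_name = cert.cn


def patched_on_server_cert(conn: ConnState, cert: ServerCert, validated: bool) -> None:
    """Post-patch behaviour: remember the origin CN only after validation succeeds."""
    if validated:
        conn.ssl_common_name = cert.cn


def legacy_error_cert_name(conn: ConnState) -> str:
    """Pre-patch: the generated error certificate carries whatever CN was recorded."""
    return conn.ssl_common_name or conn.sni or conn.connect_host


def patched_error_cert_name(conn: ConnState) -> str:
    """Post-patch: SNI when available, otherwise the CONNECT host name."""
    return conn.sni or conn.connect_host


def serve_error(on_cert, error_name, requested: str, cert: ServerCert, validated: bool) -> bool:
    """Simulate one bumped connection that ends in a Squid-generated error page.

    Returns True when the browser would accept the generated certificate and so
    display the error page instead of a certificate warning."""
    conn = ConnState(connect_host=requested, sni=requested)
    on_cert(conn, cert, validated)
    return client_accepts(requested, [error_name(conn)])


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Replay the two cases from the mail; True means the user sees Squid's error page."""
    # 1. Validation helper rejects the origin cert (here: its CN names a different host).
    rejected = ServerCert(cn="wrong-host.example.test")
    # 2. Origin reached via a subjectAltName; the cert validates, but CN != requested name.
    alt_name = ServerCert(cn="example.test", sans=["www.example.test"])
    cases = {
        "rejected_cert": ("example.test", rejected, False),
        "alt_name": ("www.example.test", alt_name, True),
    }
    results: Dict[str, Dict[str, bool]] = {}
    for label, (host, cert, ok) in cases.items():
        results[label] = {
            "legacy": serve_error(legacy_on_server_cert, legacy_error_cert_name, host, cert, ok),
            "patched": serve_error(patched_on_server_cert, patched_error_cert_name, host, cert, ok),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label}: legacy={outcome['legacy']} patched={outcome['patched']}")
```

In both constructed cases the legacy rule produces a name the browser rejects, which is the "cryptic and misleading browser error" from the mail, while naming the error certificate after the SNI or CONNECT host gives a name that matches what the client asked for. Note that the model deliberately does not consult the origin certificate's SANs when choosing the error name: an unvalidated certificate is untrusted input, so nothing from it should shape what the client is shown.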