[squid-dev] [PATCH] Errors served using invalid certificates when dealing with SSL server errors.

Tsantilas Christos chtsanti at users.sourceforge.net
Thu Jul 9 13:13:32 UTC 2015


Applied to trunk as r14145.


On 07/07/2015 09:05 PM, Amos Jeffries wrote:
> On 8/07/2015 4:28 a.m., Tsantilas Christos wrote:
>> Hi all,
>>
>> When bumping Squid needs to send a Squid-generated error "page" over a
>> secure connection, Squid needs to generate a certificate for that
>> connection. Prior to these changes, several scenarios could lead to
>> Squid generating a certificate that clients could not validate. In those
>> cases, the user would get a cryptic and misleading browser error instead
>> of a Squid-generated error page with useful details about the problem.
>>
>> One example is a server certificate that is rejected by the certificate
>> validation helper. Squid no longer uses CN from that certificate to
>> generate a fake certificate.
>>
>> Another example is a user accessing an origin server using one of its
>> "alternative names" and getting a Squid-generated certificate containing
>> just the server common name (CN).
>>
>> These changes make sure that the certificate for error pages is generated
>> using SNI (when peeking or staring, if available) or CONNECT host name
>> (including server-first bumping mode). We now update the
>> ConnStateData::sslCommonName field (used as CN field for generated
>> certificates) only _after_ the server certificate is successfully
>> validated.
>>
>
> +1.
>
> Amos
>
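A small model of the certificate-name selection discussed in this thread, added here as an illustration and not Squid's own code (the classes, field names and host names are constructed). It contrasts the old and new choice of CN for a generated error-page certificate and checks whether a client that asked for a given host name would accept the resulting CN-only certificate, for the two failure scenarios the patch description mentions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Cert:
    cn: str
    sans: List[str] = field(default_factory=list)
    validated: bool = False          # verdict of the certificate validation helper

@dataclass
class BumpState:
    connect_host: str                # host name from the client's CONNECT request
    sni: Optional[str] = None        # SNI seen while peeking/staring; None in server-first mode
    server_cert: Optional[Cert] = None

def error_cert_cn_old(st: BumpState) -> str:
    # Old behaviour (as described in the thread): the server certificate's CN was
    # copied into sslCommonName as soon as the certificate arrived, validated or not.
    if st.server_cert is not None:
        return st.server_cert.cn
    return st.sni or st.connect_host

def error_cert_cn_new(st: BumpState) -> str:
    # New behaviour: the server certificate's CN is used only after successful
    # validation; otherwise the error page is served under the SNI or CONNECT host.
    if st.server_cert is not None and st.server_cert.validated:
        return st.server_cert.cn
    return st.sni or st.connect_host

def _name_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):     # wildcard covers exactly one leftmost label
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def client_accepts(requested_host: str, cert: Cert) -> bool:
    """Approximate browser name checking: SAN entries if present, otherwise the CN."""
    names = cert.sans if cert.sans else [cert.cn]
    return any(_name_matches(n, requested_host) for n in names)

def outcome(st: BumpState, requested_host: str):
    """(old accepted?, new accepted?) for a CN-only generated error certificate."""
    return (client_accepts(requested_host, Cert(error_cert_cn_old(st))),
            client_accepts(requested_host, Cert(error_cert_cn_new(st))))

# Scenario 1 (constructed): server certificate rejected by the helper, server-first mode (no SNI).
REJECTED = BumpState("www.example.com", server_cert=Cert("wrong.example.net", validated=False))
# Scenario 2 (constructed): client used an alternative name; the server cert is then rejected,
# so Squid must serve an error page.
ALTNAME = BumpState("alt.example.com", sni="alt.example.com",
                    server_cert=Cert("www.example.com", ["www.example.com", "alt.example.com"]))

if __name__ == "__main__":
    print(outcome(REJECTED, "www.example.com"))  # (False, True)
    print(outcome(ALTNAME, "alt.example.com"))   # (False, True)
```

In both scenarios the old CN choice yields a certificate the client rejects (a browser error with no Squid details), while the new choice yields one the client accepts, so the error page is actually shown.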
