[squid-users] How to have squid as safe as (e.g.) firefox?
rousskov at measurement-factory.com
Thu Aug 13 20:42:19 UTC 2015
On 08/13/2015 12:06 AM, Amos Jeffries wrote:
> On 13/08/2015 9:20 a.m., Jeremie Rafin wrote:
>> sslproxy_cert_error deny all
>
> You have also configured "sslproxy_cert_error deny all" which forces
> Squid to accept and ignore all possible origin server certificate
> errors. Including revocation.

"deny" does not force Squid to "accept and ignore". I think you are
describing the effects of the opposite setting:

    sslproxy_cert_error allow all

The actual "deny all" configuration means "do not allow any error to get
through". We should have used custom ACL verbs if the default allow/deny
are causing confusion among the best of us.
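
The allow/deny distinction discussed in this message can be checked mechanically. The following is an added example, not part of the original post and not Squid project code: a small auditor that reports which `sslproxy_cert_error` rules let certificate errors through. The function name, the ACL name `knownBroken` and the sample configurations are constructed, and it assumes Squid's usual first-match-wins evaluation of access rules.

```python
def audit_cert_error_rules(conf_text):
    """Return (line_no, severity, scope) for each reachable sslproxy_cert_error
    rule that lets origin server certificate errors through ("allow")."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if parts[0] != "sslproxy_cert_error" or len(parts) < 3:
            continue
        action, acls = parts[1].lower(), parts[2:]
        catch_all = acls == ["all"]
        if action == "allow":
            # "allow" means the error is tolerated and the connection proceeds
            severity = "high" if catch_all else "review"
            scope = "all traffic" if catch_all else "ACL " + " ".join(acls)
            findings.append((line_no, severity, scope))
        if catch_all:
            # Assumption: first match wins, so rules after a catch-all
            # "allow all" / "deny all" are never reached.
            break
    return findings


# Constructed sample configurations (not taken from the thread).
IGNORES_ERRORS = "sslproxy_cert_error allow all\n"
STRICT = ("sslproxy_cert_error deny all\n"
          "sslproxy_cert_error allow all\n")
SCOPED = ("acl knownBroken dstdomain .example.com\n"
          "# tolerate errors only for one known-broken site\n"
          "sslproxy_cert_error allow knownBroken\n"
          "sslproxy_cert_error deny all\n")

if __name__ == "__main__":
    for name, conf in [("IGNORES_ERRORS", IGNORES_ERRORS),
                       ("STRICT", STRICT), ("SCOPED", SCOPED)]:
        print(name, audit_cert_error_rules(conf))
```
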