[squid-users] How to have squid as safe as (e.g.) firefox?
Alex Rousskov
rousskov at measurement-factory.com
Thu Aug 20 00:02:54 UTC 2015
On 08/19/2015 09:43 AM, Jeremie Rafin wrote:
> # Non bumped list (only spliced): wellsfargo
> acl splicelist ssl::server_name .wellsfargo.com
>
> # SSL configuration
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1 all
> ssl_bump splice step2 splicelist
> ssl_bump bump all
> With this config file, https://revoked.grc.com/ is not rejected.
On my test machine, "openssl verify -crl_check ..." does not reject that
site's certificate either unless I manually download and set up the
corresponding CRL. You should not expect much more vigilance from a
stock Squid installation than you get from OpenSSL on the same box:
Squid uses OpenSSL for certificate validation.
FireFox does reject that URL with sec_error_revoked_certificate. This
means that FireFox CRL lists maintenance is "better" than that of stock
OpenSSL installation [on Ubuntu 14.04.3 LTS].
You might also find Squid's http_port crlfile option and the following
answer useful:
http://askubuntu.com/questions/448876/how-do-i-install-an-openssl-crl-file
HTH,
Alex.
More information about the squid-users
mailing list