[squid-users] ssl-bump doesn't like valid web server

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 22 08:14:10 UTC 2015


On 22/01/2015 8:20 p.m., Steve Hill wrote:
> On 21/01/15 18:39, Eliezer Croitoru wrote:
> 
>>> but not using ssl_crtd
>> What are you using if not ssl_crtd?
> 
> Squid generates the certificates internally if ssl_crtd isn't
> turned on at compile time.  I've not seen any information
> explaining the pros and cons of each approach (I'd welcome any
> input!).
> 

Squid only *generates* server certificates using that helper. If you
are seeing the log lines "Generating SSL certificate" they are
incorrect when not using the helper.

The non-helper bumping is limited to using the configured http(s)_port
cert= and key= contents. In essence only doing client-first or
peek+splice SSL-bumping styles.

Amos
