[squid-users] Ssl-Bump and revoked server certificates

Walter H. walter.h at mathemainzel.info
Tue Oct 6 10:21:52 UTC 2015


Hello,

Can you please provide an example of how to use this in squid.conf?

By the way, how would I use these:

sslcrtvalidator_program
and
sslcrtvalidator_children?

Thanks,
Walter

On Tue, October 6, 2015 09:27, Jason Haar wrote:
> Good catch - I don't think squid does CRL/OCSP checks
>
> I'm using the external_acl_type method to achieve that: it does the
> extra work and returns "ERR" for revoked certs - which (for me) causes
> squid to fall back on splice mode - so that the client browser can see
> the actual fault directly (i.e. I'm making sure revoked certs are never
> bumped)
>
> But this is a bug in squid - this means untrustworthy certs become
> trusted again - not a good look
>
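
The helper side of the external_acl_type approach described in the quoted reply, as an added example that is not part of the original thread and is not Jason Haar's or the Squid project's code. It assumes the helper runs with concurrency enabled (each request line starts with a channel ID) and that the configured format passes host and port, which is a hypothetical choice; the revocation lookup is a constructed stand-in for a real CRL/OCSP check.

```python
import sys
from urllib.parse import unquote

# Constructed sample data standing in for a real CRL/OCSP lookup.
SAMPLE_REVOKED = {("revoked.example.test", 443)}

def sample_lookup(host, port):
    """Hypothetical checker: True if revoked, False if good, raises on lookup failure."""
    if host == "ocsp-down.example.test":
        raise TimeoutError("responder unreachable")
    return (host, port) in SAMPLE_REVOKED

def answer(line, lookup=sample_lookup, cache=None):
    """Turn one request line '<channel> <host> <port>' into one reply line."""
    cache = {} if cache is None else cache
    fields = line.split()
    if len(fields) != 3 or not fields[0].isdigit() or not fields[2].isdigit():
        # Malformed input: echo the channel if it is usable; BH = helper failure.
        chan = fields[0] if fields and fields[0].isdigit() else "0"
        return f"{chan} BH message=bad-request"
    # Squid URL-escapes format values by default, so decode before comparing.
    chan, host, port = fields[0], unquote(fields[1]).lower(), int(fields[2])
    key = (host, port)
    if key not in cache:
        try:
            cache[key] = lookup(host, port)
        except Exception:
            # Do not cache failures, and do not report them as "good".
            return f"{chan} BH message=revocation-lookup-failed"
    # ERR = ACL does not match (revoked), OK = ACL matches (not revoked).
    return f"{chan} ERR message=revoked" if cache[key] else f"{chan} OK"

def main():
    cache = {}
    for line in sys.stdin:
        # Squid expects exactly one reply line per request, unbuffered.
        print(answer(line, cache=cache), flush=True)

if __name__ == "__main__":
    main()
```

Keeping lookup failures (BH) distinct from a revoked verdict (ERR) means an unreachable responder is never recorded as a good certificate.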



