[squid-users] Ssl-Bump and revoked server certificates

Alex Rousskov rousskov at measurement-factory.com
Tue Oct 6 15:27:32 UTC 2015

On 10/06/2015 01:27 AM, Jason Haar wrote:
> Good catch - I don't think squid does CRL/OCSP checks

> But this is a bug in squid - this means untrustworthy certs become
> trusted again - not a good look

IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
difficult to configure to do CRL checks. If my recollection is correct,
then this is not exactly a Squid bug but more like a missing convenience

Squid does not know about OCSP. Another missing feature.

One may perform all those checks using a custom certificate validator
helper, of course.


More information about the squid-users mailing list