[squid-users] Ssl-Bump and revoked server certificates
Alex Rousskov
rousskov at measurement-factory.com
Tue Oct 6 15:27:32 UTC 2015

On 10/06/2015 01:27 AM, Jason Haar wrote:
> Good catch - I don't think squid does CRL/OCSP checks
> But this is a bug in squid - this means untrustworthy certs become
> trusted again - not a good look

IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
difficult to configure to do CRL checks. If my recollection is correct,
then this is not exactly a Squid bug but more like a missing convenience
feature.

Squid does not know about OCSP. Another missing feature.

One may perform all those checks using a custom certificate validator
helper, of course.

Alex.