[squid-users] Ssl-Bump and revoked server certificates
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 7 09:05:01 UTC 2015
On 7/10/2015 4:27 a.m., Alex Rousskov wrote:
> On 10/06/2015 01:27 AM, Jason Haar wrote:
>> Good catch - I don't think squid does CRL/OCSP checks
>
>> But this is a bug in squid - this means untrustworthy certs become
>> trusted again - not a good look
>
>
> IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
> difficult to configure to do CRL checks. If my recollection is correct,
> then this is not exactly a Squid bug but more like a missing convenience
> feature.
Exactly. All thats missing is the squid.conf directive in Squid-3.x.
That has been added in Squid-4.
>
> Squid does not know about OCSP. Another missing feature.
>
> One may perform all those checks using a custom certificate validator
> helper, of course.
>
Amos
More information about the squid-users
mailing list