[squid-users] Ssl-Bump and revoked server certificates

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 18 23:01:55 UTC 2015

On 19/10/2015 8:37 a.m., Walter H. wrote:
> On 04.10.2015 21:08, Walter H. wrote:
>> Hello,
>> does anybody know if squid does certificate checks and how to tell
>> squid to do so;
>> this is a site with a revoked certificate
>> https://revoked.grc.com/
>> without squid, the browser shows that the certificate is revoked and
>> doesn't show the page
>> with squid, the page is shown ...
>> Thanks,
>> Walter
> I have solved it:
> my solution not only does certificate checks using OCSP, it also stores
> the real certificates into a different "database" folder;
> if someone doesn't want this, just remove the few lines of the shell
> script;
> as there exist no CA that allows IP adresses neither in certificate
> subject nor in the SAN (subject alternative name),
> https://www.whitehouse.gov/
> (is blocked at my solution because of a root certificate not in the cert
> store)
> all these candidates are blocked with error
> it uses two components:
> - a shell script (BASH) called by the programme
> - the main programme (in C): the only missing is an exception list of
> domains/hosts not to validate through this procedure

If you are interested in getting this helper bundled with Squid the
details on how to prepare and submit a patch to squid-dev mailing list
are at:


More information about the squid-users mailing list