[squid-users] Ssl-Bump and revoked server certificates

Amos Jeffries squid3 at treenet.co.nz
Sun Oct 18 23:01:55 UTC 2015


On 19/10/2015 8:37 a.m., Walter H. wrote:
> On 04.10.2015 21:08, Walter H. wrote:
>> Hello,
>>
>> does anybody know if squid does certificate checks and how to tell
>> squid to do so;
>>
>> this is a site with a revoked certificate
>> https://revoked.grc.com/
>>
>> without squid, the browser shows that the certificate is revoked and
>> doesn't show the page
>> with squid, the page is shown ...
>>
>> Thanks,
>> Walter
> 
> I have solved it:
> 
> my solution not only does certificate checks using OCSP, it also stores
> the real certificates into a different "database" folder;
> if someone doesn't want this, just remove the few lines of the shell
> script;
> as there exists no CA that allows IP addresses in either the certificate
> subject or the SAN (subject alternative name),
> 
> https://www.whitehouse.gov/
> (is blocked at my solution because of a root certificate not in the cert
> store)
> 
> all these candidates are blocked with error
> 
> /X509_V_ERR_CERT_REJECTED/
> 
> it uses two components:
> 
> - a shell script (BASH) called by the programme
> - the main programme (in C): the only thing missing is an exception list of
> domains/hosts not to validate through this procedure

If you are interested in getting this helper bundled with Squid the
details on how to prepare and submit a patch to squid-dev mailing list
are at:
<http://wiki.squid-cache.org/MergeProcedure>

Cheers
Amos
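As an added example, not Walter's helper and not code from the Squid project, the sketch below shows the shape such a certificate validator helper takes: it answers Squid's cert_validate requests, passes hosts on an exception list (the part Walter says his helper still lacks) without checking, and otherwise asks the leaf certificate's OCSP responder through the openssl CLI, answering with X509_V_ERR_CERT_REJECTED when the status is revoked. The request and response framing is written to the Squid wiki's description of the sslcrtvalidator helper protocol in non-concurrent mode and is an assumption to check against the Squid version in use; SKIP_HOSTS, the placeholder chain in sample_request, and the use of openssl on PATH are likewise assumptions of this example.

```python
"""Added example: minimal Squid-style certificate validator helper with an
OCSP check and an exception list. Framing per the Squid wiki (assumed)."""
import re
import subprocess
import sys
import tempfile

# Assumed exception list: hosts Squid should pass without the OCSP check.
SKIP_HOSTS = {"intranet.example.test"}          # constructed sample entry
KEY_RE = re.compile(
    r"^(host|proto_version|cipher|cert_\d+|error_name_\d+|error_cert_\d+)=(.*)$")


def parse_request(raw):
    """Split 'cert_validate <size> <body>' into (host, [pem, ...]). cert_N
    values span several lines, so a line without a known key belongs to the
    most recent cert_N entry."""
    m = re.match(r"cert_validate (\d+) ", raw)
    if not m:
        raise ValueError("not a cert_validate request")
    body = raw[m.end():m.end() + int(m.group(1))]
    host, certs, cur = None, {}, None
    for line in body.splitlines():
        km = KEY_RE.match(line)
        if km:
            key, val = km.groups()
            cur = None
            if key == "host":
                host = val
            elif key.startswith("cert_"):
                cur = int(key[5:])
                certs[cur] = [val]
        elif cur is not None:
            certs[cur].append(line)
    return host, ["\n".join(certs[i]) for i in sorted(certs)]


def ocsp_status(leaf_pem, issuer_pem):
    """Return 'good', 'revoked' or 'unknown' for the leaf via `openssl ocsp`.
    Assumes openssl on PATH and network access to the responder named in the
    leaf's AIA extension; a response that does not verify against the issuer
    (a real deployment would point -CAfile at the full trust store) is 'unknown'."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as leaf, \
         tempfile.NamedTemporaryFile("w", suffix=".pem") as issuer:
        leaf.write(leaf_pem); leaf.flush()
        issuer.write(issuer_pem); issuer.flush()
        uri = subprocess.run(["openssl", "x509", "-noout", "-ocsp_uri", "-in", leaf.name],
                             capture_output=True, text=True).stdout.strip()
        if not uri:
            return "unknown"                    # no OCSP URL to ask
        r = subprocess.run(["openssl", "ocsp", "-issuer", issuer.name, "-CAfile", issuer.name,
                            "-cert", leaf.name, "-url", uri, "-no_nonce", "-timeout", "5"],
                           capture_output=True, text=True)
    if "Response verify OK" not in r.stderr:
        return "unknown"
    for status in ("revoked", "good"):
        if f"{leaf.name}: {status}" in r.stdout:
            return status
    return "unknown"


def validate(raw, checker=ocsp_status, strict=False):
    """Build the helper reply. 'OK 0 ' keeps Squid's own verdict; an ERR reply
    attaches X509_V_ERR_CERT_REJECTED to cert_0. strict=True also rejects when
    the status cannot be determined (fail-closed instead of fail-open)."""
    host, chain = parse_request(raw)
    if host in SKIP_HOSTS:
        return "OK 0 "
    status = checker(chain[0], chain[1]) if len(chain) >= 2 else "unknown"
    if status == "good" or (status == "unknown" and not strict):
        return "OK 0 "
    body = ("error_name_0=X509_V_ERR_CERT_REJECTED\n"
            f"error_reason_0=OCSP status: {status}\n"
            "error_cert_0=cert_0\n")
    return f"ERR {len(body)} {body}"


def sample_request(host):
    """Constructed request with a two-entry placeholder chain (not real PEM)."""
    body = (f"host={host}\nproto_version=TLSv1.2\n"
            "cert_0=-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
            "cert_1=-----BEGIN CERTIFICATE-----\nISSUER\n-----END CERTIFICATE-----\n")
    return f"cert_validate {len(body)} {body}"


def serve(inp=sys.stdin, out=sys.stdout):
    """Helper main loop: read one framed request at a time and answer it."""
    while True:
        head = ""
        while head.count(" ") < 2:               # reads 'cert_validate <size> '
            ch = inp.read(1)
            if not ch:
                return
            head += ch
        raw = head + inp.read(int(head.split()[1]))
        out.write(validate(raw) + "\n")
        out.flush()


if __name__ == "__main__":
    serve()
```

The choice that matters operationally is the strict flag: with OCSP responders that are unreachable or whose responses do not verify, fail-open ("unknown" treated as OK) preserves availability but lets a revoked certificate through exactly when the check is being blocked, while fail-closed turns every responder outage into an X509_V_ERR_CERT_REJECTED page for users.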

