[squid-users] Ssl-Bump and revoked server certificates

Sebastian Kirschner s.kirschner at afa-finanz.de
Thu Oct 22 11:02:46 UTC 2015 

Hi Amos ,

thanks for your reply.

Maybe we got an misunderstanding or I have an "false" opinion of the sentence I quoted before.

I thought you could say to me what for checks would definitely performed in "standard" installation with openssl,

not only that you believe that the X.509 certificate syntax and properties would be checked in correctness and the signer.

I´m sorry for these remark , but for me it's important to know what checks would performed to prevent another on the same thing and slow down the "process".


Another question regarding the Options from "sslcrtvalidator_program",
ttl " TTL in seconds for cached results. The default is 60 secs"

Is the cached results referred to the sslhost ?

For example , I configured that the TTL is 12 hours.
A request from Client A is performed to https://www.google.com the validator report back to squid that the certificate is ok and the connection would be spliced/bumped,
1 hour later Client B perform a request again too https://www.google.com , would squid use the "cached" answer from the validator used ?


And another question regarding the cache option.
What from the response would be cached , the complete one or maybe only the sslhost and response code ?

Would it be defined as byte in as the validator and speak ?
 

------------------------------
Message: 4
Date: Thu, 22 Oct 2015 22:41:43 +1300
From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Ssl-Bump and revoked server certificates
Message-ID: <5628AF57.6060002 at treenet.co.nz>
Content-Type: text/plain; charset=utf-8

On 22/10/2015 7:22 p.m., Sebastian Kirschner wrote:
> Hi,
> 
> I have a question regarding the SSL Server Certificate Validator.
> 
> In the Wiki is written:
> "The helper will be optionally consulted after an internal OpenSSL validation we do now, regardless of that validation results."
> 
> What checks does the internal validation include ?

The "internal" validation is done by OpenSSL library. So whatever it is doing based on the configuration you give it.

I believe that includes X.509 certificate syntax validity, and X.509 properties validity in light of the TLS extensions negotiated on the connection, and a check the cert was signed by one of the system default Trusted-CA authorities (unless flags=NO_DEFAULT_CA was used) or a custom CA you loaded (with cafile=/capath= options).

There may be more (or less) happening but that is the bulk of it. And all inside OpenSSL so we can't easily debug the what/when/how of it when the output messages are obscure.

Amos
------------------------------

More information about the squid-users mailing list