[squid-users] Ssl-Bump and revoked server certificates

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 26 18:11:54 UTC 2015

On 27/10/2015 5:43 a.m., Sebastian Kirschner wrote:
> Hi,
> in my squid setup the sslcrtvalidator_program doesn’t send the data´s that I expect to the helper :-) .
> The helper receive the data´s as described in the wiki , expect the "form" of the domain,
> here I would expect a FQDN or domain like google.de or ca.google.de but the helper receive a IP.

If this is intercepted traffic then IIRC that is expected behaviour at
present. SNI is new and has not been rolled into every corner yet.

You may need to use key_extras feature for now to send the SNI logformat
value explicitly in a new key=value field.

Or you could look at making a patch to send the SNI instead of HTTP
level "domain" from the CONNECT. Any help getting these annoyances out
of the way is very welcome.


More information about the squid-users mailing list