[squid-users] squid & handling/propagating certificate revocations...?

L A Walsh squid-user at tlinx.org
Sat Feb 18 22:31:02 UTC 2017


How does squid 'normally' handle security revocations, like from
this test page?:

  https://revoked.grc.com/

Or how 'should' it be handling it (i.e. is my setup more broken
than most? ;^) )

Or, when squid fetches the page, does it do any checking before
sending it to the user?

Or, does it pass it through, w/o checking, to the user, but check
revocation before storing it in the local disk cache?

In the above two cases, a client (say a browser) configured to
check revocations would detect the revocations both on initial
connect as well as content served from cache.  That works, though
it _might_ be more efficient if squid didn't cache such pages.

However, in the case of squid using https-interception to allow
breaking open otherwise uncacheable streams, my configuration doesn't
seem to check if a remote site is using a revoked cert.

So question(s):  Is there any way to configure squid to check and
either add a message to the page indicating the security revocation,
or, at least, fail in retrieving the message?

And, ideally, _could_ squid interactively prompt the user about
whether or not the specific cert should be used/allowed anyway,
*and* whether or not the cert should be _stored_ as an "exception"?
If so, then further connects would "just work"; otherwise, clients
would get an error message?

Ideas?  Anyone else solved this problem?

Thanks!
-linda
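An added example, not part of Linda's post and not Squid's own code or configuration: the script below builds a throwaway CA and one server certificate, then runs the CRL-based revocation check that any TLS client sitting in front of the user (a browser, or a proxy that terminates the upstream TLS session itself) would need to apply before trusting an origin server's certificate. The hostname revoked.example.test and the CRL URL http://crl.example.test/demo.crl are placeholders, and the config file is constructed here for the demo. It needs only the openssl CLI and runs offline.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project):
# build a demo CA + leaf cert, revoke the leaf, and show that a CRL-aware
# verification rejects it while a plain chain check does not.
set -eu

# Minimal `openssl ca` configuration (constructed for this demo; the
# SAN hostname and CRL URL are hypothetical placeholders).
write_ca_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/issued
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = any_policy
x509_extensions  = v3_leaf

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
extendedKeyUsage      = serverAuth
subjectAltName        = DNS:revoked.example.test
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF
}

# Create the demo PKI in a temp directory: root CA, one server cert and
# an initially empty CRL.  Prints the directory path.
make_demo_pki() {
  pki_dir=$(mktemp -d)
  write_ca_config "$pki_dir"
  (
    cd "$pki_dir"
    mkdir issued
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/CN=Demo Root CA" -days 1 -config ca.cnf
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=revoked.example.test" -config ca.cnf
    openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt
    openssl ca -config ca.cnf -gencrl -out crl.pem
  ) >/dev/null 2>&1
  printf '%s\n' "$pki_dir"
}

# What the CA does on compromise: revoke the cert and publish a new CRL.
revoke_leaf() {
  (
    cd "$1"
    openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise
    openssl ca -config ca.cnf -gencrl -out crl.pem
  ) >/dev/null 2>&1
}

# Chain validation WITHOUT revocation data: what a client gets by default.
chain_only_check() {
  openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Chain validation PLUS a CRL lookup for the leaf: exit 0 only when the
# certificate is trusted and not revoked.
crl_check() {
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
    "$1/leaf.crt" >/dev/null 2>&1
}

# Human-readable verdict: "good" or "revoked".
revocation_status() {
  if crl_check "$1"; then echo good; else echo revoked; fi
}

# Walk-through: good before revocation, revoked after; the chain-only
# check keeps saying OK either way, which is the gap the post is about.
DEMO=$(make_demo_pki)
echo "before revocation: $(revocation_status "$DEMO")"
revoke_leaf "$DEMO"
echo "after revocation:  $(revocation_status "$DEMO")"
chain_only_check "$DEMO" && echo "chain-only check still accepts the revoked cert"
rm -rf "$DEMO"
```

The point to take from the last two lines is the caveat that applies to any OpenSSL-based client: the library validates the chain but consults no CRL or OCSP data unless the application explicitly enables that check and supplies the revocation data, so a proxy that re-terminates upstream TLS inherits whatever the default is unless it is configured otherwise.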