[squid-users] squid & handling/propagating certificate revocations...?
L A Walsh
squid-user at tlinx.org
Sat Feb 18 22:31:02 UTC 2017
How does squid 'normally' handle security revocations, like from
this test page?:
https://revoked.grc.com/
Or how 'should' it be handling it (i.e. is my setup more broken
than most? ;^) )
Or, when squid fetches the page, does it do any checking before
sending it to the user?
Or, does it pass it through, w/o checking, to user, but check
revocation before storing it in the local disk cache.
In the above two cases, a client (say a browser) configured to
check revocations, would detect the revocations both on initial
connect as well as content served from cache. That works, though
it _might_ be more efficient if squid didn't cache such pages.
However, in the case of squid using https-interception to allow
breaking open otherwise uncacheable streams, my configuration doesn't
seem to check if a remote site is using a revoked cert.
So question(s): Is there any way to configure squid to check and
either add a message to the page indicating the security revocation,
or, at least, fail in retrieving the message?
And, ideally, _could_ squid interactively prompt the user about
whether or not the specific cert should be used/allowed anyway,
*and* whether or not the cert should be _stored_ as an "exception"?
If so, then further connects would "just work"; otherwise, clients
would get an error message?
Ideas? Anyone else solved this problem?
Thanks!
-linda
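The interception case raised above comes down to one question: once the proxy terminates the origin's TLS and re-signs the content for the client, the client can no longer see the origin certificate, so any revocation check has to happen on the proxy side, before the re-signed response is served. The script below is an added example (not code from the original post and not part of Squid): it builds a throw-away CA with the openssl command-line tool, issues a leaf certificate for a made-up host, revokes it, and then shows the difference between a chain-only check (which still says OK for the revoked leaf) and a check that also consults the CRL. Everything in it is constructed locally: the CA name, the host name revoked.example.test, the temp directory and the function names are assumptions for the demo, and it requires only POSIX sh and openssl (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example: what a revocation-aware check on the proxy side looks like,
# done with a locally built CA so it runs offline. Not Squid code.

# Build a temporary CA, a leaf cert, a CRL with nothing revoked and a CRL that
# revokes the leaf. Prints the working directory; callers read
#   $dir/ca.pem  $dir/leaf.pem  $dir/crl-empty.pem  $dir/crl-revoked.pem
build_demo_pki() {
    dir=$(mktemp -d)
    cnf="$dir/ca.cnf"
    # Minimal config for "openssl req -x509" (CA self-signing) and "openssl ca".
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = Demo Proxy Test CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $dir
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF
    : > "$dir/index.txt"          # empty CA database
    echo 1000 > "$dir/serial"     # next certificate serial (hex)
    echo 01 > "$dir/crlnumber"    # next CRL number (hex)

    # Self-signed CA certificate (CA:TRUE, keyCertSign+cRLSign so it may sign CRLs).
    openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1

    # Leaf certificate for a hypothetical origin host, issued through "openssl ca"
    # so the CA database knows its serial and can revoke it later.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=revoked.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl ca -batch -config "$cnf" -notext \
        -in "$dir/leaf.csr" -out "$dir/leaf.pem" >/dev/null 2>&1

    # CRL #1: published before anything is revoked.
    openssl ca -config "$cnf" -gencrl -out "$dir/crl-empty.pem" >/dev/null 2>&1
    # Revoke the leaf, then publish CRL #2 carrying that revocation.
    openssl ca -config "$cnf" -revoke "$dir/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$cnf" -gencrl -out "$dir/crl-revoked.pem" >/dev/null 2>&1

    echo "$dir"
}

# Chain-only check: signature, validity period and trust anchor, no revocation
# data at all. This is the decision a proxy makes if it never fetches CRL/OCSP.
# Usage: chain_check CA_PEM LEAF_PEM  -> prints ALLOW or BLOCK
chain_check() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ALLOW; else echo BLOCK; fi
}

# Chain check plus a CRL lookup for the leaf: the decision an intercepting
# proxy would need to make before re-signing the response for its client.
# Usage: revocation_check CA_PEM CRL_PEM LEAF_PEM  -> prints ALLOW or BLOCK
revocation_check() {
    if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1; then
        echo ALLOW
    else
        echo BLOCK
    fi
}

demo() {
    d=$(build_demo_pki)
    echo "chain only, leaf already revoked:  $(chain_check "$d/ca.pem" "$d/leaf.pem")"
    echo "chain + CRL from before revocation: $(revocation_check "$d/ca.pem" "$d/crl-empty.pem" "$d/leaf.pem")"
    echo "chain + CRL from after revocation:  $(revocation_check "$d/ca.pem" "$d/crl-revoked.pem" "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```

The first line of the demo output is the point: with nothing but the chain to look at, the revoked leaf passes, which is exactly the gap described for the interception setup. Whether the proxy gets its revocation data from a CRL, as here, or from OCSP, the check has to run on the proxy before the response is re-signed; a CRL or OCSP response is only as fresh as its nextUpdate, so a cached revocation decision should not outlive that time.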