[squid-users] squid & handling/propagating certificat revocations...?

Alex Rousskov rousskov at measurement-factory.com
Sat Feb 18 23:17:03 UTC 2017

On 02/18/2017 03:31 PM, L A Walsh wrote:
> How does squid 'normally' handle security revocations,

In the simplest case without SslBump, Squid does not see the server
certificate at all and, hence, cannot validate it. Squid simply tunnels
opaque bytes, including certificate bytes, from the server to the
client. You cannot customize this aspect of Squid behavior.

If an SslBump peeking or staring rule matches at step2, then Squid
receives the server certificate and asks OpenSSL to validate it before
sending/receiving any HTTP-level data to/from that server. If your
OpenSSL installation considers the certificate revoked, Squid will treat
it as such and, by default, terminate the connection to the origin
server without receiving an HTTP response.

You can customize that default using several configuration options
and/or a certificate validation helper. Search squid.conf.documented for
"certificate" and "sslcrtvalidator_program".

> However, in the case of squid using https-interception to allow
> breaking open otherwise uncacheable streams, my configuration doesn't
> seem to check if a remote site is using a revoked cert.

Squid does not validate server certificates that it does not see. For
example, if you splice the intercepted connections at SslBump step1 or
step2, then Squid will not see the server certificate and will just
forward all certificate bytes to the client "as is".

> And, ideally, _could_ squid interactively prompt the user about
> whether or not the specific cert should be used/allowed anyway,
> *and* whether or not the cert should be _stored_ as an "exception"?

Upon receiving a revoked certificate, a _browser_ can do that. Squid is
not a User Agent and does not talk to the user directly (although it
can, in some cases, respond with an error page that a user will see).

If you are bumping (rather than splicing) SSL connections, then the fake
certificate generated by Squid will not be revoked even if the origin
server certificate was -- I do not think Squid mimics that aspect of the
origin server certificate.



More information about the squid-users mailing list