[squid-users] How to make sslbump'ing more robust? (option to continue?)

Amos Jeffries squid3 at treenet.co.nz
Fri May 12 12:21:37 UTC 2017



On 12/05/17 15:45, L A Walsh wrote:
> Alex Rousskov wrote:
>> Yes, there is a way. Your options include:
>>
>> 1. Tell Squid to ignore expired certificates errors. Squid will then
>> mimic the expired certificate while allowing the client traffic. The
>> client should then detect the expired (fake) certificate and may offer
>> the user to bypass the problem. 
> ...
> ----
>
> Since my SSL-bump is on a private server with most clients
> being my clients, this is probably the most ideal.  I wasn't sure
> if the type of SSL-problem would be correctly duplicated to the
> client, as I didn't want to just continue the connection without
> telling the browser operator (most often, me) that there was
> some problem.

The details of what gets mimicked are documented at 
<http://wiki.squid-cache.org/Features/MimicSslServerCert>.

Under validity Dates:
  "True dates by default. If a true validity date is missing or if 
sslproxy_cert_adapt setValidAfter and setValidBefore is active, then the 
signing certificate validity date is used."

Amos
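A squid.conf fragment for option 1 above, added here as an illustration and not taken from the thread or from the Squid project's documentation: it lets Squid accept an expired origin certificate and, because no setValidAfter/setValidBefore adaptation is active, the forged certificate keeps the origin's true validity dates, so the client still sees (and warns about) the expiry itself. The ACL names cert_expired and step1 are chosen here; the directive and error names are standard Squid 3.5+ syntax.

```conf
# Added example: bump TLS and pass origin expiry through to the client.
# Peek at step 1 so Squid learns the origin certificate before bumping.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Match only the one X.509 error we are willing to tolerate on the
# server side; every other validation failure is still an error.
acl cert_expired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
sslproxy_cert_error allow cert_expired
sslproxy_cert_error deny all

# Deliberately NOT enabling these adaptations: they would replace the
# origin's dates with the signing CA's dates and hide the expiry.
#sslproxy_cert_adapt setValidAfter all
#sslproxy_cert_adapt setValidBefore all

# Untrusted origins still get a certificate signed by the untrusted
# signer so the client is warned about them too (Squid's own default).
sslproxy_cert_sign signUntrusted ssl::certUntrusted
sslproxy_cert_sign signTrusted all
```

After reloading, check from a client behind the proxy that the certificate presented for an expired origin carries the origin's notAfter date rather than the CA's; if it shows the CA's dates, a setValidAfter/setValidBefore adaptation is still active somewhere in the configuration.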