[squid-users] OCSP stapling and must-staple
Alex Rousskov
rousskov at measurement-factory.com
Mon Nov 13 16:07:46 UTC 2017
On 11/13/2017 03:21 AM, Niklas Bachmaier wrote:
> The last post I found on OCSP with Squid is from 2015 where it says
> that Squid does not support OCSP by any means.
For the record, here is that 2015 thread:
http://lists.squid-cache.org/pipermail/squid-users/2015-October/005831.html
> For certificate revocation checking we would like to make use of the
> OCSP must-staple feature (defined in RFC 7633). We are asking
> ourselves if OCSP stapling and especially must-staple is now supported
> by Squid and, if it is, if there is any special configuration needed
> to activate it.
AFAIK, OpenSSL does not automatically validate OCSP-related parts of the
server Hello. Squid does not do that either (yet?). As I said in 2015,
it may be possible to do the required validation using an external
certificate validator (sslcrtvalidator_program). If not already possible
"as is", it is probably not difficult to add the missing bits to Squid
to enable such external OCSP validation.
HTH,
Alex.
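For readers wiring up an external validator as the reply suggests, the following is an added example (not Squid's code, not OpenSSL's, and not part of the original thread) of the one decision such a validator would have to make for must-staple: detect the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing status_request (5) in the server certificate's extensions, and reject the connection when that extension is present but no OCSP response was stapled in the handshake. The minimal DER reader, the helper that builds the constructed sample extensions, and the `validate` function name are all this example's own assumptions; the sslcrtvalidator_program helper protocol itself is not shown.

```python
"""Must-staple (RFC 7633) policy check for an external certificate validator.

Added example, not Squid's own code. Given the DER-encoded Extensions
SEQUENCE of a server certificate and the OCSP response stapled in the
TLS handshake (empty bytes if none), decide whether the certificate's
must-staple requirement is satisfied.
"""

# id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24, as DER content octets
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension number for status_request (RFC 6066)


def _read_tlv(data, pos):
    """Parse one DER TLV at data[pos]; return (tag, value, next_pos).
    Handles short-form and long-form lengths up to 4 bytes, which is
    enough for certificate extensions."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample input)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def tls_features(extensions_der):
    """Return the set of TLS feature numbers announced by the TLS Feature
    extension, or an empty set when the extension is absent."""
    tag, exts, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(exts):
        _, ext, pos = _read_tlv(exts, pos)
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL,
        #                          extnValue OCTET STRING }
        _, oid, p = _read_tlv(ext, 0)
        if oid != TLS_FEATURE_OID:
            continue
        t, v, p = _read_tlv(ext, p)
        if t == 0x01:  # skip the optional 'critical' BOOLEAN
            t, v, p = _read_tlv(ext, p)
        # extnValue wraps Features ::= SEQUENCE OF INTEGER
        _, seq, _ = _read_tlv(v, 0)
        feats = set()
        q = 0
        while q < len(seq):
            _, num, q = _read_tlv(seq, q)
            feats.add(int.from_bytes(num, "big", signed=True))
        return feats
    return set()


def must_staple(extensions_der):
    """True when the certificate demands a stapled OCSP response."""
    return STATUS_REQUEST in tls_features(extensions_der)


def validate(extensions_der, stapled_ocsp_response):
    """Policy decision an external validator would return to Squid:
    reject if must-staple is asserted but nothing was stapled.
    (Checking the signature and freshness of a present response is a
    separate step, not shown here.)"""
    if must_staple(extensions_der) and not stapled_ocsp_response:
        return "reject: certificate requires OCSP stapling but no response was stapled"
    return "ok"


def build_extensions(with_must_staple):
    """Constructed sample Extensions SEQUENCE (not from any real certificate):
    optionally the TLS Feature extension, plus basicConstraints CA:FALSE."""
    exts = b""
    if with_must_staple:
        features = _der(0x30, _der(0x02, bytes([STATUS_REQUEST])))
        exts += _der(0x30, _der(0x06, TLS_FEATURE_OID) + _der(0x04, features))
    exts += _der(0x30, _der(0x06, bytes.fromhex("551d13")) + _der(0x04, _der(0x30, b"")))
    return _der(0x30, exts)


if __name__ == "__main__":
    print(validate(build_extensions(True), b""))                  # rejected
    print(validate(build_extensions(True), b"\x30\x03\x0a\x01\x00"))  # ok
    print(validate(build_extensions(False), b""))                 # ok
```

In practice the extensions would be pulled from the real server certificate and the staple from the handshake (OpenSSL exposes the latter as the status_request response), but the decision logic is exactly the one above: an absent staple is only fatal when the certificate itself asks for one.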