[squid-users] Trust a particular CA only for a limited domain
rousskov at measurement-factory.com
Tue Jun 26 18:37:27 UTC 2018
On 06/26/2018 07:22 AM, Ahmad, Sarfaraz wrote:
> I need to provide access to my clients to a service on the internet that
> is using a private CA.
> I do not want to trust that CA outside the scope of that destination
> domain. (The thought is to not just blindly trust a random CA, rather
> if we have to, we limit it to the particular domain.)
> Can something like this be achieved without toying with the squid's code?
I believe this can be done with a sslcrtvalidator_program helper:
Alternatively, you may be able to block (wrong) responses signed by that
CA using an external ACL that is supplied %ssl::>cert_issuer and origin
The validator helper approach prevents untrusted HTTP messages from
reaching Squid, but the external ACL approach is easier to implement.
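As an added example (not code from this thread or from the Squid project), a minimal external ACL helper implementing the second approach: it answers OK, meaning "match", only when the private CA signed a certificate for a host outside the one domain it is trusted for, so a `http_reply_access deny` rule on that ACL blocks exactly the wrong responses. It assumes the external_acl_type line passes the server certificate's issuer DN followed by the destination host name, URL-encoded (Squid's default quoting); the issuer DN and domain below are constructed values, and the exact format codes should be checked against your Squid's squid.conf.documented.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: scope a private CA to one destination domain.

Assumed external_acl_type format (an assumption, check it against your
Squid version): issuer DN of the server certificate, then the destination
host name, both URL-encoded. Answer OK = match = block this response.
"""
import sys
from urllib.parse import unquote

# Issuer DN of the private CA as Squid prints it (constructed value).
PRIVATE_CA_ISSUER = "/C=US/O=Partner Inc/CN=Partner Private Root CA"
# The only domain (plus subdomains) allowed to present certs from that CA.
ALLOWED_DOMAIN = "service.partner.example"


def host_in_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    The match is on a label boundary, so "evilservice.partner.example" and
    "service.partner.example.attacker.test" are both rejected."""
    host = host.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def decide(issuer_dn: str, dest_host: str) -> str:
    """OK (match) when the private CA signed a cert for a host outside its
    domain; ERR (no match) otherwise. Other CAs are left to Squid's normal
    certificate verification and are never matched here."""
    if issuer_dn != PRIVATE_CA_ISSUER:
        return "ERR"
    return "ERR" if host_in_domain(dest_host, ALLOWED_DOMAIN) else "OK"


def handle_line(line: str) -> str:
    """Parse one space-separated, URL-encoded request line from Squid."""
    fields = line.split()
    if len(fields) < 2:          # malformed input: fail closed (deny)
        return "OK"
    issuer, host = (unquote(f) for f in fields[:2])
    return decide(issuer, host)


def main() -> None:
    for line in sys.stdin:       # one request per line, one answer per line
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()       # Squid blocks until the answer arrives


if __name__ == "__main__":
    main()
```

Wire it up with an `acl` of the external type and `http_reply_access deny <that acl>` placed before the rules that allow replies, so the check runs once the server certificate is known.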