[squid-users] Trust a particular CA only for a limited domain
Alex Rousskov
rousskov at measurement-factory.com
Tue Jun 26 18:37:27 UTC 2018
On 06/26/2018 07:22 AM, Ahmad, Sarfaraz wrote:
> I need to provide access to my clients to a service on the internet that
> is using a private CA.
>
> I do not want to trust that CA outside the scope of that destination
> domain. (The thought is to not just blindly trust a random CA, rather
> if we have to, we limit it to the particular domain.)
>
> Can something like this be achieved without toying with the squid’s code?
I believe this can be done with a sslcrtvalidator_program helper:
* http://www.squid-cache.org/Doc/config/sslcrtvalidator_program/
* https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
Alternatively, you may be able to block (wrong) responses signed by that
CA using an external ACL that is supplied %ssl::>cert_issuer and origin
domain information.
The validator helper approach prevents untrusted HTTP messages from
reaching Squid, but the external ACL approach is easier to implement.
HTH,
Alex.
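The external ACL approach from the reply above, as an added example that is not part of the original thread or of Squid itself. It is a small external ACL helper that allows a private CA only for the domains listed for it and returns ERR for any other host signed by that CA; issuers not in its policy get OK and are left to Squid's normal certificate validation. The issuer DN, the domain names and the squid.conf lines in the docstring are constructed for illustration; the example assumes the helper is declared with a format that passes the received server certificate's issuer followed by the destination host (in Squid's logformat codes the server-side issuer is %ssl::<cert_issuer, the > direction being the client's certificate), that Squid URL-encodes the fields (the default quote=url), and that the ACL is applied with http_reply_access, since the server certificate is only known once the response arrives.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that scopes a private CA to chosen domains.

Assumed squid.conf wiring (directive spelling depends on your Squid version):

  external_acl_type ca_scope ttl=60 negative_ttl=60 concurrency=10 \\
      %ssl::<cert_issuer %DST /usr/local/bin/ca_scope_helper.py --concurrent
  acl ca_in_scope external ca_scope
  http_reply_access deny !ca_in_scope

Reads one request per line from stdin and writes one OK/ERR reply per line.
"""
import sys
from urllib.parse import unquote

# Constructed policy (names are invented): issuer DN -> domains it may vouch for.
# Any issuer not listed here is not scoped by this helper and gets OK;
# Squid's normal certificate validation still applies to it.
SCOPED_ISSUERS = {
    "C=US, O=Example Corp, CN=Example Private Root CA": {"service.example.net"},
}


def parse_dn(dn):
    """Normalise an issuer DN into a frozenset of (attr, value) pairs.

    Accepts both the OpenSSL one-line form ("/C=US/O=Example Corp/CN=...")
    and the comma-separated form ("C=US, O=Example Corp, CN=...").
    """
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    pairs = set()
    for part in parts:
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        pairs.add((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


POLICY = {parse_dn(dn): domains for dn, domains in SCOPED_ISSUERS.items()}


def host_allowed(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(issuer, host):
    """Return True if the response may pass, False if it must be blocked."""
    scope = POLICY.get(parse_dn(issuer))
    if scope is None:
        return True  # not a scoped CA (public CA, or "-" with no cert)
    return host_allowed(host, scope)


def handle_line(line, concurrent=False):
    """Turn one Squid request line into the reply line Squid expects."""
    fields = line.split()
    channel = ""
    if concurrent and fields:
        channel = fields.pop(0) + " "  # echo the channel ID back to Squid
    if len(fields) < 2:
        return channel + "BH message=malformed-request"
    issuer, host = unquote(fields[0]), unquote(fields[1])
    if decide(issuer, host):
        return channel + "OK"
    return channel + "ERR message=issuer-not-trusted-for-this-host"


def main():
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        line = line.rstrip("\n")
        if not line:
            continue
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

For this to do anything, Squid itself must already trust the private CA for its outgoing TLS (for example via cafile= in tls_outgoing_options on Squid 4, or sslproxy_cafile on older releases); the helper then withdraws that trust everywhere except the listed domains. Because http_reply_access runs after the handshake and after the request has gone to the origin, the client's request data has already been sent by the time the response is blocked, which is the trade-off the reply above notes against the validator-helper approach.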