[squid-users] What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?
Alex Rousskov
rousskov at measurement-factory.com
Sun Jan 20 22:20:33 UTC 2019
On 1/20/19 3:02 PM, Eliezer Croitoru wrote:
> What's the best way to ban Let's encrypt based certificates? or
> whitelist a very narrow list of Root and Intermediates CA?
A requirement to ban all Let's Encrypt sites sounds invalid to me, but
you can use a certificate validator to do that. Same for whitelisting CAs.
The corresponding squid.conf directives are sslcrtvalidator_program and
sslcrtvalidator_children. For a rough description of the helper messages
format, please see "certificate validator" at
https://wiki.squid-cache.org/Features/AddonHelpers
Squid distribution also includes a minimal certificate validation
helper: security_fake_certverify.pl
> I was thinking about an external ACL helper
Some use cases can be addressed using %ssl::<cert_issuer, but it would
be difficult to supply the right info to the external ACL helper in
general because Squid lacks logformat %codes that relay all intermediate
certificates.
Alex.
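An added example, not from this thread and not Squid's own security_fake_certverify.pl, of how an sslcrtvalidator_program helper could enforce a narrow issuer allowlist on every certificate in the chain (cert_0, cert_1, ...). The request/response framing follows my reading of the AddonHelpers page linked above in non-concurrent mode; the issuer DNs are placeholders and extracting the issuer with the openssl CLI is an assumption.

```python
import re
import subprocess
import sys

# Constructed allowlist of issuer DNs (placeholders): every cert_N in the chain must match one.
ALLOWED_ISSUERS = {"CN=Example Root CA,O=Example Corp", "CN=Example Issuing CA,O=Example Corp"}

def parse_body(body):  # key=value lines; cert_N values are multi-line PEM blocks
    fields, key = {}, None
    for line in body.splitlines():
        in_pem = key is not None and key.startswith("cert_") and "END CERTIFICATE" not in fields[key]
        m = None if in_pem else re.match(r"^(\w+)=(.*)$", line)
        if m:
            key, fields[key] = m.group(1), m.group(2)
        elif key is not None:
            fields[key] += "\n" + line
    return fields

def issuer_of(pem):  # issuer DN of one PEM certificate via the openssl CLI (assumed installed)
    out = subprocess.run(["openssl", "x509", "-noout", "-issuer", "-nameopt", "RFC2253"],
                         input=pem.encode(), capture_output=True, check=True).stdout
    return out.decode().strip().removeprefix("issuer=")

def validate(fields, issuer_of=issuer_of):
    """Return (verdict, body); issuer_of is injectable so it can be stubbed without real certs."""
    certs = sorted((k for k in fields if re.fullmatch(r"cert_\d+", k)), key=lambda k: int(k[5:]))
    issuers = {k: issuer_of(fields[k]) for k in certs}
    bad = [(k, v) for k, v in issuers.items() if v not in ALLOWED_ISSUERS]
    lines = []
    for i, (k, v) in enumerate(bad):  # one numbered error triple per rejected certificate
        lines += [f"error_name_{i}=X509_V_ERR_CERT_UNTRUSTED",
                  f"error_reason_{i}=issuer not in allowlist: {v}", f"error_cert_{i}={k}"]
    return ("ERR", "\n".join(lines) + "\n") if bad else ("OK", "")

def encode_response(verdict, body):  # reply framing: 'VERDICT body-length body'
    return f"{verdict} {len(body.encode())} {body}"

def read_request(inp):  # 'cert_validate body-length body' (non-concurrent mode); None at EOF
    header = b""
    while header.count(b" ") < 2:
        c = inp.read(1)
        if not c:
            return None
        header += c
    return inp.read(int(header.split()[1])).decode()

if __name__ == "__main__":
    while (body := read_request(sys.stdin.buffer)) is not None:
        sys.stdout.write(encode_response(*validate(parse_body(body))))
        sys.stdout.flush()
```

Squid still performs its own chain verification first; this helper only adds the allowlist check on top, so an ERR here rejects a connection that OpenSSL would otherwise have accepted.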