[squid-users] What's the best way to ban Let's encrypt based certificates? or whitelist a very narrow list of Root and Intermediates CA?
Amos Jeffries
squid3 at treenet.co.nz
Mon Jan 21 09:46:50 UTC 2019
On 21/01/19 11:02 am, Eliezer Croitoru wrote:
> OK so from the real world:
>
> What's the best way to ban Let's encrypt based certificates? or
> whitelist a very narrow list of Root and Intermediates CA?
>
Besides what Alex has answered to your first question, I think the
simpler approach would be the second, and probably more what you need
anyway...
tls_outgoing_options default-ca=off cafile=X.pem cafile=Y.pem
That makes Squid outgoing connections *not* use the global Trusted CA
set. Then explicitly load the individual one(s) you *do* want to trust.
A whitelist - but only for the root / self-signed CA certs. Intermediary
CAs inherit their trust (or lack) from their root CA.
If intermediary CA trust matters to your situation then a custom
validator as mentioned by Alex would be necessary.
NP: You can list cafile=... as many times as you wish to load multiple
files, and you should be able to load multiple CA certs in any of the
file(s). But I have not confirmed the latter.
cache_peer has matching options with "tls-" prefix.
Amos
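An added example, not from Amos's message or from the Squid project: a small Python lint that checks a squid.conf fragment for the whitelist shape described above. It verifies that tls_outgoing_options actually turns the global Trusted CA set off (default-ca=off) before any cafile= is counted as a whitelist, collects every cafile= occurrence (the option may repeat), counts how many PEM certificate blocks each listed file carries, and applies the same checks to cache_peer lines using the tls- prefixed names tls-default-ca and tls-cafile. The function names, the sample config, the paths under /etc/squid/ca/ and the dummy PEM blobs are all constructed for this example; the PEM bodies are not real certificates.

```python
# Lint a squid.conf fragment for the "default-ca=off + cafile=" whitelist idiom.
# Example code written for this thread, not Squid's own tooling.
import re
import shlex
from pathlib import Path

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def count_pem_certs(pem_text):
    """Number of PEM certificate blocks in a bundle (Squid loads all of them)."""
    return len(PEM_CERT_RE.findall(pem_text))


def split_options(tokens):
    """['default-ca=off', 'cafile=X.pem'] -> [('default-ca','off'), ('cafile','X.pem')].
    A bare flag such as 'default-ca' yields value None (Squid reads it as 'on')."""
    result = []
    for tok in tokens:
        key, sep, val = tok.partition("=")
        result.append((key, val if sep else None))
    return result


def check_ca_whitelist(conf_text, files):
    """Inspect squid.conf text. `files` maps cafile paths to PEM contents
    (see load_files() for reading them from disk). Returns a findings dict."""
    findings = {"outgoing": None, "peers": {}, "warnings": []}

    def examine(scope, opts, flag_name, file_name):
        entry = {"default_ca_off": False, "cafiles": {}}
        for key, val in opts:
            if key == flag_name:
                entry["default_ca_off"] = (val == "off")
            elif key == file_name:
                pem = files.get(val)
                entry["cafiles"][val] = None if pem is None else count_pem_certs(pem)
        if entry["cafiles"] and not entry["default_ca_off"]:
            findings["warnings"].append(
                f"{scope}: {file_name} given but {flag_name}=off missing; "
                "the global Trusted CA set is still used, so this is not a whitelist")
        if entry["default_ca_off"] and not entry["cafiles"]:
            findings["warnings"].append(
                f"{scope}: {flag_name}=off with no {file_name}=; nothing will be trusted")
        for path, n in entry["cafiles"].items():
            if n is None:
                findings["warnings"].append(f"{scope}: {path} could not be read")
            elif n == 0:
                findings["warnings"].append(f"{scope}: {path} contains no PEM certificate")
        return entry

    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "tls_outgoing_options":
            findings["outgoing"] = examine(
                "tls_outgoing_options", split_options(tokens[1:]), "default-ca", "cafile")
        elif tokens[0] == "cache_peer" and len(tokens) >= 5:
            # cache_peer <host> <type> <http_port> <icp_port> [options...]
            host = tokens[1]
            findings["peers"][host] = examine(
                f"cache_peer {host}", split_options(tokens[5:]), "tls-default-ca", "tls-cafile")
    return findings


def load_files(paths):
    """Read each cafile from disk; a missing file maps to None."""
    out = {}
    for p in paths:
        try:
            out[p] = Path(p).read_text()
        except OSError:
            out[p] = None
    return out


# Constructed dummy PEM: only the BEGIN/END framing matters to the counter.
DUMMY_CERT = "-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n"

SAMPLE_FILES = {                                  # constructed, in-memory "files"
    "/etc/squid/ca/X.pem": DUMMY_CERT,            # one root CA
    "/etc/squid/ca/Y.pem": DUMMY_CERT * 2,        # two root CAs in one bundle
    "/etc/squid/ca/empty.pem": "# nothing here\n",
}

SAMPLE_CONF = """\
# constructed squid.conf fragment
tls_outgoing_options default-ca=off cafile=/etc/squid/ca/X.pem cafile=/etc/squid/ca/Y.pem
cache_peer parent.example.test parent 3128 0 no-query tls tls-default-ca=off tls-cafile=/etc/squid/ca/X.pem
cache_peer weak.example.test parent 3128 0 no-query tls tls-cafile=/etc/squid/ca/empty.pem
"""

if __name__ == "__main__":
    report = check_ca_whitelist(SAMPLE_CONF, SAMPLE_FILES)
    print("outgoing:", report["outgoing"])
    for host, entry in report["peers"].items():
        print("peer", host, entry)
    for w in report["warnings"]:
        print("WARNING:", w)
```

Against the constructed config the outgoing whitelist and the first peer pass, while the second peer is flagged twice: its tls-cafile= is listed without tls-default-ca=off, so the system CA set is still trusted, and the file it names holds no certificate. To lint a live host, replace SAMPLE_FILES with load_files() over the cafile paths found in the real squid.conf.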