[squid-users] how to configure squid to check server certificate?

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 5 07:55:13 UTC 2020


On 4/03/20 2:02 pm, GeorgeShen wrote:
>> There should not need to be anything configured though. Rejecting
>> unknown root CAs is how TLS is designed to work. With splice the error
>> should be produced by your UA/Browser.
> 
> Although the client I have has the root cert of that untrusted CA from
> server but getting the TLS handshaking error, it was not the client locally
> rejects that. Does that change anything regarding the splice operation does
> not need any configure for that operation (if it's a squid)?

Splice means Squid has decided to have no part in the TLS or any of the
traffic. It blindly relays the exact bytes between client and upstream
server.

If Squid is doing *anything* to alter those bytes it is not splicing. It
is performing one of: stare, bump, terminate, or client-first.


Amos
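
The distinction drawn in the reply above, as an added squid.conf example that is not part of the original post: a splice-only policy, with a bump policy shown commented out for contrast. The port, file paths and CA bundle name are assumptions; the directives are those of Squid 4 and later.

```conf
# Added example, not from the thread. Port and paths are placeholders.

# A TLS-intercepting port needs a CA certificate configured even if every
# connection ends up spliced.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem

# SslBump1 is the step at which only the TLS ClientHello (including SNI)
# has been seen.
acl step1 at_step SslBump1

# --- Policy A: peek, then splice -----------------------------------------
# Squid reads the ClientHello and then becomes a TCP tunnel. It relays the
# exact bytes in both directions, so the server certificate is checked by
# the client, and a handshake failure is reported by the client.
ssl_bump peek step1
ssl_bump splice all

# --- Policy B: bump (use instead of Policy A, not together with it) -------
# Squid terminates TLS on both sides. In this mode Squid itself validates
# the origin server certificate against its own trust store.
#
# ssl_bump peek step1
# ssl_bump bump all
#
# Trust anchors Squid uses for outgoing TLS (hypothetical bundle path):
# tls_outgoing_options cafile=/etc/squid/trusted-roots.pem
#
# Do not bypass certificate validation errors for any destination:
# sslproxy_cert_error deny all
```

After changing the policy, `squid -k parse` checks the configuration for syntax errors before a reload.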

