[squid-users] Squid and Certificates
Amos Jeffries
squid3 at treenet.co.nz
Wed Feb 23 08:57:14 UTC 2022
On 23/02/22 07:11, Garbacik, Joe wrote:
> When the squid proxy validates a certificate of a destination, does it
> cache that certificate's status for a period of time or does it validate
> the certificate each time? Would it log when it makes calls to a CRL or
> OCSP server to validate the certificate or is it just part of the
> process?
The answers to all of your questions depend on the library doing that validation.
AFAIK, Squid only performs AIA lookups to find missing chain
certificates. CRL/OCSP are part of the library's internal validation
process and may not involve server lookups at all.
> Also, does it support putting a CRL/OCSP data in the
> certificate provided to the client if doing SSL intercept?
>
The certificate sent to the client mimics the real server certificate
fields when available. It is an intentional security design *not* to
inject details, not even to fix brokenness.
The SSL-Bump signing cert is used as-is for the chain. You can place any
valid certificate fields you want when it is created.
Amos
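As an added illustration of the "mimic, don't inject" design Amos describes, the following script is not code from this thread, from Squid, or from Squid's certificate generator. It uses plain openssl to build a toy origin certificate that carries CRL and OCSP pointers, then a "bumped" certificate signed by a proxy CA that copies the subject and SAN of the real one but adds no revocation fields, and checks what each certificate advertises. It assumes OpenSSL 1.1.1 or later on PATH; the hostname, CA names and URLs are made up for the example.

```bash
#!/usr/bin/env bash
# Added example, not Squid code: reproduce the SSL-Bump "mimic, don't inject"
# behaviour with plain openssl. A toy origin certificate carries CRL and OCSP
# pointers; the "bumped" certificate copies its subject and SAN but gets no
# revocation pointers, so a client inspecting the bumped chain sees none.
# Assumes openssl >= 1.1.1 on PATH. All names and URLs below are constructed.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ORIGIN_CN=www.example.test   # constructed hostname shared by both leaf certs

# Create a self-signed CA named $1 (key + cert) under $WORK. Chain validity is
# not exercised here, so no CA extensions are forced onto it.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" 2>/dev/null
}

# Issue leaf $1 for $ORIGIN_CN, signed by CA $2, with the x509v3 extensions in file $3.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$ORIGIN_CN" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 1 \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

# Exit 0 if the PEM certificate $1 advertises a CRL distribution point or an OCSP responder.
has_revocation_pointers() {
    openssl x509 -in "$1" -noout -text | grep -Eq 'CRL Distribution Points|OCSP - URI'
}

# Print how many CRL/OCSP URIs the PEM certificate $1 advertises (0 if none).
revocation_uri_count() {
    openssl x509 -in "$1" -noout -text | grep -c 'URI:' || true
}

# Build the toy "real" certificate: issued by a public-style CA, with revocation pointers.
build_origin_cert() {
    make_ca origin-ca
    cat > "$WORK/origin.ext" <<EOF
subjectAltName=DNS:$ORIGIN_CN
crlDistributionPoints=URI:http://crl.example.test/origin.crl
authorityInfoAccess=OCSP;URI:http://ocsp.example.test/
EOF
    issue_leaf origin origin-ca "$WORK/origin.ext"
}

# Build the bumped certificate: copy the SAN from the real one, sign with the
# proxy's own CA, and deliberately add no CRL/OCSP fields. Pointers copied from
# the origin would name responders that know nothing about this key.
build_mimic_cert() {
    local san
    make_ca squid-bump-ca
    san=$(openssl x509 -in "$WORK/origin.crt" -noout -text \
            | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
    printf 'subjectAltName=%s\n' "$san" > "$WORK/mimic.ext"
    issue_leaf mimic squid-bump-ca "$WORK/mimic.ext"
}

build_origin_cert
build_mimic_cert
for c in origin mimic; do
    printf '%-6s %s\n' "$c" "$(openssl x509 -in "$WORK/$c.crt" -noout -issuer)"
    if has_revocation_pointers "$WORK/$c.crt"; then
        echo "       advertises $(revocation_uri_count "$WORK/$c.crt") CRL/OCSP URI(s)"
    else
        echo "       advertises no CRL/OCSP URIs: the client cannot query revocation for it"
    fi
done
```

The same `has_revocation_pointers` check can be pointed at a certificate captured from a bumped client connection to confirm what the client actually receives. The practical consequence, consistent with the reply above, is that revocation checking of the real server certificate has to happen on the proxy's outgoing side, inside the TLS library Squid links against, because the client never sees the origin's CRL or OCSP pointers.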