[squid-users] Trying to set up SSL cache - solved!

Dave Blanchard dave at killthe.net
Thu Feb 24 19:38:56 UTC 2022


On Thu, 24 Feb 2022 14:22:25 -0500
Alex Rousskov <rousskov at measurement-factory.com> wrote:

> [...]
>
> action is supposed to be doing. Legacy actions mentioned there, 
> including client-first, should be treated as unsupported, having unknown 
> side effects, and meant to be removed from Squid (yesterday). YMMV.

What is the replacement for client-first? That line is the only way I could get this thing working right. I think the first working config was with server-first instead, but IIRC it was still passing through the server certificate somehow rather than using the locally generated certificate. Only with client-first did it have the desired effect. Maybe I need to set generate-host-certificates to 'off.'

I prefer to handle the certificate validation externally via a different means, i.e. not using the browser or Squid, because neither the browser nor the certificate authority is trustworthy. The 'chain of trust' argument for SSL is total bunk; none of these people can actually be trusted. If the certificate is automatically checked for validity every time one visits a site, then the shadowy people running the certificate authority can effectively track one's every move on the internet, and of course that data will be sold or given away to other shadowy people. Needless to say, censoring some inconvenient web site would be as simple as them revoking or invalidating the site's certificate, especially with the browser so "helpfully" refusing to allow one to bypass the revoked/invalid certificate.

-- 
Dave Blanchard <dave at killthe.net>
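For readers landing on this thread with the same question: the legacy `client-first`/`server-first` actions were superseded by the step-wise `peek`/`stare`/`splice`/`bump` framework. The fragment below is an added example, not a configuration posted in this thread, showing a squid.conf that reads the client's SNI first, still validates the origin server's certificate, and serves the client a locally generated certificate from the configured CA; the port, CA file paths, helper path and cache sizes are assumptions for illustration.

```conf
# Added example (not from the thread): modern replacement for
# "ssl_bump client-first". Port, file paths and sizes are assumed values.
http_port 3128 ssl-bump \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/ssl/myCA.pem tls-key=/etc/squid/ssl/myCA.key

# Helper that mints and caches the locally signed (mimicked) certificates.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: look at the client's TLS ClientHello (SNI) without touching the server.
ssl_bump peek step1
# Step 2: connect to the origin and inspect (and validate) its real certificate.
ssl_bump stare step2
# Step 3: bump; the client receives a certificate generated from the CA above,
# never the origin server's own certificate.
ssl_bump bump all
```

Bumping directly at step 1 (`ssl_bump bump step1` after the peek) reproduces the old client-first behaviour, where Squid never sees the server certificate before answering the client; staring at step 2 first keeps server-side validation in place.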