[squid-dev] [PATCH] Errors served using invalid certificates when dealing with SSL server errors.

Tsantilas Christos chtsanti at users.sourceforge.net
Tue Jul 7 16:28:39 UTC 2015


Hi all,

When bumping Squid needs to send a Squid-generated error "page" over a 
secure connection, Squid needs to generate a certificate for that 
connection. Prior to these changes, several scenarios could lead to 
Squid generating a certificate that clients could not validate. In those 
cases, the user would get a cryptic and misleading browser error instead 
of a Squid-generated error page with useful details about the problem.

One example is a server certificate that is rejected by the certificate 
validation helper. Squid no longer uses the CN from that certificate to 
generate a fake certificate.

Another example is a user accessing an origin server using one of its 
"alternative names" and getting a Squid-generated certificate containing 
just the server common name (CN).

These changes make sure that the certificate for error pages is generated 
using SNI (when peeking or staring, if available) or the CONNECT host name 
(including server-first bumping mode). We now update the 
ConnStateData::sslCommonName field (used as the CN field for generated 
certificates) only _after_ the server certificate is successfully validated.

This is a Measurement Factory project.
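As an added illustration (not Squid's code and not taken from the attached patch), the following Python model encodes the naming policy the message describes and pairs it with a browser-style hostname check, so the two failure scenarios above (rejected origin certificate, client using an alternative name) can be compared before and after the fix. All hostnames and certificates are constructed examples.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class FakeCert:
    """Minimal model of a certificate: its CN and its dNSName SANs."""
    cn: str
    sans: List[str] = field(default_factory=list)

def client_hostname_check(cert: FakeCert, host: str) -> bool:
    """What a browser does: match host against SANs (wildcard only in the
    leftmost label); fall back to the CN only when the cert has no SANs."""
    host = host.lower().rstrip(".")
    names = [n.lower() for n in cert.sans] or [cert.cn.lower()]
    for name in names:
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False

def error_page_cert(sni: Optional[str], connect_host: str,
                    origin_cert: FakeCert, fixed: bool) -> FakeCert:
    """Name used for the certificate that carries a Squid error page.
    fixed=False models the pre-patch behaviour: reuse the origin server's
    CN even though its certificate was rejected, and even when the client
    asked for an alternative name. fixed=True models the patch: the SNI
    when one was seen, otherwise the CONNECT host name."""
    if not fixed:
        return FakeCert(origin_cert.cn)
    return FakeCert(sni or connect_host)

def error_page_reaches_user(client_host: str, sni: Optional[str],
                            connect_host: str, origin_cert: FakeCert,
                            fixed: bool) -> bool:
    """True when the client validates the generated certificate, i.e. it
    sees Squid's error page instead of a cryptic browser certificate error."""
    generated = error_page_cert(sni, connect_host, origin_cert, fixed)
    return client_hostname_check(generated, client_host)

# Constructed scenarios (hypothetical, not from the patch):
# 1. origin certificate rejected by the validator, CN unrelated to the host
REJECTED = FakeCert("bogus.example.net")
# 2. client uses an alternative name; the origin CN is only the "www" name
ALT_NAME = FakeCert("www.example.com", ["www.example.com", "example.com"])
```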
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Invalid-Certificate-on-Blocked-SSL-Errors-trunk-t2.patch
Type: text/x-patch
Size: 6675 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150707/3d44489b/attachment.bin>

