From michal at rybarik.sk Tue Sep 16 13:49:09 2025
From: michal at rybarik.sk (Michal Rybarik)
Date: Tue, 16 Sep 2025 15:49:09 +0200
Subject: [squid-dev] Patches for dynamic SSL certificate generation
Message-ID:

Dear Squid developers,

thank you for all your effort and work on Squid.

I've created several patches to improve dynamic SSL certificate
generation for modern browser compatibility. The patches are for Squid
4, but most should also apply to Squid 5 and 6. Would you be interested
in reviewing and possibly merging them (with adjustments if needed)?

Main improvements:

- Correct generation of certificates mimicked from self-signed certs
  (use |CA:FALSE| instead of |CA:TRUE|).
- Add SAN when missing (derived from CN), as modern browsers require SAN.
- Proper generation of certificates for IP addresses.
- Improved setCommonName functionality, so valid certificates for DNS/IP
  are generated in intercept/tproxy modes too.

Thank you again, and I wish you all the best.

--
Regards,
Michal Rybarik

From squid3 at treenet.co.nz Wed Sep 17 10:35:57 2025
From: squid3 at treenet.co.nz (Amos Jeffries)
Date: Wed, 17 Sep 2025 22:35:57 +1200
Subject: [squid-dev] Patches for dynamic SSL certificate generation
In-Reply-To:
References:
Message-ID: <37c98a62-67c3-4c52-a7c7-647b61229597@treenet.co.nz>

Hi Michal,

Thank you for the interest in improving Squid.

Please be aware that we are already up to working on Squid version 8,
and are not supporting versions older than v7.

If possible, please submit as a github pull request against the "master"
branch at .

Otherwise, older patches may still be of interest to our downstream
vendors. Please feel free to post them here as attachments that others
can pick up. In this case, ensure each patch adds your name+email to the
CONTRIBUTORS file.

Amos Jeffries
The Squid Software Foundation

On 17/09/25 01:49, Michal Rybarik wrote:
> Dear Squid developers,
>
> thank you for all your effort and work on Squid.
>
> I've created several patches to improve dynamic SSL certificate
> generation for modern browser compatibility. The patches are for Squid
> 4, but most should also apply to Squid 5 and 6. Would you be interested
> in reviewing and possibly merging them (with adjustments if needed)?
>
> Main improvements:
>
> - Correct generation of certificates mimicked from self-signed certs
> (use |CA:FALSE| instead of |CA:TRUE|).
> - Add SAN when missing (derived from CN), as modern browsers require SAN.
> - Proper generation of certificates for IP addresses.
> - Improved setCommonName functionality, so valid certificates for DNS/IP
> are generated in intercept/tproxy modes too.
>
> Thank you again, and I wish you all the best.
>
> --
> Regards,
> Michal Rybarik

From rousskov at measurement-factory.com Wed Sep 17 14:12:08 2025
From: rousskov at measurement-factory.com (Alex Rousskov)
Date: Wed, 17 Sep 2025 10:12:08 -0400
Subject: [squid-dev] Patches for dynamic SSL certificate generation
In-Reply-To:
References:
Message-ID: <2addb639-0a32-49eb-8b04-9ed33420188f@measurement-factory.com>

On 2025-09-16 09:49, Michal Rybarik wrote:
> I've created several patches to improve dynamic SSL certificate
> generation for modern browser compatibility. The patches are for Squid
> 4, but most should also apply to Squid 5 and 6. Would you be interested
> in reviewing and possibly merging them (with adjustments if needed)?

Yes, especially if they are posted as well-tested minimal pull requests
(i.e. one change/feature per PR) against the current master branch on
GitHub.

Some of the changes you mentioned may have been implemented recently
(e.g., commit 22b2a7a0 deals with IP-based SANs).

For general notes about Squid pull requests, please see
https://wiki.squid-cache.org/MergeProcedure#pull-request

Thank you,

Alex.

> Main improvements:
>
> - Correct generation of certificates mimicked from self-signed certs
> (use |CA:FALSE| instead of |CA:TRUE|).
> - Add SAN when missing (derived from CN), as modern browsers require SAN.
> - Proper generation of certificates for IP addresses.
> - Improved setCommonName functionality, so valid certificates for DNS/IP
> are generated in intercept/tproxy modes too.
>
> Thank you again, and I wish you all the best.
>
> --
> Regards,
> Michal Rybarik
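
Editor's added example, not part of the thread and not code from Squid or from the patches (which are not posted here): one way to derive a SAN from a CN and keep a generated leaf at CA:FALSE, as the list in the first message describes. The function names are hypothetical, and the output strings use OpenSSL's extension-config syntax.

```cpp
#include <arpa/inet.h>    // inet_pton (POSIX)
#include <netinet/in.h>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (added example, not Squid code): SAN value derived from
// a CN when the mimicked certificate has no SAN. Returns "" if unusable.
std::string sanFromCommonName(std::string cn)
{
    // Intercepted destinations may be written as bracketed IPv6 literals.
    if (cn.size() > 2 && cn.front() == '[' && cn.back() == ']')
        cn = cn.substr(1, cn.size() - 2);

    unsigned char buf[sizeof(in6_addr)];
    if (inet_pton(AF_INET, cn.c_str(), buf) == 1 ||
        inet_pton(AF_INET6, cn.c_str(), buf) == 1)
        return "IP:" + cn; // an address belongs in an iPAddress entry, not dNSName

    // Accept only DNS-name characters: a comma or space in the CN would
    // otherwise add unintended entries to the OpenSSL value string.
    if (cn.empty() || cn.size() > 253)
        return "";
    for (unsigned char c : cn)
        if (!(std::isalnum(c) || c == '-' || c == '.' || c == '*' || c == '_'))
            return "";
    return "DNS:" + cn;
}

// Hypothetical helper: extension lines for a generated leaf certificate.
// originSan is the SAN value copied from the origin certificate, if it had one.
std::vector<std::string> leafExtensions(const std::string &cn, const std::string &originSan)
{
    std::vector<std::string> ext;
    // The leaf stays CA:FALSE even when the mimicked original was self-signed.
    ext.push_back("basicConstraints=CA:FALSE");
    const std::string san = originSan.empty() ? sanFromCommonName(cn) : originSan;
    if (!san.empty())
        ext.push_back("subjectAltName=" + san);
    return ext;
}

int main()
{
    // Constructed sample CNs (documentation address ranges and names).
    for (const char *cn : {"www.example.com", "192.0.2.10", "[2001:db8::1]", "bad name"})
        for (const auto &line : leafExtensions(cn, ""))
            std::cout << cn << " -> " << line << "\n";
}
```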