[squid-dev] Patches for dynamic SSL certificate generation

Michal Rybarik michal at rybarik.sk
Tue Sep 16 13:49:09 UTC 2025


Dear Squid developers,

thank you for all your effort and work on Squid.

I’ve created several patches to improve dynamic SSL certificate 
generation for modern browser compatibility. The patches are for Squid 
4, but most should also apply to Squid 5 and 6. Would you be interested 
in reviewing and possibly merging them (with adjustments if needed)?

Main improvements:

- Correct generation of certificates mimicked from self-signed certs 
(use |CA:FALSE| instead of |CA:TRUE|).
- Add SAN when missing (derived from CN), as modern browsers require SAN.
- Proper generation of certificates for IP addresses.
- Improved setCommonName functionality, so valid certificates for DNS/IP 
are generated in intercept/tproxy modes too.

Thank you again, and I wish you all the best.

-- 
Regards,
Michal Rybarik
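
An added example, not taken from the patches (which are not shown on this page) and not Squid code: one way to derive the extension lines for a generated leaf certificate along the lines the message lists, always `CA:FALSE`, with a typed SAN built from the CN when the origin certificate has none. The function names, the OpenSSL-config-style output and the rule that a CN which is neither an IP literal nor a hostname yields no SAN are assumptions of this sketch.

```cpp
#include <arpa/inet.h>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hostname check: LDH labels, optional leading "*.", last label not all digits.
static bool looksLikeDnsName(std::string s) {
    if (s.rfind("*.", 0) == 0) s.erase(0, 2);
    if (s.empty() || s.size() > 253) return false;
    size_t len = 0;
    bool alpha = false;
    char prev = '.';
    for (char c : s) {
        if (c == '.') {
            if (len == 0 || prev == '-') return false;
            len = 0;
            alpha = false;
        } else {
            if (!std::isalnum(static_cast<unsigned char>(c)) && c != '-') return false;
            if ((len == 0 && c == '-') || ++len > 63) return false;
            if (!std::isdigit(static_cast<unsigned char>(c))) alpha = true;
        }
        prev = c;
    }
    return len > 0 && prev != '-' && alpha;
}

// SAN entry for a CN: "IP:..." for address literals, "DNS:..." for hostnames, else "".
std::string sanFromCommonName(const std::string &cn) {
    unsigned char buf[sizeof(struct in6_addr)];
    std::string host = cn;
    if (cn.size() > 2 && cn.front() == '[' && cn.back() == ']')
        host = cn.substr(1, cn.size() - 2);  // bracketed IPv6 literal
    if (inet_pton(AF_INET6, host.c_str(), buf) == 1) return "IP:" + host;
    if (inet_pton(AF_INET, cn.c_str(), buf) == 1) return "IP:" + cn;
    return looksLikeDnsName(cn) ? "DNS:" + cn : "";
}

// Leaf extensions: never CA:TRUE; keep the origin SAN, else derive one from the CN.
std::vector<std::string> leafExtensions(const std::string &cn, const std::string &originSan) {
    std::vector<std::string> ext{"basicConstraints = CA:FALSE"};
    std::string san = originSan.empty() ? sanFromCommonName(cn) : originSan;
    if (!san.empty()) ext.push_back("subjectAltName = " + san);
    return ext;
}

int main() {  // constructed sample input
    for (const auto &l : leafExtensions("192.0.2.10", "")) std::cout << l << "\n";
}
```

An address in the CN has to end up as an `IP:` entry rather than a `DNS:` one, because browsers match IP literals only against iPAddress SAN entries.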