[squid-dev] Patches for dynamic SSL certificate generation
Amos Jeffries
squid3 at treenet.co.nz
Wed Sep 17 10:35:57 UTC 2025
Hi Michal,
Thank you for the interest in improving Squid.
Please be aware that we are already up to working on Squid version 8,
and are not supporting versions older than v7.
If possible, please submit as a github pull request against the "master"
branch at <https://github.com/squid-cache/squid>.
Otherwise, older patches may still be of interest to our downstream
vendors. Please feel free to post them here as attachments that others
can pick up. In this case, ensure each patch adds your name+email to the
CONTRIBUTORS file.
Amos Jeffries
The Squid Software Foundation
On 17/09/25 01:49, Michal Rybarik wrote:
> Dear Squid developers,
>
> thank you for all your effort and work on Squid.
>
> I’ve created several patches to improve dynamic SSL certificate
> generation for modern browser compatibility. The patches are for Squid
> 4, but most should also apply to Squid 5 and 6. Would you be interested
> in reviewing and possibly merging them (with adjustments if needed)?
>
> Main improvements:
>
> - Correct generation of certificates mimicked from self-signed certs
> (use |CA:FALSE| instead of |CA:TRUE|).
> - Add SAN when missing (derived from CN), as modern browsers require SAN.
> - Proper generation of certificates for IP addresses.
> - Improved setCommonName functionality, so valid certificates for DNS/IP
> are generated in intercept/tproxy modes too.
>
> Thank you again, and I wish you all the best.
>
> --
> Regards,
> Michal Rybarik
>
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-dev
More information about the squid-dev
mailing list