[squid-dev] Patches for dynamic SSL certificate generation
Alex Rousskov
rousskov at measurement-factory.com
Wed Sep 17 14:12:08 UTC 2025

On 2025-09-16 09:49, Michal Rybarik wrote:
> I’ve created several patches to improve dynamic SSL certificate
> generation for modern browser compatibility. The patches are for Squid
> 4, but most should also apply to Squid 5 and 6. Would you be interested
> in reviewing and possibly merging them (with adjustments if needed)?

Yes, especially if they are posted as well-tested minimal pull requests
(i.e. one change/feature per PR) against the current master branch on
GitHub. Some of the changes you mentioned may have been implemented
recently (e.g., commit 22b2a7a0 deals with IP-based SANs).

For general notes about Squid pull requests, please see
https://wiki.squid-cache.org/MergeProcedure#pull-request

Thank you,
Alex.

> Main improvements:
>
> - Correct generation of certificates mimicked from self-signed certs
> (use CA:FALSE instead of CA:TRUE).
> - Add SAN when missing (derived from CN), as modern browsers require SAN.
> - Proper generation of certificates for IP addresses.
> - Improved setCommonName functionality, so valid certificates for DNS/IP
> are generated in intercept/tproxy modes too.
>
> Thank you again, and I wish you all the best.
>
> --
> Regards,
> Michal Rybarik
>
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-dev
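
The certificate properties listed in the quoted message (CA:FALSE on a generated leaf, a SAN derived from the CN when none is present, and IP addresses emitted as IP-type SAN entries), as an added Python sketch that is not Squid code and is not taken from the patches. The function names and the OpenSSL-style extension strings returned are assumptions made for illustration, and the sample names are constructed.

```python
import ipaddress


def san_entry_for(common_name):
    """Derive one OpenSSL-style SAN entry from a certificate CN (hypothetical helper).

    An IP literal becomes an "IP:" entry, because clients match an address
    only against iPAddress SAN entries, never against a dNSName entry.
    """
    name = common_name.strip()
    if not name:
        raise ValueError("empty CN: nothing to derive a SAN from")
    # An intercepted destination may be written as a bracketed IPv6 literal.
    candidate = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    try:
        return "IP:" + str(ipaddress.ip_address(candidate))
    except ValueError:
        # Not an address: treat as a host name (DNS names are case-insensitive).
        return "DNS:" + name.lower()


def leaf_extensions(common_name, existing_san=None):
    """Extension lines for a generated leaf certificate (hypothetical helper).

    existing_san: SAN entries already present on the certificate being
    mimicked; they are kept as-is, and a SAN is derived from the CN only
    when that list is missing or empty.
    """
    san = list(existing_san) if existing_san else [san_entry_for(common_name)]
    return [
        # A mimicked self-signed certificate must not carry over CA:TRUE.
        "basicConstraints = critical,CA:FALSE",
        "subjectAltName = " + ",".join(san),
    ]


if __name__ == "__main__":
    # Constructed sample CNs: host name, IPv4 literal, bracketed IPv6 literal.
    for cn in ("Proxy.Example.com", "192.0.2.10", "[2001:DB8::1]"):
        print(cn)
        for line in leaf_extensions(cn):
            print("   ", line)
```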