[squid-users] How to have squid as safe as (e.g.) firefox?

Alex Rousskov rousskov at measurement-factory.com
Thu Aug 20 00:02:54 UTC 2015


On 08/19/2015 09:43 AM, Jeremie Rafin wrote:

> # Non bumped list (only spliced): wellsfargo
> acl splicelist ssl::server_name .wellsfargo.com
> 
> # SSL configuration
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1 all
> ssl_bump splice step2 splicelist
> ssl_bump bump all


> With this config file, https://revoked.grc.com/ is not rejected.

On my test machine, "openssl verify -crl_check ..." does not reject that
site's certificate either unless I manually download and set up the
corresponding CRL. You should not expect much more vigilance from a
stock Squid installation than you get from OpenSSL on the same box:
Squid uses OpenSSL for certificate validation.

Firefox does reject that URL with sec_error_revoked_certificate. This
means that Firefox's CRL list maintenance is "better" than that of a stock
OpenSSL installation [on Ubuntu 14.04.3 LTS].

You might also find Squid's http_port crlfile option and the following
answer useful:
http://askubuntu.com/questions/448876/how-do-i-install-an-openssl-crl-file


HTH,

Alex.
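As an added illustration of the point made in the reply above (this script is not part of the thread and is not Squid or OpenSSL project code), the following builds a throwaway CA with constructed names, issues and revokes a leaf certificate, and shows that `openssl verify` accepts the revoked leaf until the matching CRL is handed to it with `-crl_check` and `-CRLfile`. It assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): why "openssl verify"
# accepts a revoked leaf until the matching CRL is supplied. Builds a
# throwaway CA, issues a leaf, revokes it, writes the CRL, verifies both ways.
# "Lab Root CA" and "revoked.example.test" are made-up names.
set -eu

build_lab() {
  LAB=$(mktemp -d)
  cd "$LAB"
  mkdir -p ca/newcerts                 # minimal "openssl ca" database
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = lab_policy
[ lab_policy ]
commonName       = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=revoked.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key \
    -in leaf.csr -out leaf.pem >/dev/null 2>&1
  # Revoke the leaf and publish the CRL: this is the "download and set up
  # the CRL" step that a stock install never performs for a public site.
  openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke leaf.pem 2>/dev/null
  openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem 2>/dev/null
}

# Exit status 0 means the certificate was accepted.
verify_without_crl() { openssl verify -CAfile "$LAB/ca.pem" "$LAB/leaf.pem" >/dev/null 2>&1; }
verify_with_crl()    { openssl verify -crl_check -CAfile "$LAB/ca.pem" \
                         -CRLfile "$LAB/crl.pem" "$LAB/leaf.pem" >/dev/null 2>&1; }

build_lab
verify_without_crl && echo "no CRL:   accepted (revocation is invisible)"
verify_with_crl    || echo "with CRL: rejected (certificate revoked)"
```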
