[squid-users] Alert unknown CA

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 4 15:39:04 UTC 2015


On 4/02/2015 7:32 p.m., Jason Haar wrote:
> On 04/02/15 18:47, Daniel Greenwald wrote:
>> And happens to be one that squid desperately needs to remain in order
>> to continue ssl bumping..
> ...and is one that diminishes in value as cert pinning becomes more
> popular...
> 
> It's a tough life: on the one hand we want to do TLS intercept in order
> to do content filtering of HTTPS (because the bad guys are deliberately
> putting more and more malware onto HTTPS websites), and yet on the other
> hand we all want some things to be private.
> 
> Bring back RFC3514, then all of this would be easy!!!
> 

While Squid is not able to be section-3 compliant due to lack of a
portable system API, by building with --disable-http-violations it
becomes mostly compliant with section-4 under its role as a network
protection gateway. ;-P

Amos


