[squid-users] ssl-bump doesn't like valid web server
Amos Jeffries
squid3 at treenet.co.nz
Thu Jan 22 08:14:10 UTC 2015
On 22/01/2015 8:20 p.m., Steve Hill wrote:
> On 21/01/15 18:39, Eliezer Croitoru wrote:
>
>>> but not using ssl_crtd
>> What are you using if not ssl_crtd?
>
> Squid generates the certificates internally if ssl_crtd isn't
> turned on at compile time. I've not seen any information
> explaining the pros and cons of each approach (I'd welcome any
> input!).
>

Squid only *generates* server certificates using that helper. If you
are seeing the log lines "Generating SSL certificate" they are
incorrect when not using the helper.

The non-helper bumping is limited to using the configured http(s)_port
cert= and key= contents. In essence only doing client-first or
peek+splice SSL-bumping styles.

Amos