[squid-users] after changed from 3.4.13 to 3.5.8 sslbump doesn't work for the site https://banking.postbank.de/

Amos Jeffries squid3 at treenet.co.nz
Fri Oct 2 08:38:30 UTC 2015


On 2/10/2015 7:58 p.m., Jason Haar wrote:
> Just a reminder people, but you've gone off-topic. The postbank.de
> website issue has NOTHING to do with pinning.
> 
> Someone mentioned earlier it's due to the HTTPS cert not having a
> complete cert-chain, and that web browsers auto-correct that situation,
> but squid does not. So I would say either squid should:
> 
> 1. implement the same sort of auto-correction code (say) Firefox does
> (which I bet is a lot of work), or
> 2. flick into splice-mode when there's a cert error (which could be as
> much work - I dunno)
> 
> I use external_acl_type to call an external script that tries to achieve
> that. Basically it manually downloads the homepage to get the cert,
> checks if it's valid against the OS CA list and if not, returns ERR so
> that squid splices the connection instead of bump-ing it. Means the
> entire connection blocks of course the first time this occurs, but after
> that caches it and it mostly works.

I'm not sure but a custom certificate validator helper can probably do
all this better. An example helper in Perl can be found at
helpers/ssl/cert_valid.pl

Amos
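
The external ACL approach described in the quoted message, sketched as an added example that is not part of the original thread and is not the script either poster uses. It assumes Squid passes one destination hostname per line with helper concurrency disabled; `CACHE_TTL`, `chain_validates`, `verdict` and `handle_line` are hypothetical names. Python's `ssl` module does not fetch missing intermediates, so a server with an incomplete chain fails verification here just as it does in Squid.

```python
#!/usr/bin/env python3
import socket
import ssl
import sys
import time

CACHE_TTL = 3600   # seconds a verdict is reused (assumed value)
_cache = {}        # host -> (verdict, expiry time)


def chain_validates(host, port=443, timeout=5.0):
    """Return True if the chain the server presents verifies against the OS CA store."""
    ctx = ssl.create_default_context()   # system CAs, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False                     # untrusted, expired, mismatched or incomplete chain


def verdict(host, probe=chain_validates, now=time.time):
    """OK = certificate verifies (safe to bump); ERR = let Squid splice instead."""
    hit = _cache.get(host)
    if hit and hit[1] > now():
        return hit[0]                    # only the first lookup blocks on the probe
    try:
        result = "OK" if probe(host) else "ERR"
    except OSError:
        return "ERR"                     # unreachable or timed out: do not bump, do not cache
    _cache[host] = (result, now() + CACHE_TTL)
    return result


def handle_line(line, probe=chain_validates):
    """Turn one helper request line into the reply written back to Squid."""
    fields = line.split()
    return verdict(fields[0].lower(), probe) if fields else "ERR"


def main():
    for line in sys.stdin:
        # Squid waits for exactly one reply line per request, so flush each time.
        print(handle_line(line), flush=True)


if __name__ == "__main__":
    main()
```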


