[squid-users] Ssl-Bump and revoked server certificates

Walter H. Walter.H at mathemainzel.info
Mon Oct 5 03:52:11 UTC 2015


On 04.10.2015 21:08, Walter H. wrote:
> Hello,
>
> Does anybody know if Squid does certificate checks, and how to tell 
> Squid to do so?
>
> this is a site with a revoked certificate
> https://revoked.grc.com/
>
> without squid, the browser shows that the certificate is revoked and 
> doesn't show the page
> with squid, the page is shown ...
>
> Thanks,
> Walter 

These are my sslproxy_* lines in squid.conf:

# Cipher list Squid offers to origin servers (a single line in squid.conf).
sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DES:!SSLv2:+SSLv3:+3DES:!RC4:!MD5:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:!IDEA

# Protocol options and the CA bundle used to verify server certificates.
sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.trust.crt

# ssl_error ACLs match the X509_V_ERR_* codes OpenSSL reports while Squid
# verifies the origin server's certificate.
acl ssl_expired_cert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl ssl_revoked_cert ssl_error X509_V_ERR_CERT_REVOKED

# Access lists are evaluated top to bottom; the first matching line wins.
sslproxy_cert_error deny ssl_expired_cert   <-- must these be 'allow'?
sslproxy_cert_error deny ssl_revoked_cert
sslproxy_cert_sign signUntrusted ssl_revoked_cert   <-- how should I recognize if this won?
sslproxy_cert_sign signUntrusted ssl_expired_cert
sslproxy_cert_error deny all

and that doesn't work
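Added example, not from the original post and not Squid's own code: the ssl_error ACL above can only match errors that OpenSSL actually raises while Squid verifies the server certificate, and OpenSSL raises X509_V_ERR_CERT_REVOKED (error 23) only when it has revocation data (a CRL) loaded and CRL checking switched on; a plain chain validation accepts a revoked certificate without complaint. The script below reproduces that with the openssl command line, building a throwaway CA, a leaf certificate and a CRL entirely offline. The names (Demo Test CA, revoked.example.test) are made up, and it assumes an openssl binary (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: show that OpenSSL only reports
# X509_V_ERR_CERT_REVOKED (error 23) when it is handed a CRL and told to
# check it. A throwaway CA, leaf certificate and CRL are generated below;
# the CA and host names are invented. Assumes openssl 1.1.1 or 3.x on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the test PKI once: CA, leaf signed by the CA, leaf revoked, CRL issued.
setup_pki() {
  [ -f "$WORK/ca.crl" ] && return 0
  cd "$WORK"
  mkdir -p ca/newcerts
  : > ca/index.txt          # empty certificate database for "openssl ca"
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca/openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_pol
x509_extensions  = leaf_ext
[ any_pol ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed CA certificate and key (cRLSign so the CRL verifies).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Test CA" \
    -config ca/openssl.cnf -extensions ca_ext \
    -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1
  # Leaf key and CSR, then sign the CSR with the CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=revoked.example.test" \
    -config ca/openssl.cnf -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl ca -batch -notext -config ca/openssl.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1
  # Revoke the leaf and publish a CRL that lists it.
  openssl ca -batch -config ca/openssl.cnf -revoke leaf.crt >/dev/null 2>&1
  openssl ca -batch -config ca/openssl.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Run "openssl verify" on the leaf with the given extra arguments and print
# the verdict: "OK", or "error N" where N is the X509_V_ERR_* code.
verdict() {
  out=$(openssl verify "$@" -CAfile "$WORK/ca/ca.crt" "$WORK/leaf.crt" 2>&1 || true)
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1
  fi
}

# Plain chain validation: the chain is valid, so the revoked leaf passes.
without_crl() { verdict -purpose any; }
# With the CRL loaded and CRL checking enabled, the leaf fails with error 23
# (X509_V_ERR_CERT_REVOKED), the code the ssl_error ACL name refers to.
with_crl() { verdict -purpose any -crl_check -CRLfile "$WORK/ca.crl"; }

setup_pki
echo "without CRL: $(without_crl)"   # OK
echo "with CRL:    $(with_crl)"      # error 23
```

Run it as a plain shell script: the first check prints OK for the revoked leaf, the second prints error 23. Note that -crl_check only checks the leaf certificate; -crl_check_all checks every certificate in the chain and therefore needs a CRL for each issuer.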

