[squid-users] Ssl-Bump and revoked server certificates
Jason Haar
Jason_Haar at trimble.com
Tue Oct 6 07:27:39 UTC 2015
Good catch - I don't think squid does CRL/OCSP checks
I'm using the external_acl_type method to achieve that: it does the
extra work and returns "ERR" for revoked certs - which (for me) causes
squid to fall back on splice mode - so that the client browser can see
the actual fault directly (i.e. I'm making sure revoked certs are never
bumped)
But this is a bug in squid - this means untrustworthy certs become
trusted again - not a good look
--
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
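The helper described above, written out as an added example (this is not the poster's helper and not Squid's code). It assumes the Squid external ACL helper contract as I understand it: one request per stdin line, fields %-encoded (the quote=url default), an optional leading channel id when concurrency=N is set, and a one-line reply of OK, ERR or BH optionally followed by key=value pairs. It also assumes the ACL is defined so that the helper receives the client's SNI and the destination port (something like `%ssl::>sni %PORT`; the exact format codes depend on the Squid version and are an assumption here). Rather than parsing OCSP or CRLs itself, the helper makes its own TLS connection to the origin with a context that has a CRL loaded and VERIFY_CRL_CHECK_LEAF set, so OpenSSL does the revocation check; the CA bundle and CRL paths are command-line arguments. Policy: OK only when the chain verifies and the leaf is not revoked; ERR for revoked or unverifiable, so the `ssl_bump` rule can splice and the browser sees the real error; BH when the helper itself fails.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: OK only when the origin's certificate
validates and is not on the loaded CRL, ERR otherwise.

Added example, not Squid's code or the poster's helper.  Assumed helper
contract: one request per stdin line, %-encoded fields (quote=url), an
optional leading channel id with concurrency=N; one reply per line of
OK, ERR or BH, optionally followed by key=value pairs.
"""
import socket
import ssl
import sys
from urllib.parse import quote, unquote


def crl_checking_context(ca_bundle, crl_file):
    """TLS client context that verifies chains against ca_bundle and the
    leaf against a PEM CRL from crl_file.  With VERIFY_CRL_CHECK_LEAF,
    OpenSSL fails the handshake if the leaf is listed in the CRL, or if
    no CRL signed by the leaf's issuer has been loaded."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.load_verify_locations(cafile=crl_file)
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def check_via_handshake(host, port, ctx, timeout=5.0):
    """Handshake with the origin using the same SNI the client sent:
    'good'    chain verified and leaf not in the CRL
    'revoked' OpenSSL reported the leaf as revoked
    'unknown' any other verification or network failure"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "good"
    except ssl.SSLCertVerificationError as exc:
        return "revoked" if "revoked" in str(exc).lower() else "unknown"
    except (ssl.SSLError, OSError):
        return "unknown"


def handle_request(line, status_of, concurrent=False):
    """Map one Squid request line to one reply line.  status_of(host, port)
    returns 'good', 'revoked' or 'unknown'.  OK only for 'good'; ERR for
    anything else so the ssl_bump rule can splice and the browser sees the
    real certificate error; BH when the helper itself fails, which Squid
    treats as a helper error rather than a verdict."""
    fields = line.rstrip("\r\n").split(" ")
    channel = ""
    if concurrent:                       # concurrency=N: first field is the channel id
        channel, fields = fields[0] + " ", fields[1:]
    host = unquote(fields[0]) if fields else ""
    if host in ("", "-"):                # Squid sends "-" for an absent value
        return channel + "BH message=missing_sni"
    try:
        port = 443
        if len(fields) > 1 and fields[1] not in ("", "-"):
            port = int(unquote(fields[1]))
        status = status_of(host.lower(), port)
    except Exception as exc:             # helper bug, bad input or dependency failure
        return channel + "BH message=" + quote(type(exc).__name__)
    if status == "good":
        return channel + "OK"
    return channel + "ERR message=cert_" + status


def main(argv):
    """Usage: revcheck.py CA_BUNDLE.pem CRL.pem [--concurrent]"""
    ctx = crl_checking_context(argv[1], argv[2])
    concurrent = "--concurrent" in argv[3:]

    def status_of(host, port):
        return check_via_handshake(host, port, ctx)

    for line in sys.stdin:               # Squid keeps the helper running, one line per lookup
        sys.stdout.write(handle_request(line, status_of, concurrent) + "\n")
        sys.stdout.flush()               # a buffered reply stalls the lookup


if __name__ == "__main__":
    main(sys.argv)
```

To wire it in (assumed squid.conf fragment, not taken from the poster): define the ACL with something like `external_acl_type revcheck ttl=60 negative_ttl=10 %ssl::>sni %PORT /usr/local/bin/revcheck.py /etc/ssl/ca.pem /etc/ssl/crl.pem`, then `acl unrevoked external revcheck`, and order the bump rules `ssl_bump peek step1`, `ssl_bump splice !unrevoked`, `ssl_bump bump all`. ERR leaves `unrevoked` unmatched, so the splice rule fires and the browser gets the origin's certificate and its own revocation error. Two caveats: the helper's handshake is a second connection to the origin, so a short ttl matters for latency, and a leaf whose issuer has no CRL loaded counts as unverifiable, which fails closed to splice rather than open to bump.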