[squid-users] Ssl-Bump and revoked server certificates

Amos Jeffries squid3 at treenet.co.nz
Wed Oct 7 09:05:01 UTC 2015


On 7/10/2015 4:27 a.m., Alex Rousskov wrote:
> On 10/06/2015 01:27 AM, Jason Haar wrote:
>> Good catch - I don't think squid does CRL/OCSP checks
> 
>> But this is a bug in squid - this means untrustworthy certs become
>> trusted again - not a good look
> 
> 
> IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
> difficult to configure to do CRL checks. If my recollection is correct,
> then this is not exactly a Squid bug but more like a missing convenience
> feature.

Exactly. All that's missing is the squid.conf directive in Squid-3.x.
That has been added in Squid-4.

> 
> Squid does not know about OCSP. Another missing feature.
> 
> One may perform all those checks using a custom certificate validator
> helper, of course.
> 

Amos
