[squid-users] Ssl-Bump and revoked server certificates
Amos Jeffries
squid3 at treenet.co.nz
Thu Oct 22 09:41:43 UTC 2015
On 22/10/2015 7:22 p.m., Sebastian Kirschner wrote:
> Hi,
>
> I have a question regarding the SSL Server Certificate Validator.
>
> In the Wiki it is written:
> "The helper will be optionally consulted after an internal OpenSSL validation we do now, regardless of that validation results."
>
> What checks does the internal validation include?
The "internal" validation is done by the OpenSSL library. So whatever it is
doing based on the configuration you give it.
I believe that includes X.509 certificate syntax validity, and X.509
properties validity in light of the TLS extensions negotiated on the
connection, and a check that the cert was signed by one of the system default
Trusted-CA authorities (unless flags=NO_DEFAULT_CA was used) or a custom
CA you loaded (with cafile=/capath= options).
There may be more (or less) happening but that is the bulk of it. And
all inside OpenSSL so we can't easily debug the what/when/how of it when
the output messages are obscure.
Amos
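As an added illustration, not code from this thread or from Squid, the checks Amos lists above are modelled with Go's crypto/x509 in place of OpenSSL: a constructed private CA stands in for a CA loaded with cafile=, and the scenarios cover a server cert that chains to it, the same cert with a hostname mismatch, an expired cert, and the same cert when only the default trust store is consulted. All hostnames are constructed; the function names are this example's own.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// makeCert issues a cert for host: a self-signed CA when parent is nil, else a leaf signed by parent.
func makeCert(host string, parent *x509.Certificate, parentKey ed25519.PrivateKey,
	notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed root: may sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyLikeProxy is the analogue of the "internal" OpenSSL check: a chain to a trusted root
// (roots == nil means the system default store only, i.e. no cafile=/capath= CA loaded),
// the validity period, and the hostname. A nil error means the certificate is accepted.
func verifyLikeProxy(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
// Scenarios builds a constructed private CA and two leaves; true means accepted, false rejected.
func Scenarios() map[string]bool {
	year := time.Now().Add(365 * 24 * time.Hour)
	ca, caKey := makeCert("ca.example.test", nil, nil, year)
	loaded := x509.NewCertPool(); loaded.AddCert(ca) // the equivalent of loading this CA via cafile=
	good, _ := makeCert("proxy.example.test", ca, caKey, year)
	expired, _ := makeCert("proxy.example.test", ca, caKey, time.Now().Add(-time.Minute))
	return map[string]bool{
		"loaded CA, valid, hostname matches": verifyLikeProxy(good, loaded, "proxy.example.test") == nil,
		"loaded CA, but hostname mismatch":   verifyLikeProxy(good, loaded, "other.example.test") == nil,
		"loaded CA, but expired":             verifyLikeProxy(expired, loaded, "proxy.example.test") == nil,
		"CA not loaded (default store only)": verifyLikeProxy(good, nil, "proxy.example.test") == nil,
	}
}
func main() { fmt.Println(Scenarios()) }
```

Only the first scenario is accepted; the last one is what a bumped connection sees when the origin server's issuer is neither in the default store nor loaded via cafile=/capath=.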