[squid-users] Ssl-Bump and revoked server certificates

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 22 09:41:43 UTC 2015


On 22/10/2015 7:22 p.m., Sebastian Kirschner wrote:
> Hi,
> 
> I have a question regarding the SSL Server Certificate Validator.
> 
> In the Wiki is written:
> "The helper will be optionally consulted after an internal OpenSSL validation we do now, regardless of that validation results."
> 
> What checks does the internal validation include?

The "internal" validation is done by the OpenSSL library. So whatever it is
doing based on the configuration you give it.

I believe that includes X.509 certificate syntax validity, and X.509
properties validity in light of the TLS extensions negotiated on the
connection, and a check that the cert was signed by one of the system default
Trusted-CA authorities (unless flags=NO_DEFAULT_CA was used) or a custom
CA you loaded (with cafile=/capath= options).

There may be more (or less) happening but that is the bulk of it. And
all inside OpenSSL so we can't easily debug the what/when/how of it when
the output messages are obscure.

Amos
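An added squid.conf fragment (not from this thread or the Squid project docs) tying together the options Amos names: it assumes the Squid-4 style `tls_outgoing_options` syntax he quotes (Squid 3.5 spells the same settings `sslproxy_cafile` / `sslproxy_flags`), and the file paths are placeholders.

```conf
# Intercepting listener for SslBump; the signing CA path is a placeholder.
http_port 3129 ssl-bump cert=/etc/squid/ssl/bump-ca.pem

# Peek at the ClientHello, then bump (generate a cert) for everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Weak (commented out): DONT_VERIFY_PEER turns OpenSSL's internal chain
# check into a no-op, so the validator helper is the only thing left
# standing between a forged server certificate and the client.
# tls_outgoing_options flags=DONT_VERIFY_PEER

# Corrected: OpenSSL verifies the server chain only against the CA bundle
# given here (placeholder path); NO_DEFAULT_CA drops the system trust store.
tls_outgoing_options cafile=/etc/squid/ssl/trusted-cas.pem flags=NO_DEFAULT_CA

# The external validator is consulted after OpenSSL's internal validation,
# regardless of its outcome (helper path is a placeholder).
sslcrtvalidator_program /usr/local/bin/cert_validator
sslcrtvalidator_children 5 startup=1 idle=1 concurrency=1

# Do not silently tolerate errors reported by OpenSSL or by the helper.
sslproxy_cert_error deny all
```

With the corrected lines, a server certificate that OpenSSL cannot chain to `trusted-cas.pem` fails the internal validation before the helper runs, and the helper can only add errors on top of that result.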


