[squid-users] How to make sslbump'ing more robust? (option to continue?)
Amos Jeffries
squid3 at treenet.co.nz
Fri May 12 12:21:37 UTC 2017
On 12/05/17 15:45, L A Walsh wrote:
> Alex Rousskov wrote:
>> Yes, there is a way. Your options include:
>>
>> 1. Tell Squid to ignore expired certificates errors. Squid will then
>> mimic the expired certificate while allowing the client traffic. The
>> client should then detect the expired (fake) certificate and may offer
>> the user to bypass the problem.
> ...
> ----
>
> Since my SSL-bump is on a private server with most clients
> being my clients, this is probably the most ideal. I wasn't sure
> if the type of SSL-problem would be correctly duplicated to the
> client, as I didn't want to just continue the connection without
> telling the browser operator (most often, me) that there was
> some problem.

The details of what gets mimicked are documented at
<http://wiki.squid-cache.org/Features/MimicSslServerCert>.
Under Validity Dates:
"True dates by default. If a true validity date is missing or if
sslproxy_cert_adapt setValidAfter and setValidBefore is active, then the
signing certificate validity date is used."
Amos
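
A squid.conf sketch of option 1 quoted above, added here as an illustration; it is not taken from this thread or from the Squid project's documentation. It assumes SslBump is already configured, and the ACL name `expired_origin_cert` is made up for the example:

```conf
# Assumes ssl_bump is already working (bumping port, signing CA, ssl_bump
# rules). Only the handling of origin-certificate validation errors is shown.

# Too broad: this would tolerate every validation failure (hostname mismatch,
# untrusted issuer, self-signed, ...), not just expiry.
# sslproxy_cert_error allow all

# Narrow: tolerate only the "certificate has expired" error and keep
# rejecting everything else. expired_origin_cert is a hypothetical ACL name.
acl expired_origin_cert ssl_error X509_V_ERR_CERT_HAS_EXPIRED
sslproxy_cert_error allow expired_origin_cert
sslproxy_cert_error deny all

# Leave "sslproxy_cert_adapt setValidAfter" / "setValidBefore" off for this
# traffic: per the wiki text quoted above, with those active the mimicked
# certificate carries the signing certificate's validity dates instead of
# the origin's true (expired) ones.
```

With the true dates mimicked, the browser is the component that reports the expiry to the user, which is the behaviour the original poster asked for.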