[squid-users] Support for DistributionPoints in the dynamic creates certificate via sslbump

Amos Jeffries squid3 at treenet.co.nz
Sat Oct 13 02:29:10 UTC 2018


On 13/10/18 3:08 AM, Dieter Bloms wrote:
> Hello,
> 
> we use the sslbump feature of squid, and it works very well.
> One of our http clients expects a CRL distribution point in the dynamically
> generated certificate.
> I've set up a http server, which delivers this crl list, but don't know
> how to configure squid to set this distribution point in every
> dynamically generated certificate.
> 
> Does anybody know whether squid supports this feature?


AFAIK you should set it in the CA certificate you are using to sign
those dynamic ones.

The dynamic certs are exactly that - dynamic, created as needed and
erased when done with. When the proxy CA is changed all the dynamic
certs also change completely. So there should never exist a case where
Squid is emitting a dynamic cert with stale/different CA - that is
definitely a bug.

That just leaves the problem of clients configured to trust the stale CA
after Squid stops using it. So a CRL is only necessary to expire that CA
cert.


If that does not work then AFAIK the helper generating certs would need
extending to add the CRL reference. BUT ... carefully so as not to clash
with upstream server CRL details. Squid may need an extension to also
present the CRL itself (like it does icons etc.)


HTH
Amos
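
A worked example of the first suggestion in the reply, added here and not
part of the thread, of Squid, or of its helpers: an OpenSSL config that puts
a crlDistributionPoints extension into the proxy CA certificate that Squid
would be given to sign its dynamic certificates, followed by an (initially
empty) CRL issued by that CA, which is what the distribution point URL should
serve. The CRL URL, CA name, file names and validity periods are assumptions.
The extension lives on the CA certificate only; certificates signed by this
CA do not inherit it, so the check below inspects the CA certificate itself.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): build a self-signed
# proxy CA whose certificate carries a crlDistributionPoints extension,
# then issue a CRL from it. URL, names and paths below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CRL_URL="${CRL_URL:-http://crl.example.invalid/proxy-ca.crl}"   # assumed URL

# Minimal OpenSSL request config. crlDistributionPoints is placed in the
# extension section that 'openssl req -x509' applies to the self-signed CA.
write_openssl_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = Example Proxy CA

[ ca_ext ]
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, keyCertSign, cRLSign
subjectKeyIdentifier  = hash
crlDistributionPoints = URI:$CRL_URL
EOF
}

# Generate the CA key and self-signed certificate (validity is arbitrary).
make_ca() {
    write_openssl_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -config "$WORK/ca.cnf" >/dev/null 2>&1
}

# Exit 0 if the CA certificate advertises the expected CRL URL, else 1.
ca_has_cdp() {
    openssl x509 -in "$WORK/ca.crt" -noout -text | grep -q "URI:$CRL_URL"
}

# Issue an empty CRL signed by the CA. 'openssl ca -gencrl' needs a
# database file, a CRL number file, the CA key/cert and a validity period.
make_crl() {
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    cat > "$WORK/crl.cnf" <<EOF
[ ca ]
default_ca = proxy_ca

[ proxy_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 7
EOF
    openssl ca -config "$WORK/crl.cnf" -gencrl \
        -out "$WORK/proxy-ca.crl" >/dev/null 2>&1
}

# Exit 0 if the CRL's signature verifies against the CA certificate.
crl_verifies() {
    openssl crl -in "$WORK/proxy-ca.crl" -noout \
        -CAfile "$WORK/ca.crt" >/dev/null 2>&1
}

# Usage: 'sh this-file.sh run' builds the CA and CRL under $WORK.
if [ "${1:-}" = "run" ]; then
    make_ca && ca_has_cdp && make_crl && crl_verifies \
        && echo "CA and CRL written to $WORK"
fi
```

The resulting ca.crt/ca.key pair is what would be handed to Squid's ssl_bump
listener, and proxy-ca.crl is the file to publish at the URL named in the
extension; reissue the CRL before default_crl_days elapses so clients that
fetch it never see an expired one.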

