[squid-users] yum update fails when using squid even though .redhat.com is whitelisted

Alex Rousskov rousskov at measurement-factory.com
Thu Nov 21 18:10:30 UTC 2019


On 11/21/19 11:29 AM, Giles Coochey wrote:

> I believe Palo Alto and Bluecoats have a feature mechanism to provide
> the client with an appropriately broken cert, e.g. if the cert is
> expired, but has a trusted chain then it uses an expired cert with a
> trusted chain to the client, and if a cert is self signed, then it sends
> a self-signed cert to the client.

> I don't know whether Squid also has that mechanism

Yes, Squid also tries to mimic various aspects of origin server
certificate brokenness. Unfortunately, I do not think there is a wiki
table that fully documents which problems are mimicked by default, and I
do not remember all of the specifics. It would be great if somebody
would build such a table (e.g., by observing what Squid does with broken
certificates provided by various TLS testing web sites/services).

Alex.

