[squid-users] how to configure squid to check server certificate?
Amos Jeffries
squid3 at treenet.co.nz
Thu Mar 5 07:55:13 UTC 2020

On 4/03/20 2:02 pm, GeorgeShen wrote:
>> There should not need to be anything configured though. Rejecting
>> unknown root CAs is how TLS is designed to work. With splice the error
>> should be produced by your UA/Browser.
>
> Although the client I have has the root cert of that untrusted CA from
> server but getting the TLS handshaking error, it was not the client locally
> rejects that. Does that change anything regarding the splice operation does
> not need any configure for that operation (if it's a squid)?

Splice means Squid has decided to have no part in the TLS or any of the
traffic. It blindly relays the exact bytes between client and upstream
server.

If Squid is doing *anything* to alter those bytes it is not splicing. It
is performing one of: stare, bump, terminate, or client-first.

Amos
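
The following squid.conf fragment is an added illustration, not part of the original message and not taken from the Squid project's documentation. It contrasts a splice rule set, where only the client validates the server certificate, with a bump rule set, where Squid validates it. Directive names assume Squid 4 or later, and every file path is a placeholder.

```conf
# Added example (constructed). Directive names assume Squid 4 or later;
# every path below is a placeholder, not a value from the thread.

# Listening port with SslBump enabled. The CA certificate is only used
# when Squid has to generate certificates (bump, or serving an error page).
http_port 3128 ssl-bump tls-cert=/etc/squid/PLACEHOLDER-ca.pem generate-host-certificates=on

# Step 1 = Squid has the TCP connection and the client's TLS ClientHello.
acl step1 at_step SslBump1

# --- Variant A: splice ---
# Squid reads the ClientHello (to learn the SNI) and then becomes a plain
# TCP tunnel. The server certificate reaches the client unchanged, so any
# "unknown CA" decision is made by the client's own trust store. Nothing
# in squid.conf influences that check.
ssl_bump peek step1
ssl_bump splice all

# --- Variant B: bump (use instead of Variant A, not together with it) ---
# Squid terminates TLS on both sides. It validates the origin server's
# certificate itself, against the CA bundle named below, and presents the
# client with a certificate signed by the CA configured on http_port.
#ssl_bump peek step1
#ssl_bump bump all
#tls_outgoing_options cafile=/etc/squid/PLACEHOLDER-trusted-roots.pem
# Refuse origin servers whose certificate fails validation (the default).
#sslproxy_cert_error deny all
```

With Variant A, a handshake failure over an untrusted root has to be diagnosed on the client or the server, because Squid only relays the bytes.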