On 19/10/2015 8:37 a.m., Walter H. wrote:
> On 04.10.2015 21:08, Walter H. wrote:
>> Hello,
>>
>> does anybody know if squid does certificate checks and how to tell
>> squid to do so;
>>
>> this is a site with a revoked certificate
>> https://revoked.grc.com/
>>
>> without squid, the browser shows that the certificate is revoked and
>> doesn't show the page
>> with squid, the page is shown ...
>>
>> Thanks,
>> Walter
>
> I have solved it:
>
> my solution not only does certificate checks using OCSP, it also stores
> the real certificates into a different "database" folder;
> if someone doesn't want this, just remove the few lines of the shell
> script;
> as there exist no CA that allows IP addresses neither in certificate
> subject nor in the SAN (subject alternative name),
>
> https://www.whitehouse.gov/
> (is blocked at my solution because of a root certificate not in the cert
> store)
>
> all these candidates are blocked with error
>
> /X509_V_ERR_CERT_REJECTED/
>
> it uses two components:
>
> - a shell script (BASH) called by the programme
> - the main programme (in C): the only thing missing is an exception list of
> domains/hosts not to validate through this procedure

If you are interested in getting this helper bundled with Squid the
details on how to prepare and submit a patch to squid-dev mailing list
are at:
<http://wiki.squid-cache.org/MergeProcedure>

Cheers
Amos
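
An added example, not part of the thread and not the helper Walter describes: a shell sketch of the kind of OCSP revocation check discussed above, written to fail closed when the reply is unverified, missing, or anything other than "good". The function names, the file arguments and the sample reply are assumptions made for illustration; only the `openssl` command line tool is used.

```bash
# Added example, not the helper from the thread. Function names and file
# arguments are assumptions; only openssl(1) is required.

# Reduce the text printed by `openssl ocsp` to one verdict word.
# `openssl ocsp` can exit 0 even when the status is "revoked", so the
# verdict is taken from the output, never from the exit code alone.
classify_ocsp() {
    co_out=$1
    # The responder's signature on the reply must have verified.
    case $co_out in
        *"Response verify OK"*) ;;
        *) echo unverified; return 0 ;;
    esac
    # Status line has the form "<certfile>: good|revoked|unknown".
    co_verdict=$(printf '%s\n' "$co_out" |
        awk '/: (good|revoked|unknown)$/ { print $NF; exit }')
    echo "${co_verdict:-error}"
}

# Fail closed: exit status 0 only for a verified "good" reply.
ocsp_allows() {
    [ "$(classify_ocsp "$1")" = good ]
}

# Query the responder named in the certificate itself.
# Arguments: leaf certificate, its issuer certificate, trusted CA bundle.
ocsp_query() {
    oq_uri=$(openssl x509 -in "$1" -noout -ocsp_uri) || return 1
    [ -n "$oq_uri" ] || return 1
    openssl ocsp -issuer "$2" -cert "$1" -CAfile "$3" -url "$oq_uri" 2>&1
}

# Constructed sample of a verified reply for a revoked certificate.
SAMPLE_REVOKED='Response verify OK
leaf.pem: revoked
	This Update: Oct 18 00:00:00 2015 GMT
	Revocation Time: Oct 01 00:00:00 2015 GMT'
```

A caller would run `ocsp_allows "$(ocsp_query leaf.pem issuer.pem ca-bundle.pem)"` and reject the connection on any non-zero status, including the case where the certificate names no responder at all.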