On 22.01.15 08:14, Amos Jeffries wrote:
> Squid only *generates* server certificates using that helper. If you
> are seeing the log lines "Generating SSL certificate" they are
> incorrect when not using the helper.
>
> The non-helper bumping is limited to using the configured http(s)_port
> cert= and key= contents. In essence only doing client-first or
> peek+splice SSL-bumping styles.

I'm pretty sure this is incorrect - I'm running Squid 3.4 without
ssl_crtd, configured to bump server-first. The cert= parameter to the
http_port line points at a CA certificate. When visiting an https site
through the proxy, the certificate sent to the browser is a forged
version of the server's certificate, signed by the cert= CA. This
definitely seems to be server-first bumping - if the server's CA is
unknown, Squid generates an appropriately broken certificate, etc. as
you would expect.
Am I missing something?
--
- Steve Hill
Technical Director
Opendium Limited http://www.opendium.com