On 2/10/2015 7:58 p.m., Jason Haar wrote:
> Just a reminder people, but you've gone off-topic. The postbank.de
> website issue has NOTHING to do with pinning.
> 
> Someone mentioned earlier it's due to the HTTPS cert not having a
> complete cert-chain, and that web browsers auto-correct that situation,
> but squid does not. So I would say either squid should:
> 
> 1. implement the same sort of auto-correction code (say) Firefox does
> (which I bet is a lot of work), or
> 2. flick into splice-mode when there's a cert error (which could be as
> much work - I dunno)
> 
> I use external_acl_type to call an external script that tries to achieve
> that. Basically it manually downloads the homepage to get the cert,
> checks if it's valid against the OS CA list and if not, returns ERR so
> that squid splices the connection instead of bump-ing it. Means the
> entire connection blocks of course the first time this occurs, but after
> that caches it and it mostly works.

I'm not sure but a custom certificate validator helper can probably do
all this better. An example helper in Perl can be found at
helpers/ssl/cert_valid.pl

Amos

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
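
The check Jason describes above (fetch the server certificate, validate it against the OS CA list, answer ERR so the connection is spliced, cache the verdict), as an added example that is not code from this thread or from Squid. It assumes the external ACL is configured so that each request line carries only the server name; the one-hour cache lifetime is an arbitrary choice.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: OK if the chain verifies, ERR otherwise."""
import socket
import ssl
import sys
import time

CACHE_TTL = 3600   # seconds a verdict is remembered (assumed value)
CACHE = {}         # host -> (verdict, expiry timestamp)


def chain_verifies(host, port=443, timeout=5):
    """True if the server's chain validates against the OS CA store.

    Python's ssl module does not download missing intermediates, so a
    server sending an incomplete chain fails here. Connection errors
    also count as failure, which makes the caller answer ERR (splice).
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ValueError):   # ssl.SSLError is an OSError subclass
        return False


def verdict(host, check=chain_verifies, now=time.time):
    """Return 'OK' or 'ERR' for host, consulting the cache first."""
    host = host.strip().lower()
    if not host:
        return "ERR"
    hit = CACHE.get(host)
    if hit and hit[1] > now():
        return hit[0]
    result = "OK" if check(host) else "ERR"
    CACHE[host] = (result, now() + CACHE_TTL)
    return result


def main():
    # One request per input line, one reply line per request; flush so
    # the proxy is not left waiting on a buffered answer.
    for line in sys.stdin:
        sys.stdout.write(verdict(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The first lookup for a host still blocks for up to the connect timeout, as Jason notes; later lookups within the cache lifetime are answered from memory.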
