On 12/05/17 15:45, L A Walsh wrote:
Alex Rousskov wrote:
Yes, there is a way. Your options include:

1. Tell Squid to ignore expired certificate errors. Squid will then
mimic the expired certificate while allowing the client traffic. The
client should then detect the expired (fake) certificate and may offer
the user to bypass the problem.
...
----

Since my SSL-bump is on a private server with most clients
being my clients, this is probably the most ideal.  I wasn't sure
if the type of SSL-problem would be correctly duplicated to the
client, as I didn't want to just continue the connection without
telling the browser operator (most often, me) that there was
some problem.

The details of what gets mimicked are documented at <http://wiki.squid-cache.org/Features/MimicSslServerCert>.

Under validity Dates:
"True dates by default. If a true validity date is missing or if sslproxy_cert_adapt setValidAfter and setValidBefore is active, then the signing certificate validity date is used."

Amos
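
A squid.conf sketch of option 1 above, added here as an illustration; it is not part of the thread and not the Squid project's own configuration. It assumes SSL-Bump is already configured elsewhere in the file, and the ACL name `certExpired` is made up for the example.

```squidconf
# Added example. Assumes ssl_bump / http_port ssl-bump are configured elsewhere.
# "certExpired" is a hypothetical ACL name.

# Too broad: this would accept every origin certificate validation failure
# (untrusted issuer, name mismatch, ...), not only expiry.
#sslproxy_cert_error allow all

# Scoped: tolerate only the "certificate has expired" validation error
# and keep rejecting every other error.
acl certExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
sslproxy_cert_error allow certExpired
sslproxy_cert_error deny all

# Keep the mimicked validity dates true. Per the wiki text quoted above, the
# generated certificate copies the origin's real dates unless one of these
# adaptations is active, in which case the signing certificate's date is used
# and the client would no longer see that the origin certificate has expired.
#sslproxy_cert_adapt setValidAfter all
#sslproxy_cert_adapt setValidBefore all
```

With the adaptation lines left disabled, the browser receives a generated certificate carrying the origin's expired dates and can show its own expiry warning.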

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
