On 25/02/22 10:49, Dave Blanchard wrote:
On Thu, 24 Feb 2022 15:07:53 -0500
Alex Rousskov wrote:

What is the replacement for client-first?

A "good" answer depends on what exactly you are trying to achieve;
details matter. A "dumb" answer (i.e. a direct replacement without
considering your true needs and Squid bugs) is:

    ssl_bump bump all

That's what I had tried first, and was banging my head on the wall for hours trying to 
get it to work right--though the "ssl_bump peek" was in there also, on the 
suggestion of various tutorials. Now I just tried it again, with only that line...and it 
works perfectly! No problem. SMH...

This tutorial situation is really out of control. Sadly, this is what can be 
expected to happen when the syntax is changed with every version. Now we're in 
a real mess. I hope the Squid developers will make up their minds on how they 
want the syntax to be structured, build it that way, then LEAVE IT ALONE!


Agreed. Luckily we hear you (Alex and I are pretty much "them" these days).

If it helps, the config for this stabilized in Squid-3.5.
<https://wiki.squid-cache.org/Features/SslPeekAndSplice>



I prefer to handle the certificate validation externally

It is a common need. Squid supports external certificate validator
programs (a.k.a. helpers). Look for sslcrtvalidator_program in
squid.conf.documented.

Or at <http://www.squid-cache.org/Doc/config/sslcrtvalidator_program/>


For communication details, see the following
wiki page and src/security/cert_validators/fake/

https://wiki.squid-cache.org/Features/AddonHelpers

Awesome! That's very useful.

Thanks a lot for your help!


HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
