On 22.01.15 08:14, Amos Jeffries wrote:
> Squid only *generates* server certificates using that helper. If you are seeing the log lines "Generating SSL certificate" they are incorrect when not using the helper. The non-helper bumping is limited to using the configured http(s)_port cert= and key= contents. In essence only doing client-first or peek+splice SSL-bumping styles.
I'm pretty sure this is incorrect - I'm running Squid 3.4 without ssl_crtd, configured to bump server-first. The cert= parameter to the http_port line points at a CA certificate. When visiting an https site through the proxy, the certificate sent to the browser is a forged version of the server's certificate, signed by the cert= CA. This definitely seems to be server-first bumping - if the server's CA is unknown, Squid generates an appropriately broken certificate, etc. as you would expect.
Am I missing something?

--
Steve Hill
Technical Director
Opendium Limited
http://www.opendium.com

Direct contacts:
Instant messenger: xmpp:steve@xxxxxxxxxxxx
Email: steve@xxxxxxxxxxxx
Phone: sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
Email: sales@xxxxxxxxxxxx
Phone: +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
Email: support@xxxxxxxxxxxx
Phone: +44-1792-825748 / sip:support@xxxxxxxxxxxx
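For reference, an added squid.conf fragment (not from either message in the thread) showing the server-first bump setup Steve describes, where cert= names the signing CA and no certificate helper is configured. File paths and the port are placeholders, and the comment about in-process generation without sslcrtd_program reflects the behaviour Steve reports, not a statement from the Squid maintainers.

```conf
# Added example: Squid 3.4 server-first bump without the ssl_crtd helper.
# Paths and port are placeholders.

# cert=/key= name the CA that signs the mimicked server certificates;
# clients behind the proxy must trust this CA for bumping to be silent.
http_port 3128 ssl-bump \
    cert=/etc/squid/bump-ca.pem \
    key=/etc/squid/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Contact the origin server first, then bump, so the forged certificate
# can mimic the real one (including its validation errors, e.g. unknown CA).
ssl_bump server-first all

# Deliberately absent: sslcrtd_program. Without it, the mimicked
# certificates are signed inside the main Squid process and live only in
# the in-memory cache sized above. Adding the helper moves signing out of
# the worker and adds a persistent on-disk certificate database:
# sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# sslcrtd_children 5
```

To check which CA actually signed what a client receives, `openssl s_client -proxy 127.0.0.1:3128 -connect example.com:443 -showcerts` (OpenSSL 1.1.0 or later) prints the chain the proxy presents; the issuer should be the cert= CA, not the origin's public CA.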