On 30/06/2015 5:35 a.m., Alex Wu wrote:
> So far as I know, when sslbump is enabled for a port, for each dns
> name, squid saves a cert generated according to dns name and signing
> key (from http_port configuration). So the next time, the generated
> cert can be fetched if the same dns host and configured signing key.

Signing key is just a validation check on the cert. It has nothing else to do with the actual cert.

AFAIK generated certs are stored by DN, serial number or hash of the two.

> Now have a question on this:
>
> http_port 10045 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem
> http_port 10046 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem
>
> I have two ports configured with SSLBUMP. Each port has its own CA signing key.
> The desired behavior is that, for the hostname www.foo.com, the
> certificate generated for the port should use key_10045, and the
> certificate generated for the port should use key_10046. It seems OK.
> But, if we look at the ssl_db, only the last generated certificate
> is cached for www.foo.com. Is it possible to cache the generated
> certificates by the host and signing key?
>
> Alex

Not in the current design.

You could assign two workers, each with a different http_port and ssl_crtd helper using different cert databases.

What is the point of this anyway? Why do you want to make your users face a constant stream of nasty certificate-changed errors?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
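A squid.conf sketch of the two-worker layout Amos suggests, added here as an example and not taken from the thread or from the Squid project; it assumes Squid 3.5 with the ssl_crtd helper at /usr/lib/squid/ssl_crtd, a plain `ssl_bump bump all` policy, and placeholder database directories under /var/lib/ssl_db (the key and cert paths are the ones from Alex's post).

```conf
# Two SMP workers. Each worker owns one bumping port, one CA key/cert pair
# and its own ssl_crtd certificate database, so the certificate generated
# for www.foo.com under key_10045 and the one generated under key_10046
# land in different databases instead of overwriting each other.
#
# Assumptions (not from the thread): helper path /usr/lib/squid/ssl_crtd,
# database directories /var/lib/ssl_db/10045 and /var/lib/ssl_db/10046,
# each pre-created once with:  ssl_crtd -c -s /var/lib/ssl_db/<port>
workers 2

# Worker 1: port 10045, signing with key_10045, database 10045
if ${process_number} = 1
http_port 10045 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10045.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10045.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db/10045 -M 4MB
endif

# Worker 2: port 10046, signing with key_10046, database 10046
if ${process_number} = 2
http_port 10046 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/bg/deploy/squid/etc/mydlp/ssl/key_10046.pem cert=/opt/bg/deploy/squid/etc/mydlp/ssl/cert_10046.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db/10046 -M 4MB
endif

# Shared settings: helper pool size and a minimal bump policy (site-specific
# peek/splice rules would normally go here instead of bumping everything).
sslcrtd_children 5
ssl_bump bump all
```

Because the ssl_db directory is keyed only by the generated certificate's identity, separating the databases per worker is what keeps the two signings of the same hostname from evicting each other; clients still see a different issuer depending on which port they use, which is the certificate-changed behaviour Amos warns about.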