On 08/19/2015 09:43 AM, Jeremie Rafin wrote:
> # Non bumped list (only spliced): wellsfargo
> acl splicelist ssl::server_name .wellsfargo.com
>
> # SSL configuration
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> ssl_bump peek step1 all
> ssl_bump splice step2 splicelist
> ssl_bump bump all

> With this config file, https://revoked.grc.com/ is not rejected.

On my test machine, "openssl verify -crl_check ..." does not reject that
site's certificate either unless I manually download and set up the
corresponding CRL. You should not expect much more vigilance from a
stock Squid installation than you get from OpenSSL on the same box:
Squid uses OpenSSL for certificate validation.

Firefox does reject that URL with sec_error_revoked_certificate. This
means that Firefox CRL list maintenance is "better" than that of a stock
OpenSSL installation [on Ubuntu 14.04.3 LTS].

You might also find Squid's http_port crlfile option and the following
answer useful:
http://askubuntu.com/questions/448876/how-do-i-install-an-openssl-crl-file

HTH,

Alex.
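The behaviour described in the reply above, reproduced offline as an added example that is not part of the original message: it builds a constructed throwaway CA, issues and revokes one certificate, then runs openssl verify without revocation checking and with -crl_check plus the CRL supplied through -CRLfile. The names Demo CA and revoked.example, the ca.cnf contents and the function names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example. Everything here is constructed: a throwaway CA in a temp dir.
DEMO_DIR=$(mktemp -d)

build_demo_pki() (
  cd "$DEMO_DIR" || exit 1
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = CN
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  ca="openssl ca -batch -config ca.cnf -cert ca.pem -keyfile ca.key"
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo CA" \
      -days 30 -keyout ca.key -out ca.pem &&
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=revoked.example" -keyout srv.key -out srv.csr &&
  $ca -notext -in srv.csr -out srv.pem &&  # issue the server certificate
  $ca -revoke srv.pem &&                   # mark it revoked in index.txt
  $ca -gencrl -out ca.crl                  # publish the CRL listing it
)

# Chain validation only: the revoked certificate still verifies.
verify_plain() { openssl verify -CAfile "$DEMO_DIR/ca.pem" "$DEMO_DIR/srv.pem" 2>&1; }

# Revocation checking enabled and the CRL supplied by hand: verification fails.
verify_with_crl() { openssl verify -crl_check -CRLfile "$DEMO_DIR/ca.crl" \
    -CAfile "$DEMO_DIR/ca.pem" "$DEMO_DIR/srv.pem" 2>&1; }

build_demo_pki >/dev/null 2>&1 || { echo "openssl setup failed" >&2; exit 1; }
echo "no revocation check:    $(verify_plain || true)"
echo "-crl_check with CRL:    $(verify_with_crl || true)"
```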