Good catch - I don't think squid does CRL/OCSP checks.

I'm using the external_acl_type method to achieve that: it does the extra work and returns "ERR" for revoked certs - which (for me) causes squid to fall back on splice mode - so that the client browser can see the actual fault directly (i.e. I'm making sure revoked certs are never bumped).

But this is a bug in squid - this means untrustworthy certs become trusted again - not a good look.

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users