On 7/10/2015 4:27 a.m., Alex Rousskov wrote:
> On 10/06/2015 01:27 AM, Jason Haar wrote:
>> Good catch - I don't think squid does CRL/OCSP checks
>
>> But this is a bug in squid - this means untrustworthy certs become
>> trusted again - not a good look
>
>
> IIRC, Squid relies on OpenSSL to perform CRL checks. OpenSSL is
> difficult to configure to do CRL checks. If my recollection is correct,
> then this is not exactly a Squid bug but more like a missing convenience
> feature.

Exactly. All that's missing is the squid.conf directive in Squid-3.x.
That has been added in Squid-4.

>
> Squid does not know about OCSP.

Another missing feature.

>
> One may perform all those checks using a custom certificate validator
> helper, of course.
>

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users