On 02/18/2017 03:31 PM, L A Walsh wrote:
> How does squid 'normally' handle security revocations,

In the simplest case without SslBump, Squid does not see the server certificate at all and, hence, cannot validate it. Squid simply tunnels opaque bytes, including certificate bytes, from the server to the client. You cannot customize this aspect of Squid behavior.

If an SslBump peeking or staring rule matches at step2, then Squid receives the server certificate and asks OpenSSL to validate it before sending/receiving any HTTP-level data to/from that server. If your OpenSSL installation considers the certificate revoked, Squid will treat it as such and, by default, terminate the connection to the origin server without receiving an HTTP response. You can customize that default using several configuration options and/or a certificate validation helper. Search squid.conf.documented for "certificate" and "sslcrtvalidator_program".

> However, in the case of squid using https-interception to allow
> breaking open otherwise uncacheable streams, my configuration doesn't
> seem to check if a remote site is using a revoked cert.

Squid does not validate server certificates that it does not see. For example, if you splice the intercepted connections at SslBump step1 or step2, then Squid will not see the server certificate and will just forward all certificate bytes to the client "as is".

> And, ideally, _could_ squid interactively prompt the user about
> whether or not the specific cert should be used/allowed anyway,
> *and* whether or not the cert should be _stored_ as an "exception"?

Upon receiving a revoked certificate, a _browser_ can do that. Squid is not a User Agent and does not talk to the user directly (although it can, in some cases, respond with an error page that a user will see).

If you are bumping (rather than splicing) SSL connections, then the fake certificate generated by Squid will not be revoked even if the origin server certificate was -- I do not think Squid mimics that aspect of the origin server certificate.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
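As an added illustration (not part of Alex's reply and not a configuration shipped by the Squid project), the squid.conf sketch below contrasts the two situations described in the thread: a rule set that splices at step1, where Squid never sees the origin certificate and so cannot notice a revocation, and a rule set that peeks at step1 and step2, where Squid receives the origin certificate and OpenSSL validation (and, with it, revocation handling) applies before any HTTP data is exchanged. The ACL names, the port number, and the file paths are assumptions chosen for the example; the directives (`at_step`, `ssl_bump`, `sslproxy_cert_error`, `sslcrtvalidator_program`) are the ones the thread points to in squid.conf.documented.

```conf
# Assumed interception listener; the cert path is a placeholder, not a real file.
https_port 3129 intercept ssl-bump generate-host-certificates=on \
    cert=/etc/squid/ssl/placeholder-ca.pem

# ACL names are an assumption for this example; at_step is the SslBump step ACL.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# --- Case A: splice at step1 ---------------------------------------------
# Squid never receives the origin server certificate, so nothing is
# validated and a revoked certificate passes through to the client "as is".
# (Commented out so the two cases are not both active.)
# ssl_bump splice step1

# --- Case B: peek through step2, then decide -----------------------------
# Peeking at step1 and step2 makes Squid receive the origin certificate;
# OpenSSL validates it before any HTTP-level data is exchanged with the
# server.  A certificate that OpenSSL considers revoked fails validation.
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice all

# Default behaviour: do not ignore any certificate error, so a failed
# validation terminates the connection to the origin server.  Spelling it
# out keeps the intent visible next to the ssl_bump rules.
sslproxy_cert_error deny all

# Optional: hand validation results to an external helper for custom policy.
# The helper path is a placeholder; Squid does not ship a production validator.
# sslcrtvalidator_program /usr/local/libexec/squid/placeholder-cert-validator
```

Two points follow from the thread rather than from this fragment: with `ssl_bump bump` after a stare at step2, the client receives a Squid-generated certificate that is not itself revoked even when the origin certificate was, so revocation is only enforced at the Squid-to-origin hop; and replacing `sslproxy_cert_error deny all` with an `allow` rule for some ACL is exactly the kind of customization that reintroduces revoked certificates into the path, so any such relaxation deserves logging and a narrow ACL.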