On 11/13/2017 03:21 AM, Niklas Bachmaier wrote:

> The last post I found on OCSP with Squid is from 2015 where it says
> that Squid does not support OCSP by any means.

For the record, here is that 2015 thread:
http://lists.squid-cache.org/pipermail/squid-users/2015-October/005831.html

> For certificate revocation checking we would like to make use of the
> OCSP must-staple feature (defined in RFC 7633). We are asking
> ourselves if OCSP stapling and especially must-staple is now supported
> by Squid and, if it is, if there is any special configuration needed
> to activate it.

AFAIK, OpenSSL does not automatically validate OCSP-related parts of the
server Hello. Squid does not do that either (yet?).

As I said in 2015, it may be possible to do the required validation
using an external certificate validator (sslcrtvalidator_program). If
not already possible "as is", it is probably not difficult to add the
missing bits to Squid to enable such external OCSP validation.

HTH,

Alex.