On 26/03/18 11:11, Yuri wrote: > By the way, Amos. I have an idea spinning around. Is it possible to > specify the SSL error of the unknown certificate issuer for the correct > processing of the situation when the client does not have a proxy > certificate installed? This would greatly facilitate the task that we > are discussing. > > We're can, in this case, just use deny_info to redirect client to proxy > page. ;-) > "error of the unknown issuer" is an implementation detail of the SSL/TLS library used by the client-end software. Is that clear enough about why Squid cannot do anything? Squid can change the cert issuer from X to A or X to Y. But cannot make any specific issuer A or Y known when it is not already known** by the client. ** intermediate certs that can be D/L by the client can be considered "known" when (and only when) their root CA is already trusted. Unless the client does not download missing intermediates. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
