On 06/26/2018 07:22 AM, Ahmad, Sarfaraz wrote: > I need to provide access to my clients to a service on the internet that > is using a private CA. > > I do not want to trust that CA outside the scope of that destination > domain. (The thought is to not just blindly trust a random CA, rather > if we have to, we limit it to the particular domain.) > > Can something like this be achieved without toying with the squid’s code ? I believe this can be done with a sslcrtvalidator_program helper: * http://www.squid-cache.org/Doc/config/sslcrtvalidator_program/ * https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator Alternatively, you may be able to block (wrong) responses signed by that CA using an external ACL that is supplied %ssl::>cert_issuer and origin domain information. The validator helper approach prevents untrusted HTTP messages from reaching Squid, but the external ACL approach is easier to implement. HTH, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users