On 13/10/18 3:08 AM, Dieter Bloms wrote:
> Hello,
>
> we use the sslbump feature of squid, and it works very well.
> One of our http clients expects a CRL distribution point in the dynamically
> generated certificate.
> I've set up a http server, which delivers this crl list, but don't know
> how to configure squid to set this distribution point in every
> dynamically generated certificate.
>
> Does anybody know whether squid supports this feature?

AFAIK you should set it in the CA certificate you are using to sign those dynamic ones.

The dynamic certs are exactly that - dynamic, created as needed and erased when done with. When the proxy CA is changed all the dynamic certs also change completely. So there should never exist a case where Squid is emitting a dynamic cert with stale/different CA - that is definitely a bug.

That just leaves the problem of clients configured to trust the stale CA after Squid stops using it. So a CRL is only necessary to expire that CA cert.

If that does not work then AFAIK the helper generating certs would need extending to add the CRL reference. BUT ... carefully so as not to clash with upstream server CRL details. Squid may need an extension to also present the CRL itself (like it does icons etc.)

HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
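
A way to check which certificate actually carries a CRL distribution point (CDP), as an added example that is not part of the original thread and is not Squid code: it builds a throwaway CA with a CDP in its own certificate, signs a leaf that has no extension section, and lists the CDP URIs found in each. X.509 extensions are not inherited from the issuer, so the leaf comes back empty; the CRL URL, subject names and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Squid code. CRL_URL and every file name are placeholders.
CRL_URL="http://crl.example.internal/proxy-ca.crl"

# make_ca <dir>: throwaway signing CA whose own certificate carries a CDP.
make_ca() {
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Constructed SSL-Bump test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
crlDistributionPoints = URI:$CRL_URL
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_leaf <dir>: leaf signed by that CA with no extension section of its own.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# cdp_uris <pem>: print each CRL distribution point URI in the certificate.
cdp_uris() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 CRL Distribution Points/ { in_cdp = 1; next }
        in_cdp && /X509v3 |Signature Algorithm|Authority Information Access/ { in_cdp = 0 }
        in_cdp && /URI:/ { sub(/.*URI:/, ""); print }'
}

# Stand-alone run: compare what the CA and the leaf each advertise.
d=$(mktemp -d) && make_ca "$d" && make_leaf "$d" &&
    echo "CA CDP:   $(cdp_uris "$d/ca.pem")" &&
    echo "leaf CDP: $(cdp_uris "$d/leaf.pem")"
rm -rf "$d"
```

Running `cdp_uris` on a certificate saved from a bumped connection shows whether the client's requirement is met or whether the cert-generating helper would need the extension Amos describes.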