On 21/01/19 11:02 am, Eliezer Croitoru wrote:
> OK so from the real world:
>
> What's the best way to ban Let's Encrypt based certificates? or
> whitelist a very narrow list of Root and Intermediates CA?
>

Besides what Alex has answered to your first question, I think the simpler approach would be the second, and probably more what you need anyway...

  tls_outgoing_options default-ca=off cafile=X.pem cafile=Y.pem

That makes Squid outgoing connections *not* use the global Trusted CA set. Then explicitly load the individual one(s) you *do* want to trust.

A whitelist - but only for the root / self-signed CA certs. Intermediary CAs inherit their trust (or lack) from their root CA. If intermediary CA trust matters to your situation then a custom validator as mentioned by Alex would be necessary.

NP: You can list cafile=... as many times as you wish to load multiple files, and should be able to load multiple CA certs in any of the file(s). But I have not confirmed the latter.

cache_peer has matching options with "tls-" prefix.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
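A fuller squid.conf fragment showing the root-CA whitelist approach Amos describes, both for Squid's own outgoing connections and for a TLS cache_peer. This is an added example, not configuration from the thread or from the Squid project: the CA file paths and the peer hostname are placeholders, and the cache_peer options tls-default-ca=off and tls-cafile= are assumed to be the "tls-" prefixed equivalents Amos refers to (check the cache_peer documentation for your Squid version).

```conf
# Added example (not from the thread): restrict outgoing TLS trust to a
# short whitelist of root CAs instead of the system-wide trusted CA set.

# 1. Squid's own outgoing connections (e.g. SSL-Bump origin fetches).
#    default-ca=off stops Squid using the global Trusted CA set; each
#    cafile= then adds one file of explicitly trusted root CA certs.
#    The two paths below are placeholders for this example.
tls_outgoing_options default-ca=off cafile=/etc/squid/ca/corp-root.pem cafile=/etc/squid/ca/partner-root.pem

# 2. The same restriction on a TLS parent cache_peer, using the "tls-"
#    prefixed forms of the options (tls-default-ca=off and tls-cafile=
#    are assumed here to be those forms; parent.example.net is a
#    placeholder host).
cache_peer parent.example.net parent 3128 0 tls tls-default-ca=off tls-cafile=/etc/squid/ca/corp-root.pem
```

Two practical caveats follow from the message. First, the whitelist only acts at the root / self-signed CA level: any intermediate chaining to a whitelisted root is trusted with it, so a policy that must reject a specific intermediate (or a specific public CA such as Let's Encrypt while keeping its root's siblings) needs the external validator Alex mentioned rather than this fragment. Second, Amos has not confirmed that a single cafile= holding several concatenated PEM certificates is honoured, so if you rely on bundling rather than one cafile= per root, test it against a server whose chain ends in the second certificate of the bundle before depending on it.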