On 11/21/19 11:29 AM, Giles Coochey wrote:

> I believe Palo Alto and Bluecoats have a feature mechanism to provide
> the client with an appropriately broken cert, e.g. if the cert is
> expired, but has a trusted chain then it uses an expired cert with a
> trusted chain to the client, and if a cert is self signed, then it sends
> a self-signed cert to the client.

> I don't know whether Squid also has that mechanism

Yes, Squid also tries to mimic various aspects of origin server certificate brokenness. Unfortunately, I do not think there is a wiki table that fully documents which problems are mimicked by default, and I do not remember all of the specifics. It would be great if somebody would build such a table (e.g., by observing what Squid does with broken certificates provided by various TLS testing web sites/services).

Alex.