On 2/03/20 11:32 am, GeorgeShen wrote: > > Sorry, I should have said 'Trusted self-signed' CA vs non-Trusted. I was in > one enterprise, they use proxy server, when I went to a non-trusted CA > server, I got TLS handshaking error; but it worked fine when going to a > 'trusted' CA server. And I know my connection on the proxy was not a > SSL-Bump. I was trying to see how does the proxy server decide a server is a > trusted, vs non-trusted in splice. If I were going to implement this on the > squid, how to configure such a policy. > *IF* that error was from the proxy and the proxy was a Squid, then it can be done at step 3 with a helper after a peek or stare at step 2. There should not need to be anything configured though. Rejecting unknown root CAs is how TLS is designed to work. With splice the error should be produced by your UA/Browser. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
