On 23/02/22 07:11, Garbacik, Joe wrote:
> When the squid proxy validates a certificate of a destination, does it
> cache that certificate's status for a period of time or does it validate
> the certificate each time? Would it log when it makes calls to a CRL or
> OCSP server to validate the certificate or is it just part of the
> process?
The answers to all of your questions depend on the library doing that validation.
AFAIK, Squid only performs AIA lookups to find missing chain
certificates. CRL/OCSP are part of the library's internal validation
process and may not involve server lookups at all.
> Also, does it support putting CRL/OCSP data in the
> certificate provided to the client if doing SSL intercept?
The certificate sent to the client mimics the real server certificate
fields when available. It is an intentional security design *not* to
inject details, not even to fix brokenness.
The SSL-Bump signing cert is used as-is for the chain. You can place any
valid certificate fields you want when it is created.
Amos
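A check a defender can run on the origin server's certificate and on the certificate Squid presents to a bumped client, to see which revocation pointers (OCSP responder, CRL distribution point) the mimicked copy actually carries. This is an added example, not code from the thread or from the Squid project; the hostnames and URIs are placeholders, and the two certificates are generated locally as constructed stand-ins for "origin cert" and "client-facing cert".

```shell
#!/bin/sh
# Requires openssl 1.1.1 or newer (for -addext and -ext).

# Constructed sample certificate. Usage: make_sample_cert OUT.pem [with_revocation|plain]
# "with_revocation" adds AIA (OCSP + caIssuers) and a CRL DP, standing in for an
# origin server cert; "plain" has neither, standing in for a cert that lacks them.
# All URIs are placeholders, not real services.
make_sample_cert() {
  out="$1"; kind="${2:-plain}"
  set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=origin.example" \
         -keyout "${out%.pem}.key" -out "$out"
  if [ "$kind" = with_revocation ]; then
    set -- "$@" \
      -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example/status,caIssuers;URI:http://ca.example/issuer.crt" \
      -addext "crlDistributionPoints=URI:http://crl.example/root.crl"
  fi
  openssl req "$@" >/dev/null 2>&1
}

# Print the revocation pointers in a PEM cert, one per line:
#   "OCSP <uri>" for each OCSP responder in the AIA extension
#   "CRL <uri>"  for each URI in the CRL Distribution Points extension
revocation_sources() {
  cert="$1"
  openssl x509 -in "$cert" -noout -ocsp_uri | sed 's/^/OCSP /'
  openssl x509 -in "$cert" -noout -ext crlDistributionPoints 2>/dev/null \
    | sed -n 's/^[[:space:]]*URI:/CRL /p'
}

# Usage: missing_sources ORIGIN.pem CLIENT_FACING.pem
# Prints each pointer the origin cert carries that the client-facing cert lacks.
# An empty result means the client sees the same revocation sources it would
# have seen without the proxy.
missing_sources() {
  revocation_sources "$1" | while IFS= read -r line; do
    revocation_sources "$2" | grep -qxF -e "$line" || echo "$line"
  done
}
```

Point `missing_sources` at a saved copy of the origin certificate and at the certificate captured from a bumped client connection (e.g. with `openssl s_client` through the proxy) to see what the mimicking dropped.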
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users