Support for DistributionPoints in the dynamic creates certificate via sslbump


Support for DistributionPoints in the dynamic creates certificate via sslbump

Dieter Bloms-2
Hello,

we use the sslbump feature of squid, and it works very well.
One of our http clients expects a CRL distribution point in the dynamically
generated certificate.
I've set up a http server, which delivers this crl list, but don't know
how to configure squid to set this distribution point in every
dynamically generated certificate.

Does anybody know whether squid supports this feature?

Thank you very much.


--
Regards

  Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Support for DistributionPoints in the dynamic creates certificate via sslbump

Amos Jeffries
Administrator
On 13/10/18 3:08 AM, Dieter Bloms wrote:

> Hello,
>
> we use the sslbump feature of squid, and it works very well.
> One of our http clients expects a CRL distribution point in the dynamically
> generated certificate.
> I've set up a http server, which delivers this crl list, but don't know
> how to configure squid to set this distribution point in every
> dynamically generated certificate.
>
> Does anybody know whether squid supports this feature?


AFAIK you should set it in the CA certificate you are using to sign
those dynamic ones.

The dynamic certs are exactly that - dynamic, created as needed and
erased when done with. When the proxy CA is changed all the dynamic
certs also change completely. So there should never exist a case where
Squid is emitting a dynamic cert with stale/different CA - that is
definitely a bug.

That just leaves the problem of clients configured to trust the stale CA
after Squid stops using it. So a CRL is only necessary to expire that CA
cert.


If that does not work then AFAIK the helper generating certs would need
extending to add the CRL reference. BUT ... carefully so as not to clash
with upstream server CRL details. Squid may need an extension to also
present the CRL itself (like it does icons etc.)


HTH
Amos
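The suggestion above is to put the CRL distribution point on the signing CA rather than on each generated leaf. The following is an added example, not code from the thread or from the Squid project, showing how to mint such a proxy CA with the openssl CLI and how to check that the extension actually landed in the certificate. It assumes openssl is installed; the subject name, the CRL URL (crl.example.invalid) and the file names are placeholders chosen for this example, and the resulting ca.pem/ca.key pair is what one would hand to the SSL-Bump certificate generator.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: build a proxy CA certificate
# that carries a crlDistributionPoints extension and verify it is present.
# Assumes the openssl CLI. Subject, URL and paths are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
CRL_URL="${CRL_URL:-http://crl.example.invalid/proxy-ca.crl}"

# Write an OpenSSL request config whose x509 extensions include the CRL DP.
make_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no

[ dn ]
CN = Example SSL-Bump Proxy CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
crlDistributionPoints = URI:$CRL_URL
EOF
}

# Generate a private key and a self-signed CA certificate from that config.
make_ca_cert() {
    make_ca_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Generate a self-signed certificate with no CRL DP, for a negative check.
make_plain_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Cert without CRL DP" \
        -keyout "$WORK/plain.key" -out "$WORK/plain.pem" 2>/dev/null
}

# Print the CRL DP extension of certificate $1; fall back to the full text
# dump on OpenSSL builds that lack the -ext option.
crl_dp_text() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        || openssl x509 -in "$1" -noout -text
}

# Return 0 when certificate $1 advertises a CRL DP at URI $2.
has_crl_dp() {
    crl_dp_text "$1" | grep -q "URI:$2"
}

make_ca_cert
echo "CA certificate written to $WORK/ca.pem"
crl_dp_text "$WORK/ca.pem"
```

Because every dynamically generated certificate is signed by this CA, a client that walks the chain finds the distribution point on the issuer; if a client insists on the extension being present in the leaf itself, that is the case where, as noted above, the certificate-generating helper would have to be extended.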