Squid configuration directive sslproxy_cert_sign

Available in: 4   3.5   3.4   3.3  


Changes to sslproxy_cert_sign in Squid-3.3:

New option to determine how the certificate Squid generates for the client when bumping a TLS connection is signed (which CA signs it, or whether it is deliberately made untrusted or self-signed).

For versions older than 3.3 see the linked pages above

Configuration Details:

Option Name: sslproxy_cert_sign
Default Value: none
Suggested Config:

        sslproxy_cert_sign <signing algorithm> acl ...

        The following certificate signing algorithms are supported:

	   signTrusted
		Sign using the configured CA certificate which is usually
		placed in and trusted by end-user browsers. This is the
		default for trusted origin server certificates.

	   signUntrusted
		Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error.
		This is the default for untrusted origin server certificates
		that are not self-signed (see ssl::certUntrusted).

	   signSelf
		Sign using a self-signed certificate with the right CN to
		generate an X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the
		browser. This is the default for self-signed origin server
		certificates (see ssl::certSelfSigned).

	This clause only supports fast acl types.

	When sslproxy_cert_sign acl(s) match, Squid uses the corresponding
	signing algorithm to generate the certificate and ignores all
	subsequent sslproxy_cert_sign options (the first match wins). If no
	acl(s) match, the default signing algorithm is determined by errors
	detected when obtaining and validating the origin server certificate.

	WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl::certDomainMismatch can
	be used with sslproxy_cert_sign (and sslproxy_cert_adapt), but if and only
	if Squid is bumping a CONNECT request that carries a domain name. In all
	other cases (CONNECT to an IP address or an intercepted SSL connection),
	Squid cannot detect the domain mismatch at certificate generation time
	when bump-server-first is used.
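The following squid.conf fragment is an added example, not part of the Squid documentation, showing the first-match-wins selection described above together with the domain-mismatch caveat. The port, CA path, ACL names and hostnames are assumptions for illustration. It targets Squid 3.5 and 4 (ssl::server_name and at_step); on 3.3/3.4 replace the ssl_bump lines with `ssl_bump server-first all` and use dstdomain in place of ssl::server_name.

```conf
# Added example (not from the Squid documentation); port, CA file, ACL
# names and hostnames are assumptions.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Internal hosts whose self-signed certificates this proxy deliberately
# vouches for. Keep this list tight: signTrusted hides the origin's
# problem from every user behind the proxy.
acl internal_selfsigned ssl::server_name .intranet.example

# Hosts whose users must always get a browser warning, even when the
# origin certificate validates cleanly.
acl always_warn ssl::server_name .untrusted-partner.example

# Without this Squid answers a failed origin validation with an error
# page instead of a bumped connection; sslproxy_cert_sign then decides
# what the browser sees for the tolerated errors.
sslproxy_cert_error allow internal_selfsigned
sslproxy_cert_error allow ssl::certUntrusted
sslproxy_cert_error deny all

# First match wins; once a line matches the rest are ignored.
# ACL names on one line are ANDed: only self-signed certs from the
# internal hosts are re-signed with the trusted CA.
sslproxy_cert_sign signTrusted internal_selfsigned ssl::certSelfSigned
sslproxy_cert_sign signUntrusted always_warn

# Only effective for CONNECT requests that carry a host name; for
# CONNECT-to-IP and intercepted connections the mismatch is not known
# at certificate generation time and this line never matches.
sslproxy_cert_sign signUntrusted ssl::certDomainMismatch

# Everything else falls through to the defaults: signTrusted for clean
# origin certificates, signUntrusted or signSelf mirroring the origin's
# validation error (subject to sslproxy_cert_error above).
```

The first rule is the one to review most carefully in a real deployment: it converts a self-signed origin certificate into one chained to the CA every client trusts, so an attacker who can answer for a name under .intranet.example with any self-signed certificate would be indistinguishable from the real host as far as the browser is concerned. Pairing it with a tight ssl::server_name list (or a cache_peer/dst restriction) limits that exposure.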
