Re: [PATCH] SSL server certificate validator implementation

From: Tsantilas Christos <chtsanti_at_users.sourceforge.net>
Date: Wed, 21 Nov 2012 22:14:54 +0200

If there are no objections, I will commit this patch plus the "cert
validation cache" patches to trunk.

On 11/14/2012 01:59 PM, Tsantilas Christos wrote:
> This patch implements the certificate validation helper interface
> described at:
> http://wiki.squid-cache.org/Features/SslServerCertValidator
>
> The helper is consulted after the internal OpenSSL validation, regardless
> of the validation results. The helper will receive:
>
> 1) the origin server certificate [chain],
> 2) the intended domain name, and
> 3) a list of OpenSSL validation errors (if any).
>
> If the helper decides to honor an OpenSSL error or to report other
> validation error(s), the helper will return:
> 1) a list of certificates, and
> 2) a list of items, each consisting of the validation error name (see the
> %err_name error page macro and %err_details logformat code), the error
> reason (%ssl_lib_error macro), and the offending certificate.
>
> The exact helper message format is described here:
>
> http://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
>
> The returned information mimics what the internal OpenSSL-based
> validation code collects now. Returned errors, if any, are fed to
> sslproxy_cert_error, triggering the existing SSL error processing code.
>
> The helper invocation is controlled by the "sslcrtvalidator_program" and
> "sslcrtvalidator_children" configuration options, which are similar to
> the ssl_crtd related options.
>
> A simple testing cert validation helper, developed in Perl, is included in
> this patch. This helper just echoes back the certificate errors.
>
> This is a Measurement Factory Project
>
Received on Wed Nov 21 2012 - 20:15:07 MST
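The request/response exchange described in the quoted message, as an added example that is not part of the patch or of the Perl helper it mentions: an echo-style validator helper that hands every OpenSSL error straight back to Squid. The wire format (a `cert_validate <length> <body>` request, an `OK <length> <body>` response, and the `host=`, `cert_N=`, `error_name_N=`, `error_cert_N=` and `error_reason_N=` body keys) is assumed here from the linked wiki page and is not spelled out in the e-mail; the sample request is constructed.

```python
"""Echo-style SSL server certificate validator helper (constructed example).

Assumed wire format (taken from the linked wiki page, not from this e-mail):
  request : "cert_validate <body-length> <body>"
  response: "OK <body-length> <body>"
  body    : newline-separated key=value pairs; a cert_N= value is a PEM
            certificate spanning lines up to its END marker; each error is an
            error_name_N= line plus an error_cert_N= line naming a cert_N key.
"""


def parse_body(body):
    """Return (host, {cert_key: pem}, [{"name":..., "cert":...}, ...])."""
    host, certs, errors = None, {}, {}
    lines = body.splitlines()
    i = 0
    while i < len(lines):
        key, _, value = lines[i].partition("=")
        if key == "host":
            host = value
        elif key.startswith("cert_"):
            pem = [value]  # collect the PEM block that follows the key
            while not pem[-1].startswith("-----END") and i + 1 < len(lines):
                i += 1
                pem.append(lines[i])
            certs[key] = "\n".join(pem)
        elif key.startswith("error_name_"):
            errors.setdefault(key[11:], {})["name"] = value
        elif key.startswith("error_cert_"):
            errors.setdefault(key[11:], {})["cert"] = value
        i += 1
    return host, certs, [errors[k] for k in sorted(errors, key=int)]


def echo_response(request_line):
    """Mirror every OpenSSL error back, so sslproxy_cert_error still decides.

    A helper that silently dropped errors here would override OpenSSL's
    verdict for the whole proxy, which is why an echo helper is the safe
    baseline for testing.
    """
    kind, _, rest = request_line.partition(" ")
    if kind != "cert_validate":
        raise ValueError(f"unexpected request type: {kind!r}")
    length, _, body = rest.partition(" ")
    host, certs, errors = parse_body(body[: int(length)])
    out = []
    for n, err in enumerate(errors):
        out.append(f"error_name_{n}={err['name']}")
        out.append(f"error_reason_{n}=reported by OpenSSL for {host}")
        out.append(f"error_cert_{n}={err['cert']}")
    out.extend(f"{key}={pem}" for key, pem in certs.items())  # chain unchanged
    reply = "\n".join(out) + ("\n" if out else "")
    return f"OK {len(reply)} {reply}"


# Constructed sample request: one expired leaf certificate (PEM body elided).
SAMPLE_BODY = (
    "host=example.test\n"
    "cert_0=-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
    "-----END CERTIFICATE-----\n"
    "error_name_0=X509_V_ERR_CERT_HAS_EXPIRED\nerror_cert_0=cert_0\n"
)
```

Squid is expected to apply sslproxy_cert_error to the echoed errors exactly as it would to the internal OpenSSL results.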
