
List:       squid-users
Subject:    Re: [squid-users] Trust a particular CA only for a limited domain
From:       Alex Rousskov <rousskov () measurement-factory ! com>
Date:       2018-06-26 18:37:27
Message-ID: f8e6b127-3878-d9e1-8e32-ac2483338e68 () measurement-factory ! com

On 06/26/2018 07:22 AM, Ahmad, Sarfaraz wrote:
> I need to provide access to my clients to a service on the internet that
> is using a private CA.
> 
> I do not want to trust that CA outside the scope of that destination
> domain.   (The thought is to not just blindly trust a random CA, rather
> if we have to, we limit it to the particular domain.)
> 
> Can something like this be achieved without toying with Squid's code?


I believe this can be done with a sslcrtvalidator_program helper:

* http://www.squid-cache.org/Doc/config/sslcrtvalidator_program/
* https://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator

Alternatively, you may be able to block (wrong) responses signed by that
CA using an external ACL that is supplied %ssl::>cert_issuer and origin
domain information.

The validator helper approach prevents untrusted HTTP messages from
reaching Squid, but the external ACL approach is easier to implement.


HTH,

Alex.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
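The external ACL approach Alex sketches, written out as an added illustration (this is not code from the thread, from Alex, or from the Squid project). It assumes the private CA has already been added to Squid's trust store so the bumped connection to the service succeeds, and that an external_acl_type line hands the helper the issuer DN named above (%ssl::>cert_issuer) together with the requested domain (assumed here to be %DST); the squid.conf wiring in the docstring, the use of http_reply_access, and the policy table are all assumptions for the example. The helper answers OK for every issuer it does not know about (Squid's normal trust-store check has already decided those) and ERR only when the scoped private CA vouches for a domain outside its allowed set, which is the "block the wrong responses" behaviour described in the reply.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: confine a private CA to one origin domain.

Added example, not from the mailing-list thread or from Squid itself.
Assumed squid.conf wiring (the private CA is already in Squid's trust store):

    external_acl_type ca_scope ttl=60 children-max=4 concurrency=0 \
        %ssl::>cert_issuer %DST /usr/local/bin/ca_scope.py
    acl ca_in_scope external ca_scope
    http_reply_access deny !ca_in_scope

Squid writes one request per line, "<issuer> <domain>", URL-encoded
(quote=url), and expects "OK" or "ERR" back; "BH" reports a helper error.
The issuer is assumed to arrive in OpenSSL's one-line DN form
("/C=US/O=.../CN=...").
"""
import sys
from urllib.parse import unquote

# Constructed policy: issuer DN -> domains it may vouch for (exact or subdomain).
SCOPED_ISSUERS = {
    "/C=US/O=Example Corp/CN=Example Private CA": frozenset({"service.example.com"}),
}


def domain_matches(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed name."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allowed)


def decide(issuer, domain):
    """Return True (OK) unless a scoped issuer signed a cert for an out-of-scope domain.

    Issuers not listed in SCOPED_ISSUERS are left to Squid's normal
    trust-store validation, so the helper answers OK for them.
    """
    allowed = SCOPED_ISSUERS.get(issuer)
    if allowed is None:
        return True
    # Squid sends "-" when a value is unknown; for a scoped CA, fail closed.
    if domain in ("", "-"):
        return False
    return domain_matches(domain, allowed)


def handle_line(line):
    """Parse one helper request line and build the reply Squid expects."""
    fields = line.rstrip("\r\n").split(" ")
    channel = ""
    # With concurrency > 0 Squid prefixes a numeric channel ID that must be
    # echoed back; the DN never starts with a digit, so this is safe to detect.
    if fields and fields[0].isdigit():
        channel = fields[0] + " "
        fields = fields[1:]
    if len(fields) < 2:
        return channel + "BH message=malformed"
    issuer, domain = (unquote(f) for f in fields[:2])
    if decide(issuer, domain):
        return channel + "OK"
    return channel + "ERR message=issuer_out_of_scope"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Note that the match is on the issuer DN string exactly as Squid prints it, so the entry in SCOPED_ISSUERS has to be copied from Squid's own output for that CA, and that a look-alike domain such as evil-service.example.com is rejected because the subdomain test requires a leading dot.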
