Squid configuration directive sslproxy_cert_adapt

Available in: 4, 3.5, 3.4, 3.3


Changes to sslproxy_cert_adapt in Squid-3.3:

New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.

For versions older than 3.3, see the pages linked above.

Configuration Details:

Option Name: sslproxy_cert_adapt
Default Value: none
Suggested Config:

	sslproxy_cert_adapt <adaptation algorithm> acl ...

	The following certificate adaptation algorithms are supported:

		Sets the "Not After" property to the "Not After" property of
		the CA certificate used to sign generated certificates.

		Sets the "Not Before" property to the "Not Before" property of
		the CA certificate used to sign generated certificates.

	   setCommonName or setCommonName{CN}
		Sets Subject.CN property to the host name specified as a
		CN parameter or, if no explicit CN parameter was specified,
		extracted from the CONNECT request. It is a misconfiguration
		to use setCommonName without an explicit parameter for
		intercepted or tproxied SSL connections.

	This clause only supports fast acl types.

	Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
	Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
	corresponding adaptation algorithm to generate the certificate and
	ignores all subsequent sslproxy_cert_adapt options in that algorithm's
	group (i.e., the first match wins within each algorithm group). If no
	acl(s) match, the default mimicking action takes place.

	WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
	be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
	CONNECT request that carries a domain name. In all other cases (CONNECT
	to an IP address or an intercepted SSL connection), Squid cannot detect
	the domain mismatch at certificate generation time when
	bump-server-first is used.
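To make the grouping and first-match-wins rules above concrete, here is an added Python model of the selection logic (not Squid's own code) that also applies the chosen adaptations to a mimicked certificate and rejects the setCommonName misconfiguration on intercepted connections. It assumes simplified certificate property dicts and a pre-evaluated set of matching ACL names; the validity-period algorithm names setValidAfter and setValidBefore are not spelled out on this page and are taken from Squid's configuration reference.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AdaptRule:
    algorithm: str          # e.g. "setCommonName"
    param: Optional[str]    # explicit {CN} parameter, if any
    acls: tuple             # fast ACL names; a leading "!" negates

def parse_rule(line: str) -> AdaptRule:
    """Parse one 'sslproxy_cert_adapt <algorithm>[{param}] acl ...' line."""
    directive, algo, *acls = line.split()
    if directive != "sslproxy_cert_adapt" or not acls:
        raise ValueError("not a valid sslproxy_cert_adapt line: " + line)
    param = None
    if algo.endswith("}") and "{" in algo:
        algo, param = algo[:-1].split("{", 1)
    return AdaptRule(algo, param, tuple(acls))

def acl_matches(name: str, matched: set) -> bool:
    return (name[1:] not in matched) if name.startswith("!") else (name in matched)

def select_rules(rules, matched):
    """Group by algorithm; within a group the first rule whose ACLs all match
    wins and every later rule of that group is ignored."""
    chosen = {}
    for rule in rules:
        if rule.algorithm not in chosen and all(acl_matches(a, matched) for a in rule.acls):
            chosen[rule.algorithm] = rule
    return chosen

def adapt_certificate(server_cert, ca_cert, rules, matched, connect_host=None):
    """Start from a mimicked copy of the server certificate (the default action)
    and apply the selected adaptations; returns the generated cert's properties."""
    cert = dict(server_cert)
    for rule in select_rules(rules, matched).values():
        if rule.algorithm == "setValidAfter":
            cert["notAfter"] = ca_cert["notAfter"]
        elif rule.algorithm == "setValidBefore":
            cert["notBefore"] = ca_cert["notBefore"]
        elif rule.algorithm == "setCommonName":
            cn = rule.param or connect_host
            if cn is None:  # intercepted/tproxied: no CONNECT host to fall back on
                raise ValueError("setCommonName without {CN} on an intercepted connection")
            cert["CN"] = cn
        else:
            raise ValueError("unknown adaptation algorithm: " + rule.algorithm)
    return cert

# Constructed sample configuration, in squid.conf order, plus constructed cert properties.
SAMPLE_CONFIG = [
    "sslproxy_cert_adapt setValidAfter all",
    "sslproxy_cert_adapt setCommonName{broken.example} badcert",
    "sslproxy_cert_adapt setCommonName all",   # ignored whenever badcert matched
]
RULES = [parse_rule(line) for line in SAMPLE_CONFIG]
CA = {"notBefore": "2020-01-01", "notAfter": "2030-01-01", "CN": "Proxy CA"}
SERVER = {"notBefore": "2024-01-01", "notAfter": "2025-01-01", "CN": "www.example.com"}
```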