Squid configuration directive sslproxy_cert_error

Available in: 3.3 3.2 3.1 3.HEAD

History:

Changes in 3.1 sslproxy_cert_error

New Access Control to selectively bypass server certificate validation errors. DEFAULT: None bypassed.

        For example, the following lines will bypass all validation errors
        when talking to servers located at 172.16.0.0/16. All other
        validation errors will result in an ERR_SECURE_CONNECT_FAIL error.

                acl BrokenServersAtTrustedIP dst 172.16.0.0/16
                sslproxy_cert_error allow BrokenServersAtTrustedIP
                sslproxy_cert_error deny all

        This option must use fast ACL expressions only. Expressions that use
        external lookups or communication result in unpredictable behavior or
        crashes.

        Without this option, all server certificate validation errors
        terminate the transaction. Bypassing validation errors is dangerous
        because an error usually implies that the server cannot be trusted and
        the connection may be insecure.
        

Configuration Details:

Option Name: sslproxy_cert_error
Replaces:
Requires: --enable-ssl
Default Value: none
Suggested Config:

	Use this ACL to bypass server certificate validation errors.

	For example, the following lines will bypass all validation errors
	when talking to servers for example.com. All other
	validation errors will result in an ERR_SECURE_CONNECT_FAIL error.

		acl BrokenButTrustedServers dstdomain example.com
		sslproxy_cert_error allow BrokenButTrustedServers
		sslproxy_cert_error deny all

	This clause only supports fast ACL types.
	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
	Using slow ACL types may result in server crashes.

	Without this option, all server certificate validation errors
	terminate the transaction. Bypassing validation errors is dangerous
	because an error usually implies that the server cannot be trusted and
	the connection may be insecure.

	See also: sslproxy_flags and DONT_VERIFY_PEER.

	Default setting:  sslproxy_cert_error deny all
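
One way to audit a configuration against the constraints above, as an added example (not part of the Squid documentation or code base): a small checker that flags sslproxy_cert_error rules that use slow ACL types, allow every server, or do not end with "deny all". The function name, the sample input and the short list of slow ACL types are assumptions made for this example; the wiki page linked above has the full list of slow types.

```python
# Added example: audit sslproxy_cert_error rules in a squid.conf fragment.
# Assumption: non-exhaustive set of slow ACL types (helper or network lookups);
# the Squid wiki page on ACLs has the authoritative list.
SLOW_ACL_TYPES = {"external", "proxy_auth", "proxy_auth_regex",
                  "ident", "ident_regex"}

def audit_cert_error_rules(conf_text):
    """Return (line_number, message) findings for sslproxy_cert_error rules."""
    acl_types = {"all": "src"}   # 'all' is built in and fast
    rules = []                   # (line_number, action, [acl names])
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "acl" and len(words) >= 3:
            acl_types.setdefault(words[1], words[2])
        elif words[0] == "sslproxy_cert_error" and len(words) >= 2:
            rules.append((no, words[1], words[2:]))

    findings = []
    for no, action, names in rules:
        if action not in ("allow", "deny"):
            findings.append((no, f"unknown action '{action}'"))
            continue
        for name in names:
            bare = name.lstrip("!")          # '!' negates an ACL
            kind = acl_types.get(bare)
            if kind is None:
                findings.append((no, f"ACL '{bare}' is not defined"))
            elif kind in SLOW_ACL_TYPES:
                findings.append((no, f"slow ACL '{bare}' ({kind})"))
        if action == "allow" and names == ["all"]:
            findings.append((no, "bypasses validation errors for every server"))
    if rules and rules[-1][1:] != ("deny", ["all"]):
        findings.append((rules[-1][0], "list does not end with 'deny all'"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
acl BrokenButTrustedServers dstdomain example.com
acl AuthedUsers proxy_auth REQUIRED
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error allow AuthedUsers
sslproxy_cert_error allow all
"""

if __name__ == "__main__":
    for line_no, message in audit_cert_error_rules(SAMPLE):
        print(f"line {line_no}: {message}")
```

The suggested configuration shown above (a dstdomain ACL followed by "deny all") produces no findings.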

 
