The ssl-update is mainly of interest when Squid acts as a ssl-gateway.
CONNECT has always been available in Squid and does not really care
the least about about SSL. CONNECT just establishes a tunnel via the
proxy. How this tunnel is used is mainly up to the client and server.
The intention is that CONNECT should be used for tunneling of SSL
connections via a HTTP proxy but it does not enforce that SSL is what
is being tunneled.
The ssl-update allows Squid to both act as a SSL server requesting
client certificates and to act as a SSL client optionally providing
its client certificate to upstream servers.
The parameters you can specify in the https_port directive relates to
the SSL server capability of Squid. If you want Squid to request
certificates you must tell which CAs these may belong to.
The parameters you can specify in the cache_peer directive relates to
the SSL client capabilities while talking to SSL enabled cache peers
such as the https_port of another Squid.
The ssl_proxy_.. directives relates to Squid acting as a SSL client
when requested to retrieve a https://... URL. Note that this is NOT
related to the CONNECT method.
Regards
Henrik
On Friday 13 December 2002 07.39, alp wrote:
> hi,
> i am not sure if i have understood this correctly.
> the ssl-update: is it for ssl-tunneling (via connect method) or
> also for squid acting as a ssl-gateway.
> can i use with the ssl-update (and squid as ssl-gateway) not only
> server certificates on squid but also accepting client
> certificates. or is the update only useful for ssl-tunneling?
>
> moreover: i installed the ssl-patch and saw that a lot of new
> ssl-parameters have been added together with a brief description.
> but is there anywhere a documentation how to use them? e.g.:
> "clientca" in relation to the https_port directive. (how have these
> cas to be used in squid.conf???)
> so it means to me that these client certificates may be used
> together with ssl-gateway functionality!?
>
> in addition, there are a lot new directives (ssl_proxy...). what is
> the difference between these and the above mentioned concerning
> ssl-gateway (cleintca, capath,...)
>
> sorry for all these questions...but thx in advance,
> alp
Received on Fri Dec 13 2002 - 01:06:50 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:04 MST