On 31/08/14 10:36, Eliezer Croitoru wrote:
> Just wondering what have you done to rebuild the cert cache?
>
ssl_crtd is responsible for creating the fake server certs, and it
stores them wherever the squid.conf "sslcrtd_program" directive tells it to
Each fake cert is a file, so I did the following to remove all
boxcdn.net certs
for i in *
do
DD=`openssl x509 -in $i -noout -text|grep -i boxcdn.net`
if [ "$DD" != "" ]; then
rm -f $i
fi
done
...then restart squid. Then going back to such a site will trigger
ssl_crtd to create a new cert - one without the flaw fixed in squid-3.4.7
To "rebuild the cert cache" I guess you could make a note of all the
sites in your cache, delete all the cert files and then use curl via the
proxy to force squid to download the home page of each host - thus
forcing new certs to be created. Of course, anyone using your proxy who
has not installed the proxy CA cert and instead has been relying on
manually providing an override on each fake cert will suddenly find
their apps have broken as the cert has changed, hence my question
regarding how to detect which certs need replacing and only replacing
those ones
-- Cheers Jason Haar Corporate Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1Received on Sat Aug 30 2014 - 23:15:44 MDT
This archive was generated by hypermail 2.2.0 : Sun Aug 31 2014 - 12:00:06 MDT