Squid SSL "accelerator" support

This work aims at providing SSL support for Squid when running as an accelerator.


Progress

2003-04-17 DH support
DH support has been added
2002-12-06 ssl update included in Squid-3
The ssl update patch has been included in Squid-3
2002-11-29 ssl update available
The ssl update patch is now available for both Squid-3 and Squid-2.5. This update includes
  1. Client certificate support
  2. SSL encrypted peers
  3. https:// gatewaying for clients not supporting SSL
  4. Hardware SSL acceleration support
  5. SSL key/certificate now read early in the startup, before changing userid or chroot, allowing the keys to be strongly protected in the filesystem.
  6. And a few minor bugfixes/optimizations
2002-11-20 hardware accelerator support
Gianni Tedesco has contributed the needed glue to support SSL hardware accelerators. The patch can be found on squid-users.
2002-04-06 ssl-nohttp committed to HEAD
ssl-nohttp has been committed to HEAD, allowing Squid to run without any http_port defined.
2001-10-20 Committed to HEAD
The SSL tweaking options and the POST bug fix have been committed to HEAD/2.5
2001-10-19 POST bug fix
Noel Burton-Krahn kindly identified why some SSL requests hang, and even provided an initial patch to address the problem. Based on his findings, a proper fix has been developed.
2001-08-30 SSL tweaking options
A couple of SSL tweaking options have been added to make it possible to work around certain buggy clients. These are the new https_port options "version=", "cipher=" and "options=", and the new directive ssl_unclean_shutdown.
2001-05-04 Committed to HEAD
The support for multiple SSL certificates has been committed to HEAD
2001-04-19 http_port optional
The http_port directive has been made optional (ssl-nohttp branch), to allow SSL-only accelerator configuration.
2001-04-18 Multiple SSL certificates
Support for multiple SSL certificates has been implemented by extending the https_port directive with arguments for key and certificate.
2001-04-14 Committed to HEAD
The basic SSL accelerator support has been committed to HEAD
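The following squid.conf fragment is an added example, not configuration from the Squid project itself: it ties together the SSL-only accelerator setup (no http_port), the per-https_port key and certificate arguments, and the "version=", "cipher=", "options=" and ssl_unclean_shutdown tweaks described in the entries above. The cert=, key= and dhparams= argument names follow the Squid-2.5 https_port syntax and are assumed here; all paths, hostnames and ports are placeholders.

```conf
# Added example (not from the Squid project page): an SSL-only Squid-2.5
# accelerator. cert=, key= and dhparams= are assumed https_port argument
# names; every path, host and port below is a placeholder.

# No http_port at all: after the ssl-nohttp change Squid accepts HTTPS only.
# version=1 lets OpenSSL negotiate automatically, options= disables SSLv2
# and forces a fresh DH key per handshake, cipher= is an OpenSSL cipher list.
https_port 443 cert=/etc/squid/ssl/accel.pem key=/etc/squid/ssl/accel.key version=1 options=NO_SSLv2,SINGLE_DH_USE cipher=HIGH:!aNULL:!MD5 dhparams=/etc/squid/ssl/dh1024.pem

# The key is read before Squid changes userid, so the file can stay owned
# by root with mode 0400 and unreadable to the unprivileged cache user.
cache_effective_user squid

# Leave this off unless a buggy client really hangs on a proper SSL
# close_notify: with it on, a truncated response is indistinguishable
# from a complete one for the client.
ssl_unclean_shutdown off

# Accelerator settings: hand the decrypted requests to the origin server.
httpd_accel_host origin.example.internal
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy off
```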

To-Do list

Ephemeral RSA keys support
To support certain export restrictions where the certificate RSA key may only be used for signing, support for ephemeral RSA keys needs to be added.
DSA keys
Need to add some glue to support DSA keys
SSL session cache tuning
There is need for options controlling the SSL session cache size. Maybe also interesting with support for an external (on-disk) SSL session cache, but with today's memory prices I am not convinced about this.
SSL renegotiation when required by acl processing
Support delayed negotiation of a client certificate until required by acl processing, similar to how proxy_auth works.
CRL processing
The upcoming OpenSSL 0.9.7 includes CRL processing functions that we can probably make use of. (Earlier versions of OpenSSL do not include CRL processing.)
Outgoing session reuse
Session reuse is not yet implemented for SSL connections Squid initiates to peers or origin servers.
OCSP processing
OCSP is starting to supersede CRL in certificate verification and revocation checks. OpenSSL seems to have OCSP support in the current versions, but as for CRL processing some glue is needed in Squid to make use of the feature.

$Id: index.html,v 1.25 2003/08/08 07:25:13 hno Exp $