--------------------- PatchSet 6097 Date: 2007/11/06 18:17:24 Author: rousskov Branch: ssl-bump Tag: (none) Log: Removed DEFAULT_IF_NONE from sslproxy_cert_error because it creates an ACL which we do not need by default. Polished sslproxy_cert_error-related documentation. Members: src/cf.data.pre:1.157.2.3->1.157.2.4 Index: squid3/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid3/src/cf.data.pre,v retrieving revision 1.157.2.3 retrieving revision 1.157.2.4 diff -u -r1.157.2.3 -r1.157.2.4 --- squid3/src/cf.data.pre 6 Nov 2007 16:01:04 -0000 1.157.2.3 +++ squid3/src/cf.data.pre 6 Nov 2007 18:17:24 -0000 1.157.2.4 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.157.2.3 2007/11/06 16:01:04 rousskov Exp $ +# $Id: cf.data.pre,v 1.157.2.4 2007/11/06 18:17:24 rousskov Exp $ # # SQUID Web Proxy Cache http://www.squid-cache.org/ # ---------------------------------------------------------- @@ -1222,8 +1222,8 @@ TYPE: string DOC_START Various flags modifying the use of SSL while proxying https:// URLs: - DONT_VERIFY_PEER Accept certificates even if they fail to - verify. + DONT_VERIFY_PEER Accept certificates that fail verification. + For refined control, see sslproxy_cert_error. NO_DEFAULT_CA Don't use the default CA list built in to OpenSSL. DOC_END 
@@ -1232,23 +1232,27 @@ NAME: sslproxy_cert_error IFDEF: USE_SSL DEFAULT: none -DEFAULT_IF_NONE: deny all LOC: Config.ssl_client.cert_error TYPE: acl_access DOC_START Use this ACL to bypass server certificate validation errors. - For example: + + For example, the following lines will bypass all validation errors + when talking to servers located at 172.16.0.0/16. All other + validation errors will result in ERR_SECURE_CONNECT_FAIL error. acl BrokenServersAtTrustedIP dst 172.16.0.0/16 sslproxy_cert_error allow BrokenServersAtTrustedIP sslproxy_cert_error deny all - This option must only use fast (a.k.a., blocking) ACL expressions. - - By default, all server certificate validation errors terminate the - transaction. Bypassing most validation errors is dangerous because an - error usually implies that the server cannot be trusted and the - connection may be insecure. + This option must use fast ACL expressions only. Expressions that use + external lookups or communication result in unpredictable behavior or + crashes. + + Without this option, all server certificate validation errors + terminate the transaction. Bypassing validation errors is dangerous + because an error usually implies that the server cannot be trusted and + the connection may be insecure. See also: sslproxy_flags and DONT_VERIFY_PEER.
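Review bot: In the sslproxy_flags hunk, the new DONT_VERIFY_PEER text points at sslproxy_cert_error for "refined control" but does not say how the two interact when both are configured, i.e. whether DONT_VERIFY_PEER accepts every failing certificate before the sslproxy_cert_error list is consulted, or whether the access list still runs. Since the next hunk says that without sslproxy_cert_error "all server certificate validation errors terminate the transaction", one sentence here stating the precedence (for example "When DONT_VERIFY_PEER is set, sslproxy_cert_error is not consulted", if that is the behaviour) would remove the ambiguity.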
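Review bot: In the sslproxy_cert_error hunk, removing `DEFAULT_IF_NONE: deny all` leaves a documentation gap: the new paragraph "Without this option, all server certificate validation errors terminate the transaction" covers the directive being absent, but not a configured list in which no rule matches (the example avoids this by ending with `sslproxy_cert_error deny all`). Please add a sentence stating what happens in that case, or say explicitly that the list should end with `deny all` as in the example. The same hunk warns that only fast ACL expressions may be used and that "external lookups or communication result in unpredictable behavior or crashes", yet the example relies on `dst`; it would help to confirm in the text that `dst` is safe here and, if possible, name which ACL types are not. Minor grammar: "will result in ERR_SECURE_CONNECT_FAIL error" should read "will result in an ERR_SECURE_CONNECT_FAIL error".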