On 31/08/14 10:36, Eliezer Croitoru wrote:
> Just wondering what have you done to rebuild the cert cache?
>
ssl_crtd is responsible for creating the fake server certs, and it
stores them wherever the squid.conf "sslcrtd_program" directive tells it to.

Each fake cert is a file, so I did the following to remove all
boxcdn.net certs:

# run from inside the directory ssl_crtd keeps its cert files in
for i in *
do
  # the text dump lists the subject CN and the subjectAltName entries,
  # so grep catches both the bare domain and any *.boxcdn.net wildcard
  if openssl x509 -in "$i" -noout -text | grep -qi boxcdn.net; then
    rm -f "$i"
  fi
done

...then restart squid. Then going back to such a site will trigger
ssl_crtd to create a new cert - one without the flaw fixed in squid-3.4.7.

To "rebuild the cert cache" I guess you could make a note of all the
sites in your cache, delete all the cert files and then use curl via the
proxy to force squid to download the home page of each host - thus
forcing new certs to be created. Of course, anyone using your proxy who
has not installed the proxy CA cert and instead has been relying on
manually providing an override on each fake cert will suddenly find
their apps have broken as the cert has changed, hence my question
regarding how to detect which certs need replacing and only replacing
those ones.


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

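The selective approach Jason describes (prune only the certs that name one domain, restart squid, then fetch each affected host through the proxy so ssl_crtd mints replacements) as a complete script. This is an added example, not Jason's code and not part of Squid or ssl_crtd. It assumes one PEM file per fake cert in CERT_DIR (the directory the sslcrtd_program -s argument points at), squid listening at PROXY, and the proxy CA cert at PROXY_CA so curl will accept the newly minted cert; all three values are placeholders. The parsing of the openssl text dump is isolated in cert_text and hosts_from_text so the selection logic can be exercised on constructed cert text without a live cache.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project): remove only the
# ssl_crtd fake certs that name a given domain, record the affected hosts,
# and after a squid restart re-fetch each host via the proxy so ssl_crtd
# creates a fresh cert. CERT_DIR, PROXY and PROXY_CA are assumed values.

CERT_DIR="${CERT_DIR:-/var/lib/ssl_db/certs}"      # placeholder path
PROXY="${PROXY:-http://127.0.0.1:3128}"             # placeholder proxy
PROXY_CA="${PROXY_CA:-/etc/squid/proxy-ca.pem}"     # placeholder CA file

# cert_text FILE: text dump of one cert, as the thread's loop uses it.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# hosts_from_text: read a cert text dump on stdin, print every DNS name it
# carries (subject CN plus subjectAltName DNS entries), one per line.
hosts_from_text() {
    sed -n \
        -e 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' \
        -e '/^ *DNS:/p' |
    tr ',' '\n' |
    sed -e 's/^ *//' -e 's/^DNS://' -e '/^IP Address:/d' -e '/^$/d' |
    LC_ALL=C sort -u
}

# name_in_domain NAME DOMAIN: true when NAME is DOMAIN or any name under it,
# so "*.boxcdn.net" and "cdn01.boxcdn.net" both count for "boxcdn.net".
name_in_domain() {
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$n" in
        "$d" | *".$d") return 0 ;;
    esac
    return 1
}

# cert_names_in_domain FILE DOMAIN: print the cert's names under DOMAIN;
# returns 1 (and prints nothing) when the cert is unrelated to DOMAIN.
cert_names_in_domain() {
    found=1
    for n in $(cert_text "$1" 2>/dev/null | hosts_from_text); do
        if name_in_domain "$n" "$2"; then
            printf '%s\n' "$n"
            found=0
        fi
    done
    return $found
}

# prune DOMAIN LISTFILE: delete every cert file naming DOMAIN and write the
# affected host names to LISTFILE (the "note of all the sites" for step two).
prune() {
    domain=$1
    listfile=$2
    : > "$listfile"
    for f in "$CERT_DIR"/*; do
        [ -f "$f" ] || continue
        names=$(cert_names_in_domain "$f" "$domain") || continue
        printf 'removing %s (%s)\n' "$f" "$(printf '%s' "$names" | tr '\n' ' ')"
        rm -f -- "$f"
        printf '%s\n' "$names" >> "$listfile"
    done
    LC_ALL=C sort -u -o "$listfile" "$listfile"
}

# refresh LISTFILE: run after squid has been restarted; fetch each host's
# home page through the proxy so ssl_crtd mints a replacement cert.
refresh() {
    listfile=$1
    while IFS= read -r h; do
        case "$h" in ''|'*'*) continue ;; esac   # skip blanks and wildcards
        if curl -sS -o /dev/null --proxy "$PROXY" --cacert "$PROXY_CA" "https://$h/"; then
            printf 'refreshed %s\n' "$h"
        else
            printf 'warning: fetch of https://%s/ failed\n' "$h" >&2
        fi
    done < "$listfile"
}

# usage: sh prune-certs.sh prune boxcdn.net [listfile]
#        (restart squid)
#        sh prune-certs.sh refresh [listfile]
case "${1:-}" in
    prune)   prune "${2:?domain required}" "${3:-/tmp/pruned-hosts.txt}" ;;
    refresh) refresh "${2:-/tmp/pruned-hosts.txt}" ;;
esac
```

Two details worth noting: wildcard names such as *.boxcdn.net are recorded so you can see what was removed but are skipped by refresh, since they are not hosts you can connect to, and curl needs the proxy CA via --cacert because the cert it is shown on the bumped connection is the freshly minted fake one, which is exactly what the second step is meant to produce.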