On 2025-09-16 09:49, Michal Rybarik wrote:
> I’ve created several patches to improve dynamic SSL certificate
> generation for modern browser compatibility. The patches are for Squid
> 4, but most should also apply to Squid 5 and 6. Would you be interested
> in reviewing and possibly merging them (with adjustments if needed)?

Yes, especially if they are posted as well-tested minimal pull requests
(i.e. one change/feature per PR) against the current master branch on
GitHub. Some of the changes you mentioned may have been implemented
recently (e.g., commit 22b2a7a0 deals with IP-based SANs).

For general notes about Squid pull requests, please see
https://wiki.squid-cache.org/MergeProcedure#pull-request

Thank you,

Alex.

> Main improvements:
>
> - Correct generation of certificates mimicked from self-signed certs
>   (use |CA:FALSE| instead of |CA:TRUE|).
> - Add SAN when missing (derived from CN), as modern browsers require SAN.
> - Proper generation of certificates for IP addresses.
> - Improved setCommonName functionality, so valid certificates for DNS/IP
>   are generated in intercept/tproxy modes too.
>
> Thank you again, and I wish you all the best.
>
> --
> Regards,
> Michal Rybarik
_______________________________________________
squid-dev mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-dev
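
An added illustration of the extension handling listed in the message above; it is not Squid's code and is not taken from the patches or from commit 22b2a7a0. The function names, the dict representation of extensions, and the rule that a CN which is neither an IP address nor a valid hostname yields no SAN are assumptions made for this sketch.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def san_from_cn(cn):
    """Map a subject CN to an OpenSSL-style SAN entry, or None if unusable."""
    host = cn.strip()
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]  # bracketed IPv6 literal
    try:
        # IP literals must become IP-type SAN entries, not DNS-type ones.
        return "IP:" + str(ipaddress.ip_address(host))
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if labels[0] == "*" and len(labels) > 2:
        labels = labels[1:]  # accept a single leading wildcard label
    if len(host) <= 253 and all(_LABEL.match(label) for label in labels):
        return "DNS:" + host
    return None  # e.g. a descriptive CN such as a device name (assumed rule)


def mimic_extensions(origin_cn, origin_ext):
    """Extensions for a generated leaf certificate that mimics an origin cert.

    origin_ext is a hypothetical dict of extension name -> value string.
    """
    ext = dict(origin_ext)
    # A self-signed origin cert often says CA:TRUE; the generated cert is a
    # leaf signed by the proxy CA, so it must not claim to be a CA itself.
    ext["basicConstraints"] = "CA:FALSE"
    # Keep an existing SAN; otherwise derive one from the CN when possible.
    if not ext.get("subjectAltName"):
        entry = san_from_cn(origin_cn)
        if entry:
            ext["subjectAltName"] = entry
    return ext


if __name__ == "__main__":
    # Constructed sample inputs.
    print(mimic_extensions("192.0.2.10", {"basicConstraints": "CA:TRUE"}))
    print(mimic_extensions("[2001:DB8::1]", {}))
    print(mimic_extensions("Acme Router Admin", {"basicConstraints": "CA:TRUE"}))
```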