If there is no objection, I will commit this patch plus the "cert validation cache" patches to trunk.
On 11/14/2012 01:59 PM, Tsantilas Christos wrote:
> This patch implements the certificate validation helper interface
> described at:
> http://wiki.squid-cache.org/Features/SslServerCertValidator
>
> The helper is consulted after the internal OpenSSL validation, regardless
> of the validation results. The helper will receive:
>
> 1) the origin server certificate [chain],
> 2) the intended domain name, and
> 3) a list of OpenSSL validation errors (if any).
>
> If the helper decides to honor an OpenSSL error or report another
> validation error(s), the helper will return
> 1) a list of certificates
> 2) a list of items consisting of the validation error name (see %err_name
> error page macro and %err_details logformat code), error reason
> (%ssl_lib_error macro), and the offending certificate
>
> The exact helper message format is described here:
>
> http://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
>
> The returned information mimics what the internal OpenSSL-based
> validation code collects now. Returned errors, if any, are fed to
> sslproxy_cert_error, triggering the existing SSL error processing code.
>
> The helper invocation is controlled by the "sslcrtvalidator_program" and
> "sslcrtvalidator_children" configuration options, which are similar to
> the ssl_crtd related options.
>
> A simple testing cert validation helper developed in perl is included in
> this patch. This helper just echoes back the certificate errors.
>
> This is a Measurement Factory Project
