On 13/07/18 08:27, Eliezer Croitoru wrote: > Alex, > > Just to be sure: > Every RSA key and certificate pair regardless to the origin server and the > SSL-BUMP enabled proxy can be different. > If the key would be the exact same one then we will probably have a very big > security issue/risk to my understanding (leaving aside DH). > > Will it be more accurate to say that just as long as these 200 squid > instances(different squid.conf and couple other local variables) > use the same exact ssl_db cache directory then it's probable that they will > use the same certificate. > Or these 200 squid instances are in SMP mode with 200 workers... > If these 200 instances do not share memory and certificate cache then there > is a possibility that the same site from two different sources > will serve different certificates(due to the different RSA key which is > different). >
Instances (in terms of how we defined the term "Squid instance") cannot share memory. They are completely separate processes. Even when in SMP-aware operation, they are separate process groups. That is why you have to use the -n name command line parameter to direct signals at specific instances. In regards to the certs. The generating of a fake cert is a hard-coded algorithm - using the inputs Alex mentioned. The only way differences occur between any two Squid fake certs is when the real origin server cert given to each of them is different. In that case you *do* absolutely want the fake ones to differ as well - even (and especially) when they come from the same origin server. Think of Squid as copy-n-pasting cert field values from the origin cert to the fake cert. You wont be far off whats really happening. Amos _______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
