This patch implements the certificate validation helper interface
described at:
http://wiki.squid-cache.org/Features/SslServerCertValidator
The helper is consulted after the internal OpenSSL validation, regardless
of the validation results. The helper will receive:
1) the origin server certificate [chain],
2) the intended domain name, and
3) a list of OpenSSL validation errors (if any).
If the helper decides to honor an OpenSSL error or report another
validation error(s), the helper will return:
1) a list of certificates, and
2) a list of items consisting of the validation error name (see the %err_name
error page macro and the %err_details logformat code), the error reason
(%ssl_lib_error macro), and the offending certificate.
The exact helper message format is described here:
http://wiki.squid-cache.org/Features/AddonHelpers#SSL_server_certificate_validator
The returned information mimics what the internal OpenSSL-based
validation code collects now. Returned errors, if any, are fed to
sslproxy_cert_error, triggering the existing SSL error processing code.
The helper invocation is controlled by the "sslcrtvalidator_program" and
"sslcrtvalidator_children" configuration options, which are similar to
the ssl_crtd related options.
A simple testing cert validation helper developed in Perl is included in
this patch. This helper just echoes back the certificate errors.
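The following is an added illustration of the helper role described above (receive the server certificate chain, the intended domain name and the OpenSSL error list; return the certificates plus the error items the helper chooses to report). It is not the Perl helper shipped with this patch and not Squid code. The key=value request/response line format, the sample request and the HELPER_NO_CERTIFICATE error name are all constructed for the example; the real wire format is the one documented on the AddonHelpers wiki page linked above.

```python
# Toy certificate validator helper modelled on the patch description.
# CONSTRUCTED line format (not Squid's real helper protocol):
#   request:  host=<name>, cert_N=<PEM block>, error_name_N=<name>, error_cert_N=<cert index>
#   response: "OK" followed by error_name_N / error_reason_N / error_cert_N lines
import sys


def parse_request(text):
    """Parse a constructed request into (host, certs, errors).

    certs is a list of PEM strings in cert_0.. order (cert_0 is the origin
    server certificate); errors is a list of (error_name, cert_index)."""
    host, certs, errors = None, {}, {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        key, _, value = lines[i].partition("=")
        if key == "host":
            host = value
        elif key.startswith("cert_"):
            # A PEM block spans several lines; collect up to its END marker.
            pem = [value]
            while not pem[-1].startswith("-----END CERTIFICATE-----"):
                i += 1
                pem.append(lines[i])
            certs[int(key[len("cert_"):])] = "\n".join(pem)
        elif key.startswith("error_name_"):
            errors.setdefault(int(key[len("error_name_"):]), {})["name"] = value
        elif key.startswith("error_cert_"):
            errors.setdefault(int(key[len("error_cert_"):]), {})["cert"] = int(value)
        i += 1
    cert_list = [certs[k] for k in sorted(certs)]
    err_list = [(errors[k]["name"], errors[k]["cert"]) for k in sorted(errors)]
    return host, cert_list, err_list


def validate(host, certs, openssl_errors, ignored=frozenset()):
    """Decide which errors to report back to Squid.

    Default behaviour echoes every OpenSSL error (like the patch's Perl test
    helper). Errors listed in `ignored` are suppressed, and a request without
    any certificate is reported as an additional helper-detected error
    (HELPER_NO_CERTIFICATE is a constructed name, not an OpenSSL one)."""
    reported = []
    for name, idx in openssl_errors:
        if name in ignored:
            continue
        reported.append({"name": name, "reason": "reported by OpenSSL validation", "cert": idx})
    if not certs:
        reported.append({"name": "HELPER_NO_CERTIFICATE",
                         "reason": "no certificate supplied for %s" % host, "cert": 0})
    return reported


def format_response(reported):
    """Serialise the reported error items in the constructed response format."""
    lines = ["OK"]
    for i, item in enumerate(reported):
        lines.append("error_name_%d=%s" % (i, item["name"]))
        lines.append("error_reason_%d=%s" % (i, item["reason"]))
        lines.append("error_cert_%d=%d" % (i, item["cert"]))
    return "\n".join(lines) + "\n"


def handle(text, ignored=frozenset()):
    """Full request -> response round trip for one validation request."""
    host, certs, errors = parse_request(text)
    return format_response(validate(host, certs, errors, ignored))


# Constructed sample request; the PEM body is a placeholder, not a real certificate.
SAMPLE_REQUEST = """host=example.test
cert_0=-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64NOTAREALCERT
-----END CERTIFICATE-----
error_name_0=X509_V_ERR_CERT_HAS_EXPIRED
error_cert_0=0
error_name_1=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
error_cert_1=0
"""

if __name__ == "__main__":
    # Read one request from stdin and answer on stdout, helper style.
    data = sys.stdin.read() or SAMPLE_REQUEST
    sys.stdout.write(handle(data))
```

Run without input it answers the embedded sample; pipe a request in to exercise the parser. The `ignored` set is where a deployment-specific policy decision lives; everything not explicitly suppressed is echoed back so that Squid's existing sslproxy_cert_error processing still sees it.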
This is a Measurement Factory Project