git.ipfire.org Git - thirdparty/squid.git/commit

sslproxy_cert_sign_hash configuration option

Browser vendors will get rid of SSL certificates that use SHA-1 to generate
the hash that is then signed by the CA. For example, Google Chrome will start
to show an "insecure" sign for certificates that are valid after 1.1.2016 and
will generate a warning page for certificates that are valid after 1.1.2017 [1],
[2],[4]. Microsoft will block certificates with SHA-1 after 1.1.2017 [3].

This patch:
  1) Add a new configuration option to select the signing hash for
     generated certificates: sslproxy_cert_sign_hash.

  2) If sslproxy_cert_sign_hash is not set, then use the sha256 hash.

[1] https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/2-R4XziFc7A/YO0ZSrX_X4wJ
[2] https://code.google.com/p/chromium/issues/detail?id=401365
[3] http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
[4] http://googleonlinesecurity.blogspot.ch/2014/09/gradually-sunsetting-sha-1.html

This is a Measurement Factory project

author	Christos Tsantilas <chtsanti@users.sourceforge.net>
	Tue, 7 Oct 2014 14:11:12 +0000 (17:11 +0300)
committer	Christos Tsantilas <chtsanti@users.sourceforge.net>
	Tue, 7 Oct 2014 14:11:12 +0000 (17:11 +0300)
commit	3c26b00aa3a2d8b515af363d289113d5f4726049
tree	da005c4ed67f23e36059aa5e7b1cdd0f484d96ca	tree \| snapshot
parent	0796f998e4085aa9261a21ac33aa1607eee12b2d	commit \| diff

src/SquidConfig.h		diff \| blob \| blame \| history
src/cf.data.pre		diff \| blob \| blame \| history
src/client_side.cc		diff \| blob \| blame \| history
src/ssl/crtd_message.cc		diff \| blob \| blame \| history
src/ssl/crtd_message.h		diff \| blob \| blame \| history
src/ssl/gadgets.cc		diff \| blob \| blame \| history
src/ssl/gadgets.h		diff \| blob \| blame \| history
src/ssl/ssl_crtd.cc		diff \| blob \| blame \| history
src/ssl/support.cc		diff \| blob \| blame \| history
src/ssl/support.h		diff \| blob \| blame \| history