From: Christos Tsantilas
Date: Tue, 4 Dec 2012 14:29:02 +0000 (+0200)
Subject: SSL server certificate validator implementation
X-Git-Tag: SQUID_3_4_0_1~460
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2dd8e4f45d627e672d33edaffa9fe7770060498;p=thirdparty%2Fsquid.git

SSL server certificate validator implementation

This patch implements the certificate validation helper interface described at:
http://wiki.squid-cache.org/Features/SslServerCertValidator

The helper is consulted after the internal OpenSSL validation, regardless of the validation results. The helper will receive:
1) the origin server certificate [chain],
2) the intended domain name, and
3) a list of OpenSSL validation errors (if any).

If the helper decides to honor an OpenSSL error or report other validation error(s), the helper will return:
1) A list of certificates.
2) A list of items consisting of the validation error name (see %err_name error page macro and %err_details logformat code), error reason (%ssl_lib_error macro), and the offending certificate.

The returned information mimics what the internal OpenSSL-based validation code collects now. Returned errors, if any, are fed to sslproxy_cert_error, triggering the existing SSL error processing code.

The helper invocation is controlled by the "sslcrtvalidator_program" and "sslcrtvalidator_children" configuration options, which are similar to the ssl_crtd related options.

A simple testing cert validation helper developed in Perl is included in this patch. This helper just echoes back the certificate errors.

This is a Measurement Factory Project
---
d2dd8e4f45d627e672d33edaffa9fe7770060498
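The exchange the commit message describes (chain + intended host + OpenSSL errors in, certificates + error items out), shown as an added echo-back helper in Python. This is example code, not Squid's Perl helper or its C++ validator code; the key=value request/reply layout, the `OK`/`ERR` status words and the `error_reason` text are assumptions made for illustration, since the real wire format is specified on the wiki page linked above rather than on this page. The sample request and its PEM bodies are constructed placeholders, not real certificates.

```python
"""Echo-back SSL certificate validator helper (added example, not Squid's code).

Assumed request body: key=value lines with host=, cert_N=<PEM block>,
error_name_N=<OpenSSL error name>, error_cert_N=<cert_N that caused it>.
Assumed reply: "OK <len> " with an empty body when nothing is reported, else
"ERR <len> <body>" where the body lists error_name_N/error_reason_N/error_cert_N.
"""
import re
from dataclasses import dataclass, field

PEM_END = "-----END CERTIFICATE-----"


@dataclass
class ValidationRequest:
    host: str = ""
    certs: dict = field(default_factory=dict)   # "cert_0" -> PEM text (chain order)
    errors: list = field(default_factory=list)  # (error_name, offending cert name)


def parse_request(body):
    """Parse the assumed key=value request into host, chain and OpenSSL errors.

    A security-relevant check the echo helper must not skip: every error must
    point at a certificate that was actually supplied, otherwise the returned
    "offending certificate" would be meaningless to the error page logic."""
    req = ValidationRequest()
    lines = body.splitlines()
    names, offenders = {}, {}
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        if key == "host":
            req.host = value
        elif re.fullmatch(r"cert_\d+", key):
            pem = [value]                       # PEM spans lines until the END marker
            while pem[-1].strip() != PEM_END:
                if i >= len(lines):
                    raise ValueError(f"unterminated PEM block for {key}")
                pem.append(lines[i])
                i += 1
            req.certs[key] = "\n".join(pem)
        elif m := re.fullmatch(r"error_name_(\d+)", key):
            names[int(m.group(1))] = value
        elif m := re.fullmatch(r"error_cert_(\d+)", key):
            offenders[int(m.group(1))] = value
        else:
            raise ValueError(f"unknown key {key!r}")
    for idx in sorted(names):
        cert = offenders.get(idx)
        if cert is None or cert not in req.certs:
            raise ValueError(f"error {idx} does not name a supplied certificate")
        req.errors.append((names[idx], cert))
    if not req.host or "cert_0" not in req.certs:
        raise ValueError("request must carry host= and at least cert_0=")
    return req


def echo_errors(req):
    """Behave like the commit's test helper: honour every OpenSSL error as-is,
    attaching a reason string (assumed wording) and the offending certificate."""
    return [(name, f"{name} (echoed for {req.host})", cert)
            for name, cert in req.errors]


def format_reply(errors):
    """Build the assumed reply: OK with an empty body, or ERR plus the error items."""
    body = "".join(
        f"error_name_{i}={name}\nerror_reason_{i}={reason}\nerror_cert_{i}={cert}\n"
        for i, (name, reason, cert) in enumerate(errors))
    status = "ERR" if errors else "OK"
    return f"{status} {len(body)} {body}"


# Constructed sample request; the PEM bodies are placeholders, not real certificates.
SAMPLE_REQUEST = """host=www.example.com
cert_0=-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertificate
-----END CERTIFICATE-----
cert_1=-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate
-----END CERTIFICATE-----
error_name_0=X509_V_ERR_CERT_HAS_EXPIRED
error_cert_0=cert_0
"""

if __name__ == "__main__":
    request = parse_request(SAMPLE_REQUEST)
    print(format_reply(echo_errors(request)))
```

Because the helper runs after OpenSSL and its answer is fed straight into sslproxy_cert_error, a helper that silently dropped errors would turn into a TLS-interception bypass; this echo version keeps every error and refuses requests whose error items reference a certificate not in the supplied chain.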