Bug #7871

Add squid validation for selected CA when MITM is enabled

Added by Kill Bill 6 months ago. Updated 5 months ago.

Obviously, this needs to be a CA we have a private key to so that it can issue certificates on the fly to prevent PEBKAC cases such as [1]. The current validation does not check this. [2]

@jimp: Any chance you can hack a quick check for this? Otherwise please re-assign to myself and I'll dig into it later, not exactly something I'd be familiar with. The other relevant code is here [3] - so it basically adds the required bits to squid.conf if we can get the private key, if not, it results in broken config as in [1]. I guess there's no need to touch that once the validation is in place though.



#1 Updated by Kill Bill 6 months ago

P.S. There's that's been sitting there for about a month, would be nice to get both done at the same time.

#2 Updated by Jim Pingle 5 months ago

  • Status changed from New to Feedback
  • Target version deleted (2.4.1)

OK I added two different sets of protection:

1. Input validation to warn if a user selected a CA without a private key
2. I changed it so the CA list does not include entries without a private key

I added #1 in case somehow the user manages to submit the form with an old/invalid setting, but really #2 should make #1 unnecessary. Since it impacts squid so severely, I felt both were warranted.

Removing target version since this is a package and not tied to a specific release.
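
The two protections described in the comment above, sketched as an added example that is not part of the original thread and not the package's own code. The field names (`mitm_enabled`, `ca_refid`, `refid`, `prv`), the base64-wrapped PEM storage format, and the sample CA store are assumptions made for illustration.

```python
import base64
import binascii
import re

# Armor line of an unencrypted PEM private key (PKCS#8, RSA or EC).
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def has_private_key(ca):
    """True if the CA entry carries a base64-wrapped PEM private key."""
    blob = ca.get("prv") or ""
    try:
        pem = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return bool(PEM_KEY.search(pem))

def usable_cas(store):
    """Protection 2: only offer CAs that can issue certificates on the fly."""
    return [ca for ca in store if has_private_key(ca)]

def validate_mitm(post, store):
    """Protection 1: re-check the submitted CA on save, in case a stale
    or hand-edited value bypasses the filtered drop-down."""
    errors = []
    if post.get("mitm_enabled") != "on":
        return errors  # MITM disabled, the CA selection is not used
    refid = post.get("ca_refid", "none")
    by_id = {ca["refid"]: ca for ca in store}
    if refid == "none":
        errors.append("MITM mode requires a CA to be selected.")
    elif refid not in by_id:
        errors.append("The selected CA does not exist.")
    elif not has_private_key(by_id[refid]):
        errors.append("The selected CA has no private key and cannot issue certificates.")
    return errors

def _wrap(pem):
    return base64.b64encode(pem.encode("ascii")).decode("ascii")

# Constructed sample store: placeholder bodies, not real key material.
STORE = [
    {"refid": "ca-internal", "descr": "Internal CA (constructed)",
     "prv": _wrap("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")},
    {"refid": "ca-imported", "descr": "Imported CA, certificate only (constructed)",
     "prv": ""},
]
```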

#3 Updated by Kill Bill 5 months ago

Looks good here, only usable CAs are being offered in the Squid GUI with 0.4.42. Thanks!

#4 Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Resolved

Great, thanks for testing!
