Hello,

is there a plan for implementing CRL checking in Squid?

Regards,
David

[ Post a follow-up to this message ]

=20
>=20
> Hello,
>=20
> is there a plan for implementing CRL checking in Squid?
>=20
=20
What is 'CRL' ?

M.

[ Post a follow-up to this message ]

CRL stands for "Certificate Revocation List (CRL) Management". Using this
list you can check whether some certificate is revoked.

> -----Original Message-----
> From: Elsen Marc [mailto:elsen@imec.be]
> Sent: Thursday, April 29, 2004 11:03 AM
> To: David Hajek; squid-users@squid-cache.org
> Subject: RE: [squid-users] CRL status in squid
>
>
> 
>
>  What is 'CRL' ?
>
>  M.
>

[ Post a follow-up to this message ]

On Thu, 29 Apr 2004, David Hajek wrote:

> is there a plan for implementing CRL checking in Squid?

Yes, when there is a paying customer requiring the feature.

Regards
Henrik

[ Post a follow-up to this message ]

Hm. Seems strange to me. Can't believe that anyone from opensource world
don't use certificate authentication.


-D

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Thursday, April 29, 2004 12:14 PM
> To: David Hajek
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] CRL status in squid
>
> On Thu, 29 Apr 2004, David Hajek wrote:
> 
>
> Yes, when there is a paying customer requiring the feature.
>
> Regards
> Henrik
>
>

[ Post a follow-up to this message ]

On Thu, 29 Apr 2004, David Hajek wrote:

> Hm. Seems strange to me. Can't believe that anyone from opensource world
> don't use certificate authentication.

I developed the simple client certificate authentication you can find in
Squid-3.0 as a prototype for a customer investigating the use of client
certificates, they however concluded that password authentication was
sufficient for now and CRL never got implemented.

As in all other Open Source projects the bulk of the Squid development is
driven by people having needs and making sure their needs is fulfilled.
This is how the Open Source world works.

The main difference from proprietary software is that you have the choice
to see things implemented and are not locked down by the product plan of
the provider.

In Free Software (which Squid classifies as, together with any other GPL
software) there is also some restrictions in how modifications may be done
if not done direcly by the end-user to guarantee that a Open Source
provider does not lock down his customers.

You can find more information about the history and status of the SSL
support in Squid at http://devel.squid-cache.org/ssl/

Regards
Henrik

[ Post a follow-up to this message ]

Thanks for the answer. I think I have to choose from one of these: ;)

1/ write a CRL patch myself
2/ become a paying customer
3/ explore newest stunnel, which seems to have CRL checking implemented

-D

> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Thursday, April 29, 2004 4:49 PM
> To: David Hajek
> Cc: squid-users@squid-cache.org
> Subject: RE: [squid-users] CRL status in squid
>
> On Thu, 29 Apr 2004, David Hajek wrote:
> 
>
> I developed the simple client certificate authentication you
> can find in Squid-3.0 as a prototype for a customer
> investigating the use of client certificates, they however
> concluded that password authentication was sufficient for now
> and CRL never got implemented.
>
> As in all other Open Source projects the bulk of the Squid
> development is driven by people having needs and making sure
> their needs is fulfilled.
> This is how the Open Source world works.
>
> The main difference from proprietary software is that you
> have the choice to see things implemented and are not locked
> down by the product plan of the provider.
>
> In Free Software (which Squid classifies as, together with
> any other GPL
> software) there is also some restrictions in how
> modifications may be done if not done direcly by the end-user
> to guarantee that a Open Source provider does not lock down
> his customers.
>
> You can find more information about the history and status of
> the SSL support in Squid at http://devel.squid-cache.org/ssl/
>
> Regards
> Henrik
>
>

[ Post a follow-up to this message ]

On Thu, 29 Apr 2004, David Hajek wrote:

> Thanks for the answer. I think I have to choose from one of these: ;)
>
> 1/ write a CRL patch myself
> 2/ become a paying customer
> 3/ explore newest stunnel, which seems to have CRL checking implemented

Or

4/ Wait for some one else to have a CRL patch to Squid developed and
published.


Drawback of '4' is that you do not know when this will happen, only that
it quite likely will happen at some time in the future as you probably is
not the only one interested in client certificate support and CRL
processing in Squid.

What I do know is that I am not likely to implement CRL processing on my
spare time just for the fun of it, but you never know...

Regards
Henrik

[ Post a follow-up to this message ]