Squid SSL "accelerator" support

This work aims at providing SSL support for Squid when running as an accelerator.


2003-04-17 DH support
DH support has been added
2002-12-06 ssl update included in Squid-3
The ssl update patch has been included in Squid-3
2002-11-29 ssl update available
The ssl update patch is now available for both Squid-3 and Squid-2.5. This update includes
  1. Client certificate support
  2. SSL encrypted peers
  3. https:// gatewaying for clients not supporting SSL
  4. Hardware SSL acceleration support
  5. SSL key/certificate now read early in the startup, before chaning userid or chroot, allowing the keys to be strongly protected in the filesystem.
  6. And a few minor bugfixes/optimizations
2002-11-20 hardware accelerator support
Gianni Tedesco has contributed the needed glue to support SSL harware accelerators. Patch can be found on squid-users.
2002-04-06ssl-nohttp committed to HEAD
ssl-nohttp has been committed to HEAD, allowing Squid to run without any http_port defined.
2001-10-20 Committed to HEAD
The SSL tweaking options and POST bug fix has been committed to HEAD/2.5
2001-10-19 POST bug fix
Noel Burton-Krahn kindly identified why some SSL requests hangs, and even provided an initial patch to address the problem. Based on his findings, a proper fix has been developed.
2001-08-30 SSL tweaking options
A couple of SSL tweaking options has been added to make it possible to work around certain buggy clients. This is the new https_port options "version=", "cipher=", "options=" and the new directive ssl_unclean_shutdown.
2001-05-04 Committed to HEAD
the support for multiple SSL certificates been committed to HEAD
2001-04-19 http_port optional
The http_port directive has been made optional (ssl-nottp branch), to allow SSL-only accelerator configuration.
2001-04-18 Multiple SSL certificates
Support for multiple SSL certificates has been implemented by extending the https_port directive with arguments for key and certificate
2001-04-14 Committed to HEAD
The basic SSL accelerator support has been committed to HEAD

To-Do list

Emperial RSA keys support
To support certain export restrictions where the certicicate RSA key may only be used for signing support for emperial RSA keys needs to be added.
DSA keys
Need to add some glue to support DSA keys
SSL session cache tuning
There is need for options controlling the SSL session cache size. Maybe also interesting with support for an external (on-disk) SSL session cache but with todays memory prices I am not convinced about this.
SSL renegotiation when required by acl processing
Support delayed negotiation of a client certificate until required by acl processing, similar to how proxy_auth works.
CRL processing
The upcomding OpenSSL 0.9.7 includes CRL processing functions that we can probably make use of. (earlier versions of OpenSSL does not include CRL processing)
Outgoing session reuse
Session reuse is not yet implemented for SSL connections Squid initiate to peers or origin servers.
OCSP processing
OCSP is starting to supersed CRL in certificate verification and revocation checks. OpenSSL seems to have OCSP support in the current versions, but as for CRL processing some glue is needed in Squid to make use of the feature.

Squid Now! Cache Now! Valid HTML 4.0! SourceForge
$Id: index.html,v 1.25 2003/08/08 07:25:13 hno Exp $