This work aims at providing SSL support for Squid when running
as an accelerator.
- 2003-04-17 DH support
- DH support has been added
- 2002-12-06 ssl update included in Squid-3
- The ssl update patch has been included in Squid-3
- 2002-11-29 ssl update available
- The ssl update patch is now available for both Squid-3 and Squid-2.5. This
- Client certificate support
- SSL encrypted peers
- https:// gatewaying for clients not supporting SSL
- Hardware SSL acceleration support
- SSL key/certificate now read early in the startup, before chaning userid or chroot, allowing the keys to be strongly protected in the filesystem.
- And a few minor bugfixes/optimizations
- 2002-11-20 hardware accelerator support
- Gianni Tedesco has contributed the needed glue to support SSL harware accelerators. Patch can be found on squid-users.
- 2002-04-06ssl-nohttp committed to HEAD
- ssl-nohttp has been committed to HEAD, allowing Squid to run without any http_port defined.
- 2001-10-20 Committed to HEAD
- The SSL tweaking options and POST bug fix has been committed to HEAD/2.5
- 2001-10-19 POST bug fix
- Noel Burton-Krahn kindly identified why some SSL requests hangs, and even provided an initial patch to address the problem. Based on his findings, a proper fix has been developed.
- 2001-08-30 SSL tweaking options
- A couple of SSL tweaking options has been added to make it possible
to work around certain buggy clients. This is the new https_port options
"version=", "cipher=", "options=" and the new directive ssl_unclean_shutdown.
- 2001-05-04 Committed to HEAD
- the support for multiple SSL certificates been committed to HEAD
- 2001-04-19 http_port optional
- The http_port directive has been made optional (ssl-nottp branch), to allow SSL-only accelerator configuration.
- 2001-04-18 Multiple SSL certificates
- Support for multiple SSL certificates has been implemented by extending the https_port directive with arguments for key and certificate
- 2001-04-14 Committed to HEAD
- The basic SSL accelerator support has been committed to HEAD
- Emperial RSA keys support
- To support certain export restrictions where the certicicate RSA key may only be used for signing support for emperial RSA keys needs to be added.
- DSA keys
- Need to add some glue to support DSA keys
- SSL session cache tuning
- There is need for options controlling the SSL session cache size. Maybe also interesting with support for an external (on-disk) SSL session cache but with todays memory prices I am not convinced about this.
- SSL renegotiation when required by acl processing
- Support delayed negotiation of a client certificate until required by acl processing, similar to how proxy_auth works.
- CRL processing
- The upcomding OpenSSL 0.9.7 includes CRL processing functions that we can probably make use of. (earlier versions of OpenSSL does not include CRL processing)
- Outgoing session reuse
- Session reuse is not yet implemented for SSL connections Squid initiate to peers or origin servers.
- OCSP processing
- OCSP is starting to supersed CRL in certificate verification and revocation checks. OpenSSL seems to have OCSP support in the current versions, but as for CRL processing some glue is needed in Squid to make use of the feature.
$Id: index.html,v 1.25 2003/08/08 07:25:13 hno Exp $