squid-cache.org

	sslproxy_cert_adapt <adaptation algorithm> acl ...

	The following certificate adaptation algorithms are supported:

	   setValidAfter
		Sets the "Not After" property to the "Not After" property of
		the CA certificate used to sign generated certificates.

	   setValidBefore
		Sets the "Not Before" property to the "Not Before" property of
		the CA certificate used to sign generated certificates.

	   setCommonName or setCommonName{CN}
		Sets Subject.CN property to the host name specified as a
		CN parameter or, if no explicit CN parameter was specified,
		extracted from the CONNECT request. It is a misconfiguration
		to use setCommonName without an explicit parameter for
		intercepted or tproxied SSL connections.

	This clause only supports fast acl types.

	Squid first groups sslproxy_cert_adapt options by adaptation algorithm.
	Within a group, when sslproxy_cert_adapt acl(s) match, Squid uses the
	corresponding adaptation algorithm to generate the certificate and
	ignores all subsequent sslproxy_cert_adapt options in that algorithm's
	group (i.e., the first match wins within each algorithm group). If no
	acl(s) match, the default mimicking action takes place.

	WARNING: SQUID_X509_V_ERR_DOMAIN_MISMATCH and ssl:certDomainMismatch can
	be used with sslproxy_cert_adapt, but if and only if Squid is bumping a
	CONNECT request that carries a domain name. In all other cases (CONNECT
	to an IP address or an intercepted SSL connection), Squid cannot detect
	the domain mismatch at certificate generation time when
	bump-server-first is used.