Re: SSL Bump and dynamic SSL generation

I for one would welcome you explaining this set up a little bit. Definitely relevant to my interests.

Thanks!
Dan

On 12 May 2014, at 4:56 pm, Jay Jimenez <jay@xxxxxxxxxxxxxxx> wrote:

> Tom,
> 
> If your proxy users and computers are members of Active Directory
> Domain, you might want to use your existing internal AD public key
> infrastructure. The reason for this is that domain computers already
> trust the CA of your AD. I can explain the setup a little bit if this
> is the kind of IT environment you have. The main advantage of this
> setup is you don't need to install a self-signed CA by squid in each
> computer.
> 
> Jay
> 
> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom@xxxxxxxxxxxxxxx> wrote:
>> Hi Amos,
>> 
>> Thanks for that. Yes I understand the legalities, this isn't to
>> 'forge' anything. The users are well aware they're not looking at the
>> real sites.
>> 
>> The CA will be installed on their systems and they will have to agree
>> to it. The issue is that the browser is complaining that the CN does
>> not match because my local web server that represents ANY site has a
>> catch all CN. Therefore I'm trying to determine a way to generate the
>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>> correct.
>> 
>> The certificates I generate don't need to look like the original
>> because I'm not trying to trick anyone, they just need not to error in
>> the browser.
>> 
>> Thanks,
>> Tom
>> 
>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>>> about, site1.com was just an example. It could be any site that I
>>>> don't previously know the address for.
>>>> 
>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>> self-signed cert.
>>> 
>>> One of the built-in problems with forgery is that one must have an
>>> original to work from in order to get even a vague resemblance of
>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>> other than high-tech forgery of the website owner's security credentials.
>>> 
>>> OR ... with a blind individual doing the checking it does not matter.
>>> 
>>> (Un)luckily the system design for SSL and TLS as widely used today
>>> places a huge blindfold (the trusted CA set) on the client software. So
>>> all one has to do is install the signing CA for the forged certificates
>>> as one of those CAs and most anything becomes possible.
>>> ... check carefully the legalities of doing this before doing anything.
>>> In some places even experimenting is a criminal offence.
>>> 
>>> Amos
>>> 
>> 
>> 
>> 
>> --
>> Tom Holder
>> Systems Architect
>> 
>> 
>> Follow me on: [Twitter] [Linked In]
>> 
>> www.Simpleweb.co.uk
>> 
>> Tel: 0117 922 0448
>> 
>> Simpleweb Ltd.
>> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>> 
>> Simpleweb Ltd. is registered in England.
>> Registration no: 5929003 : V.A.T. registration no: 891600913
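Tom's requirement above (a certificate whose name matches whatever host the proxy is bumping, signed by a CA that the test users have knowingly installed) comes down to a small per-host issuing routine plus a check that the result actually validates. The script below is an added example for this thread, not code from any of the posters or from Squid. It assumes openssl on PATH, a lab CA that it creates on first use in the directory you give it, and 30-day lifetimes; the CA name, file layout and lifetimes are arbitrary choices. It puts the hostname in a subjectAltName as well as the CN, because current browsers ignore the CN and will still reject a certificate that only has a matching CN, and it refuses anything that is not a plain DNS name, since in a bumping proxy that value comes straight from the client's SNI and must never be spliced into a config file unchecked.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): issue a per-host leaf
# certificate from a lab CA and verify it the way a browser would.
# Assumptions: openssl on PATH; CA material lives in $dir; 30-day lifetimes.

# Create the lab CA in $dir once; later calls reuse it.
make_lab_ca() {
  dir=$1
  [ -f "$dir/ca.crt" ] && return 0
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab Test CA (example only)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
}

# Issue $dir/$host.crt for one hostname, signed by the lab CA.
make_host_cert() {
  host=$1; dir=$2
  # The name arrives from the client's SNI: accept only plain DNS names
  # (no empty value, no leading dot/hyphen, no empty label, no other chars).
  case "$host" in
    ""|*[!A-Za-z0-9.-]*|-*|.*|*..*) echo "refusing hostname: $host" >&2; return 1 ;;
  esac
  make_lab_ca "$dir" || return 1
  # Leaf profile: server-auth only, not a CA, and the name in the SAN,
  # which is what browsers actually match against.
  cat > "$dir/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" -config "$dir/$host.cnf" 2>/dev/null &&
  openssl x509 -req -days 30 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.cnf" -extensions v3_leaf -out "$dir/$host.crt" 2>/dev/null
}

# True when the certificate's names cover $2 (same check a TLS client makes).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Chain check against the lab CA plus hostname check: both must pass for a
# browser that trusts ca.crt to accept the certificate without an error.
verify_host_cert() {
  host=$1; dir=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  cert_matches_host "$dir/$host.crt" "$host"
}

# Stand-alone usage: ./mint_host_cert.sh www.example.test /tmp/labpki
if [ $# -eq 2 ]; then
  mkdir -p "$2"
  make_host_cert "$1" "$2" && verify_host_cert "$1" "$2" &&
    echo "issued and verified $2/$1.crt"
fi
```

Squid's own bump helper (ssl_crtd in Squid 3, security_file_certgen in Squid 4 and later) does this same per-host issuance on the fly when generate-host-certificates=on is set on the listening port; the script is only meant to make the mechanism visible and to give you a way to confirm with openssl verify, before pointing a browser at it, that the generated certificate chains to the installed CA and names the right host.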





