Thanks Jay, it's not the CA I have an issue with, I can easily get that installed.

On Mon, May 12, 2014 at 7:56 AM, Jay Jimenez <jay@xxxxxxxxxxxxxxx> wrote:
> Tom,
>
> If your proxy users and computers are members of an Active Directory
> domain, you might want to use your existing internal AD public key
> infrastructure. The reason for this is that domain computers already
> trust the CA of your AD. I can explain the setup a little bit if this
> is the kind of IT environment you have. The main advantage of this
> setup is you don't need to install a self-signed CA by Squid in each
> computer.
>
> Jay
>
> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom@xxxxxxxxxxxxxxx> wrote:
>> Hi Amos,
>>
>> Thanks for that. Yes I understand the legalities, this isn't to
>> 'forge' anything. The users are well aware they're not looking at the
>> real sites.
>>
>> The CA will be installed on their systems and they will have to agree
>> to it. The issue is that the browser is complaining that the CN does
>> not match because my local web server that represents ANY site has a
>> catch-all CN. Therefore I'm trying to determine a way to generate the
>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>> correct.
>>
>> The certificates I generate don't need to look like the original
>> because I'm not trying to trick anyone, they just need not to error in
>> the browser.
>>
>> Thanks,
>> Tom
>>
>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>>> about, site1.com was just an example. It could be any site that I
>>>> don't previously know the address for.
>>>>
>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>> self-signed cert.
>>>
>>> One of the built-in problems with forgery is that one must have an
>>> original to work from in order to get even a vague resemblance of
>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>> other than high-tech forgery of the website owner's security credentials.
>>>
>>> OR ... with a blind individual doing the checking it does not matter.
>>>
>>> (Un)luckily the system design for SSL and TLS as widely used today
>>> places a huge blindfold (the trusted CA set) on the client software. So
>>> all one has to do is install the signing CA for the forged certificates
>>> as one of those CAs and most anything becomes possible.
>>> ... check carefully the legalities of doing this before doing anything.
>>> In some places even experimenting is a criminal offence.
>>>
>>> Amos
>>>
>>
>>
>> --
>> Tom Holder
>> Systems Architect
>>
>> Follow me on: [Twitter] [Linked In]
>>
>> www.Simpleweb.co.uk
>>
>> Tel: 0117 922 0448
>>
>> Simpleweb Ltd.
>> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>>
>> Simpleweb Ltd. is registered in England.
>> Registration no: 5929003 : V.A.T. registration no: 891600913
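What the thread is circling around is the mechanism behind SSL-bump: a private CA that every client is told to trust, plus a freshly minted leaf certificate for whatever hostname the client asked for, so that the name check passes even though the site owner never issued it. Squid does the minting in its `ssl_crtd` helper (`sslcrtd_program`, enabled with `generate-host-certificates=on` on the `http_port` line). The script below is an added example, not code from the thread or from Squid; it does the same job with plain `openssl` so the result can be inspected: one CA, then a per-host certificate whose CN and subjectAltName both carry the requested name, and a check that mirrors what a browser does. The hostnames, the `Example Bump CA` name and the work directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): mint a private signing CA,
# then a per-host leaf certificate whose CN and subjectAltName match the
# requested hostname, as Squid's ssl_crtd helper does on the fly for each
# bumped site. Hostnames and the work directory are constructed for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# The signing CA, created once. This is the certificate that must be
# installed in every client's trust store; nothing else is needed there.
make_ca() {
    if [ -f "$WORKDIR/ca.pem" ]; then
        return 0
    fi
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Bump CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORKDIR/ca.cnf" -extensions v3_ca \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" >/dev/null 2>&1
}

# Mint a leaf certificate for one hostname, signed by the CA above.
# The name goes into the SAN as well as the CN: current browsers ignore
# the CN and match only the SAN, so a CN-only certificate would still
# produce a name mismatch. Writes $WORKDIR/<host>.pem and <host>.key.
make_host_cert() {
    host="$1"
    make_ca
    cat > "$WORKDIR/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORKDIR/$host.cnf" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 7 \
        -in "$WORKDIR/$host.csr" -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -extfile "$WORKDIR/$host.cnf" -extensions leaf \
        -out "$WORKDIR/$host.pem" >/dev/null 2>&1
    echo "$WORKDIR/$host.pem"
}

# The checks a browser applies: the chain must end at a trusted CA and the
# hostname must be present. Returns 0 only if the certificate chains to our
# CA and carries the name in both the CN and the SAN.
verify_host_cert() {
    host="$1"
    cert="$WORKDIR/$host.pem"
    openssl verify -CAfile "$WORKDIR/ca.pem" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$host" || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" || return 1
}

# Demo run: mint and check a certificate for one (constructed) hostname.
HOST="${HOST:-www.example.com}"
make_host_cert "$HOST" >/dev/null
verify_host_cert "$HOST" && echo "certificate for $HOST chains to the CA and matches the name"
```

Two caveats a practitioner will hit with this approach: the CN field is limited to 64 characters, so a long hostname can only be carried in the SAN, and `openssl verify` without `-CAfile` (or a browser without the CA installed) rejects the leaf outright, which is exactly the "blindfold" Amos describes: the forged chain is only accepted where the signing CA has been planted.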