Tom,

No problem. Make sure you have the latest version of Squid or at least version 3.3 to use server-first

Jay

On Mon, May 12, 2014 at 3:54 PM, Tom Holder <tom@xxxxxxxxxxxxxxx> wrote:
> Thanks Jay, it's not the CA I have an issue with, I can easily get
> that installed.
>
> On Mon, May 12, 2014 at 7:56 AM, Jay Jimenez <jay@xxxxxxxxxxxxxxx> wrote:
>> Tom,
>>
>> If your proxy users and computers are members of Active Directory
>> Domain, you might want to use your existing internal AD public key
>> infrastructure. The reason for this is that domain computers already
>> trust the CA of your AD. I can explain the setup a little bit if this
>> is the kind of IT environment you have. The main advantage of this
>> setup is you don't need to install a self-signed CA by squid in each
>> computer.
>>
>> Jay
>>
>> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom@xxxxxxxxxxxxxxx> wrote:
>>> Hi Amos,
>>>
>>> Thanks for that. Yes I understand the legalities, this isn't to
>>> 'forge' anything. The users are well aware they're not looking at the
>>> real sites.
>>>
>>> The CA will be installed on their systems and they will have to agree
>>> to it. The issue is that the browser is complaining that the CN does
>>> not match because my local web server that represents ANY site has a
>>> catch all CN. Therefore I'm trying to determine a way to generate the
>>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>>> correct.
>>>
>>> The certificates I generate don't need to look like the original
>>> because I'm not trying to trick anyone, they just need not to error in
>>> the browser.
>>>
>>> Thanks,
>>> Tom
>>>
>>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>>>> about, site1.com was just an example. It could be any site that I
>>>>> don't previously know the address for.
>>>>>
>>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>>> self-signed cert.
>>>>
>>>> One of the built-in problems with forgery is that one must have an
>>>> original to work from in order to get even a vague resemblance of
>>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>>> other than high-tech forgery of the website owner's security credentials.
>>>>
>>>> OR ... with a blind individual doing the checking it does not matter.
>>>>
>>>> (Un)luckily the system design for SSL and TLS as widely used today
>>>> places a huge blindfold (the trusted CA set) on the client software. So
>>>> all one has to do is install the signing CA for the forged certificates
>>>> as one of those CAs and most anything becomes possible.
>>>> ... check carefully the legalities of doing this before doing anything.
>>>> In some places even experimenting is a criminal offence.
>>>>
>>>> Amos
>>>>
>>>
>>> --
>>> Tom Holder
>>> Systems Architect
>>>
>>> www.Simpleweb.co.uk
>>>
>>> Tel: 0117 922 0448
>>>
>>> Simpleweb Ltd.
>>> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>>>
>>> Simpleweb Ltd. is registered in England.
>>> Registration no: 5929003 : V.A.T. registration no: 891600913
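Jay's pointer to Squid 3.3 and server-first, written out as a squid.conf fragment. This is an added example, not from the thread or from the Squid project, and the CA file paths, certificate database path and listening port are assumptions. With `ssl_bump server-first`, Squid connects to the origin server before generating the client-facing certificate and mimics the origin certificate's subject in the generated one, so the CN follows the requested site rather than a catch-all.

```conf
# Added example squid.conf fragment for Squid 3.3 or later.
# Paths and the port are assumptions; adjust them to the local install.

# Listening port with dynamic, per-host certificate generation. The generated
# certificates are signed by the local CA that clients have chosen to trust.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.key

# Never bump the proxy's own local traffic.
ssl_bump none localhost

# server-first: Squid completes the TLS handshake with the origin server first,
# then builds the client-facing certificate by mimicking the origin certificate's
# subject, so the browser sees a CN that matches the site it asked for.
ssl_bump server-first all

# Helper that generates and caches the per-host certificates.
# Initialise the certificate database once, before starting Squid:
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Keep the default: if the origin certificate fails validation, refuse to bump
# rather than hiding the problem behind a locally signed certificate.
sslproxy_cert_error deny all
```

The mimicked subject is taken from whatever certificate the upstream server actually presents, so the origin that Squid reaches must itself offer a certificate with the expected name.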