On 28/05/14 03:43, Amos Jeffries wrote:
On 28/05/2014 8:19 a.m., Antoine Klein wrote:
I want to bump SSL connections, but without producing a warning of course.
I read that it is possible to generate a certificate signing request with a
key and send this file to an authority to sign it, do you know about that?
Having your cert signed by a widely trusted certificate authority is one
thing, and the basis of how TLS/SSL works.
SSL-bump cannot be used with that type of key for the reasons Alex
already mentioned. He also mentioned the steps you have to take instead
to get it going.
Amos
Hi Antoine,
You need to be a CA, i.e. have the CA private key, to be able to do this.
If you are in control of the clients and know how to use OpenSSL to
create a CA you can do this without paying any money to anyone. You
simply create the CA and use it and its private key in your ssl-bump
configuration.
http_port 3128 sslBump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
proxy.pem is your private key and CA certificate concatenated.
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
The above line configures the crtd helpers that actually generate the
certs for the requests, see
http://wiki.squid-cache.org/Features/DynamicSslCert
Cheers
Alex
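The steps Alex describes, as an added worked example that is not part of the thread and not Squid's own tooling: a POSIX shell script that creates a private CA with OpenSSL, concatenates its key and certificate into the proxy.pem file the http_port line points at, and sanity-checks the result before Squid is pointed at it. It assumes OpenSSL 1.1.1 or newer is in PATH (for -addext); the directory, subject name and output file names are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a private CA for
# Squid ssl-bump and assemble the concatenated proxy.pem Alex refers to.
# Assumes: openssl >= 1.1.1 in PATH. All paths and names are placeholders.
set -eu

# Create a self-signed CA in directory $1; writes ca.key, ca.crt, proxy.pem.
# The key is written with owner-only permissions: whoever holds it can mint
# a certificate for any host name your clients trust the CA for.
make_bump_ca() {
    dir=$1
    mkdir -p "$dir"
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -keyout "$dir/ca.key" -out "$dir/ca.crt" \
            -subj "/CN=Example Proxy CA (placeholder)" \
            -addext "basicConstraints=critical,CA:TRUE" \
            -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
        # Squid expects the private key and the CA certificate in one PEM file.
        cat "$dir/ca.key" "$dir/ca.crt" > "$dir/proxy.pem"
    )
    # Only the certificate is distributed to clients; make it world-readable.
    chmod 644 "$dir/ca.crt"
}

# Check a proxy.pem before handing it to Squid: exactly one private key and
# one certificate, the certificate is a CA, and the key matches the cert.
# Returns 0 when all checks pass, 1 otherwise.
check_bump_pem() {
    pem=$1
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -eq 1 ] || return 1
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
    return 0
}

# Print the two squid.conf lines from the thread, filled in with the
# directory chosen above (helper paths are the ones Alex quoted).
print_squid_config() {
    dir=$1
    printf '%s\n' \
        "http_port 3128 sslBump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$dir/proxy.pem" \
        "sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB"
}

# Usage when run directly: make_bump_ca /etc/squid3/ssl_cert
#                          check_bump_pem /etc/squid3/ssl_cert/proxy.pem
#                          print_squid_config /etc/squid3/ssl_cert
```

The check function matters because the two most common ways this setup fails silently are a certificate that lacks CA:TRUE (ssl_crtd cannot sign with it) and a proxy.pem whose key and certificate do not belong together. ca.crt, never ca.key, is what gets imported into the clients' trust stores.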