Thanks for your answers! Alex, is your last answer for me? What is illegal?

Finally, I managed to install the certificate; in fact my boss had the private key...

So I have another problem: squid starts correctly with the certificate, but on the client with Firefox I get this error, "ssl_error_bad_cert_domain", when I make an HTTPS connection. Furthermore, Squid displays an error:

2014/05/29 14:15:53 kid1| clientNegotiateSSL: Error negotiating SSL connection on FD 11: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)

Do you know these errors?

2014-05-28 11:39 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:
> You cannot generate on the fly new certs that are signed by a commercial CA.
> You need a generated cert for every site your clients visit.
>
> And if you are not in control of your clients this would be not only
> unethical but also most likely illegal - and you won't get any further help
> from this list with either of those.
>
> On 28 May 2014 15:55:04 BST, Antoine Klein <klein.anto@xxxxxxxxx> wrote:
>>
>> I am sending my post again because I'm not sure it was sent...
>>
>> Ok, thanks all!
>>
>> I'm not in control of the clients, so that's the real problem: I can't
>> install the certificate on their smartphones ^^.
>>
>> So according to you, if I create a CA with openssl, and create a
>> certification signing request (.csr) with a private key, and if I send
>> my csr to a trusted authority to sign it, I could use it in squid
>> without problem, then clients wouldn't have any warning?
>> I would like to be sure to avoid every problem.
>>
>> 2014-05-28 2:47 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:
>>>
>>> On 28/05/14 03:43, Amos Jeffries wrote:
>>>>
>>>> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>
>>>>> I want to bump ssl connections, but without producing a warning of
>>>>> course.
>>>>>
>>>>> I read it is possible to generate a request of certification with a
>>>>> key and send this file to an authority to sign it, do you know that?
>>>>
>>>> Having your cert signed by a widely trusted certificate authority is one
>>>> thing, and the basis of how TLS/SSL works.
>>>>
>>>> SSL-bump cannot be used with that type of key for the reasons Alex
>>>> already mentioned. He also mentioned the steps you have to take instead
>>>> to get it going.
>>>>
>>>> Amos
>>>
>>> Hi Antoine,
>>>
>>> You need to be a CA, i.e. have the CA private key, to be able to do this. If
>>> you are in control of the clients and know how to use OpenSSL to create a CA
>>> you can do this without paying any money to anyone. You simply create the CA
>>> and use it and its private key in your ssl-bump configuration.
>>>
>>> http_port 3128 sslBump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>
>>> proxy.pem is your private key and CA certificate concatenated.
>>>
>>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> The above line configures the crtd helpers that actually generate the
>>> certs for the requests, see
>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>
>>> Cheers
>>>
>>> Alex
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

--
Antoine KLEIN
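As an added example (not code from the squid-users thread, the Squid project or any of the posters), for an administrator who does control the clients: the script below builds the private CA that Alex's quoted message describes, concatenates private key and CA certificate into a proxy.pem-style bundle, and then checks that bundle before anyone points `cert=` at it. The check matters for the errors in Antoine's reply: a "tlsv1 alert unknown ca" from the client means it will not trust the chain the proxy presents, and a bundle holding a CA-signed leaf certificate instead of a CA certificate (CA:TRUE) with its matching key can never satisfy that. The function names `make_bundle` and `check_bump_bundle`, the CN and the temporary paths are all constructed here; the script assumes only the `openssl` command-line tool (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example, not from the squid-users thread: build a private CA, concatenate
# key + CA cert the way squid's cert= expects, and verify the bundle.
# Assumes the openssl CLI (1.1.1+). Everything lives in a throwaway directory.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"

# Minimal openssl config (constructed): a CA profile, plus a non-CA "leaf" profile
# that stands in for the kind of commercially signed server cert that cannot bump.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Bump CA (constructed)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# make_bundle NAME EXTSECTION: self-signed key + cert, concatenated into NAME.pem
# (private key first, then the certificate), and prints the bundle path.
make_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$CNF" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
    cat "$WORK/$1.key" "$WORK/$1.crt" > "$WORK/$1.pem"
    echo "$WORK/$1.pem"
}

# check_bump_bundle FILE: returns 0 only if FILE contains a private key and a
# certificate, the two belong together, and the certificate is a CA (CA:TRUE).
check_bump_bundle() {
    f="$1"
    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "$f: no certificate block" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$f"       || { echo "$f: no private key block" >&2; return 1; }
    # Compare the SubjectPublicKeyInfo from the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey)
    key_pub=$(openssl pkey -in "$f" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$f: private key does not match certificate" >&2; return 1; }
    # CA:TRUE only appears in the Basic Constraints extension of the text dump.
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$f: certificate is not a CA certificate (CA:TRUE missing)" >&2; return 1; }
    return 0
}

CA_BUNDLE=$(make_bundle proxy ca_ext)      # what a usable proxy.pem looks like
LEAF_BUNDLE=$(make_bundle leaf leaf_ext)   # a server-style cert: must be rejected

check_bump_bundle "$CA_BUNDLE"   && echo "$CA_BUNDLE: usable as ssl-bump CA"
check_bump_bundle "$LEAF_BUNDLE" || echo "$LEAF_BUNDLE: rejected, as expected"
```

The bundle that passes still has to be trusted by every client: the CA certificate (never the key) must be installed in each client's trust store, which is the step the thread says is impossible without control of the clients, and is the reason the check alone cannot make the "unknown ca" alert go away.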