Search squid archive

Re: Install Godaddy certificate on squid to use ssl-bumping functionnality

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Antoine,

I really think you are completely missing the point of what everyone has said to you on this list.

1. SSL bumping is effectively an MITM attack against users/clients and they must be aware that it is happening and it must be legal in your country and also comply with company policy (if this is for corporate use). 2. You *CAN NOT* use a certificate issued by a commercial CA to do SSL bumping with dynamic certificate generation, full stop. It *CANNOT* work - if it did, SSL would be utterly useless. For everyone on the internet, not just your clients. 3. You *CAN NOT* prevent an SSL warning appearing for bumped connections unless you are able to install on the clients *your own CA cert*, ie *the very same CA* you use in Squid. Squid will need that CA's private key to be able to generate certs for every https site your clients visit.

Please read all the Squid docs about SSL and a lot of general info about how SSL works (ie the trust model) as I feel we are all now at a loss in helping you further!

Alex


On 29/05/14 20:02, Antoine Klein wrote:
Thanks for your answers !

Alex your last answer is for me ? What is illegal ?

Finally, i managed to install the certificate, in fact my boss had the
private key...

So i have another problem, squid start correctly with the certificate
but on the client with firefox i have this error
"ssl_error_bad_cert_domain" when i make an HTTPS connexion.
Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
clientNegotiateSSL: Error negotiating SSL connection on FD 11:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(1/0)"

Do you know these errors ?

2014-05-28 11:39 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:
You cannot generate on the fly new certs that are signed by a commercial CA.
You need a generated cert for every site your clients visit.

And if you are not in control of your clients this would be not only
unethical but also most likely illegal - and you won't get any further help
from this list with either of those.

On 28 May 2014 15:55:04 BST, Antoine Klein <klein.anto@xxxxxxxxx> wrote:
I send back my post because i'm not sur it is sent...

Ok thanks all !

I haven't in control of clients so it's the real problem, i can't
install certificate on their smartphone ^^.

So according to you, if i create a CA with openssl, and create a
certification signing request (.csr) with a private key, and if i send
my csr to a trusted authority to sign it, i could use it in squid
without problem, then clients wouldn't have any warning ?
I would like to be sure to avoid every problem.

2014-05-28 2:47 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:

  On 28/05/14 03:43, Amos Jeffries wrote:

  On 28/05/2014 8:19 a.m., Antoine Klein wrote:

  I want to bump ssl connections, but without produce a warning of
course.

  I read it is possible to generate a request of certification with a
  key and send this file to an authority to sign it, do you know that ?

  Having your cert signed by a widely trusted certificate authority is
one
  thing, and the basis of how TLS/SSL works.

  SSL-bump cannot be used with that type of key for the reasons Alex
  already mentioned. He also mentioned the steps you have to take instead
  to get it going.

  Amos


  Hi Antoine,

  You need to be a CA, ie have the CA private key, to be able to do this.
If
  you are in control of the clients and know how to use OpenSsl to create
a CA
  you can do this without paying any money to anyone. You simply create
the CA<
  br />
and use it and its private key in your ssl-bump configuration.


  http_port 3128 sslBump generate-host-certificates=on
  dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem

  proxy.pem is your private key and CA certificate concatenated.

  sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB

  The above line configures the crtd helpers that actually generate the
certs
  for the requests, see
http://wiki.squid-cache.org/Features/DynamicSslCert

  Cheers

  Alex


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.







[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux