Ok, I'm really sorry, I don't understand English very well... I read the discussion again but I am confused :/

Before this project I had no knowledge of certificates and SSL connections, but I did several searches on the subject, especially on the Squid wiki. I also read the documentation here again:

http://wiki.squid-cache.org/Features/SslBump
http://wiki.squid-cache.org/Features/DynamicSslCert
http://wiki.squid-cache.org/Features/HTTPS

But nothing concerns trusted signed certificates :/

My company wishes to offer its clients a public WiFi; I need to use Squid for the delay pools, and possibly the cache. There is already a warning given on connection, where users have to accept the terms of use, which warns the user.

So, according to you, isn't it possible? I think it's strange, because the WiFi is deployed, and the clients' connections pass through the firewall, which already deciphers packets.

I don't understand why you speak about dynamic certificate generation; does it concern my problem? Because finally I have the certificate signed by GoDaddy and the private key of this certificate.

Anyway, thanks for your patience. :)

2014-05-29 17:14 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:
> Antoine,
>
> I really think you are completely missing the point of what everyone has
> said to you on this list.
>
> 1. SSL bumping is effectively an MITM attack against users/clients and they
> must be aware that it is happening and it must be legal in your country and
> also comply with company policy (if this is for corporate use).
> 2. You *CAN NOT* use a certificate issued by a commercial CA to do SSL
> bumping with dynamic certificate generation, full stop. It *CANNOT* work -
> if it did, SSL would be utterly useless. For everyone on the internet, not
> just your clients.
> 3. You *CAN NOT* prevent an SSL warning appearing for bumped connections
> unless you are able to install on the clients *your own CA cert*, ie *the
> very same CA* you use in Squid. Squid will need that CA's private key to be
> able to generate certs for every https site your clients visit.
>
> Please read all the Squid docs about SSL and a lot of general info about how
> SSL works (ie the trust model) as I feel we are all now at a loss in helping
> you further!
>
> Alex
>
>
>
> On 29/05/14 20:02, Antoine Klein wrote:
>>
>> Thanks for your answers!
>>
>> Alex, is your last answer for me? What is illegal?
>>
>> Finally, I managed to install the certificate; in fact my boss had the
>> private key...
>>
>> So I have another problem: Squid starts correctly with the certificate,
>> but on the client with Firefox I get this error
>> "ssl_error_bad_cert_domain" when I make an HTTPS connection.
>> Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
>> clientNegotiateSSL: Error negotiating SSL connection on FD 11:
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> (1/0)"
>>
>> Do you know these errors?
>>
>> 2014-05-28 11:39 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:
>>>
>>> You cannot generate on the fly new certs that are signed by a commercial
>>> CA.
>>> You need a generated cert for every site your clients visit.
>>>
>>> And if you are not in control of your clients this would be not only
>>> unethical but also most likely illegal - and you won't get any further
>>> help
>>> from this list with either of those.
>>>
>>> On 28 May 2014 15:55:04 BST, Antoine Klein <klein.anto@xxxxxxxxx> wrote:
>>>>
>>>> I'm resending my post because I'm not sure it was sent...
>>>>
>>>> Ok, thanks all!
>>>>
>>>> I don't have control of the clients, so that's the real problem; I can't
>>>> install a certificate on their smartphones ^^.
>>>>
>>>> So according to you, if I create a CA with OpenSSL, create a
>>>> certificate signing request (.csr) with a private key, and send
>>>> my CSR to a trusted authority to sign it, could I use it in Squid
>>>> without problems, so that clients wouldn't get any warning?
>>>> I would like to be sure to avoid every problem.
>>>>
>>>> 2014-05-28 2:47 GMT-04:00 Alex Crow <alex@xxxxxxxxxxxxxxx>:
>>>>>
>>>>>
>>>>> On 28/05/14 03:43, Amos Jeffries wrote:
>>>>>>
>>>>>>
>>>>>> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>>>
>>>>>>>
>>>>>>> I want to bump SSL connections, but without producing a warning, of
>>>>>>> course.
>>>>>>>
>>>>>>> I read it is possible to generate a certification request with a
>>>>>>> key and send this file to an authority to sign it; do you know about that?
>>>>>>
>>>>>>
>>>>>> Having your cert signed by a widely trusted certificate authority is
>>>>>> one
>>>>>> thing, and the basis of how TLS/SSL works.
>>>>>>
>>>>>> SSL-bump cannot be used with that type of key for the reasons Alex
>>>>>> already mentioned. He also mentioned the steps you have to take
>>>>>> instead
>>>>>> to get it going.
>>>>>>
>>>>>> Amos
>>>>>
>>>>>
>>>>>
>>>>> Hi Antoine,
>>>>>
>>>>> You need to be a CA, ie have the CA private key, to be able to do
>>>>> this.
>>>>> If
>>>>> you are in control of the clients and know how to use OpenSSL to
>>>>> create
>>>>> a CA
>>>>> you can do this without paying any money to anyone. You simply create
>>>>> the CA
>>>>> and use it and its private key in your ssl-bump configuration.
>>>>>
>>>>>
>>>>> http_port 3128 sslBump generate-host-certificates=on
>>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>>>
>>>>> proxy.pem is your private key and CA certificate concatenated.
>>>>>
>>>>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>>
>>>>> The above line configures the crtd helpers that actually generate the
>>>>> certs
>>>>> for the requests, see
>>>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>>>
>>>>> Cheers
>>>>>
>>>>> Alex
>>>>
>>>>
>>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>>
>>
>
--
Antoine KLEIN
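The three points Alex makes (your own CA works only on clients that have it installed, a cert bought from a commercial CA cannot act as an issuer, and Squid needs the issuer's private key to mint a cert per site), plus the name-mismatch error Antoine reports, can all be reproduced with plain openssl commands. The script below is an added example, not code from the thread or from the Squid project. Its names are constructed: "proxy-ca" is the CA you would generate yourself and concatenate into proxy.pem, "public-root" stands in for a commercial root that a client's browser already trusts, and www.example.com is a site a WiFi client visits. It assumes an openssl binary (1.1.1 or later) and runs entirely in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Constructed names: "proxy-ca" is the CA you would generate yourself and put
# in proxy.pem; "public-root" stands in for a commercial root (GoDaddy) that a
# client's browser already trusts; www.example.com is a site a client visits.
set -eu

WORK=$(mktemp -d)
SITE=www.example.com

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed CA (CA:TRUE) -> $WORK/NAME.key and $WORK/NAME.pem
make_ca() {
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue ISSUER OUT HOST: end-entity cert for HOST signed with ISSUER's private
# key -> $WORK/OUT.pem. This is all Squid's ssl_crtd helper does per https
# host, which is why it needs the issuer's private key and nothing else.
issue() {
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 7 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok TRUSTED CERT [INTERMEDIATE]: 0 iff CERT validates for $SITE against
# a trust store that contains only TRUSTED, which is what a browser checks.
chain_ok() {
  extra=""
  if [ $# -ge 3 ]; then extra="-untrusted $WORK/$3.pem"; fi
  if openssl verify -CAfile "$WORK/$1.pem" $extra -verify_hostname "$SITE" \
       "$WORK/$2.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# is_ca NAME: 0 iff the cert carries basicConstraints CA:TRUE
is_ca() {
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

# bundle_for_squid NAME: private key + CA cert concatenated, the file that
# the cert= option in the http_port line points at.
bundle_for_squid() {
  cat "$WORK/$1.key" "$WORK/$1.pem" > "$WORK/proxy.pem"
  printf '%s\n' "$WORK/proxy.pem"
}

make_ca proxy-ca
make_ca public-root

# Point 3: a cert Squid mints with your own CA is accepted only by clients
# that have that CA installed; every other client reports "unknown ca".
issue proxy-ca bumped-by-own-ca "$SITE"
if chain_ok proxy-ca bumped-by-own-ca; then echo "own CA installed: accepted"; fi
if ! chain_ok public-root bumped-by-own-ca; then echo "own CA not installed: rejected"; fi

# Point 2: a cert bought from a commercial CA is an end-entity cert (CA:FALSE).
# Its key can sign bytes, but no client accepts a chain that passes through it.
issue public-root bought-from-godaddy proxy.example.com
issue bought-from-godaddy bumped-by-bought-cert "$SITE"
if ! chain_ok public-root bumped-by-bought-cert bought-from-godaddy; then
  echo "signed with a bought end-entity cert: rejected"
fi

# Serving the bought cert itself for every site gives the name mismatch that
# Firefox reports as ssl_error_bad_cert_domain.
if ! chain_ok public-root bought-from-godaddy; then echo "bought cert for $SITE: name mismatch"; fi

echo "Squid cert= file: $(bundle_for_squid proxy-ca)"
```

The only chain that validates is the one where the trust store already contains the same CA whose private key signed the bumped cert; that CA is what has to be installed on every client, and for a public WiFi with uncontrolled smartphones that is exactly the step that cannot be done.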