On 06/15/2014 09:31 PM, Douglas Davenport wrote:
Interesting, I thought bump server first solved this type of problem.
I wonder how is google serving different certs for gmail.com vs
mail.google.com at the same IP is this SNI. Is that something squid is
likely to support one day?
There are couple types of certificates out-there.
a range of domains using a Joker like asterisk that validates the
certificate for usage on a whole bunch of subdomains of a specific domain.
There is another way to use one certificate for multiple domains(the
client must support it).
Maybe there are couple other forms of certificates but these are the
most commonly used as far as I understand and know.
From a server and client point of view the SNI can be used to allow the
server send a valid certificate which matches the request...
for example if you would use an ip address with https you will get the
same warning you are getting these days with ssl-bump on gmail.com.
The certificate by itself is a *good* certificate from the issuer side
but it's not matching 100% the expectation of the client request and
intelligence.
Once you have installed the certificate you are good to go on and surf
the site as you wish(in firefox).
There is another option which it is to use a reverse proxy for all the
clients in the LAN that will be a proxy for all *.google.com domain with
a certificate signed by the local rootCA.
you can use the same for *.gmail.com.
then you just need to use DNS(bad choice it is but it's what we have)
for the whole domain.
I remember that if i'm not wrong BlueCoat used this technique to do
couple tricks.
squid for now dosn't know how to work with SNI but the project I think
wants if possible to allow it later on.
I had an assumption that can verify if specific IP address was meant for
gmail or googlemail a specific certificate can be assigned to it by the
user and which by that can allow a more flexible way to overcome
specific issues.
Alex can be asked about this option.
Eliezer