Amos, this question is already ready for FAQ. Time to write an article in Squid Wiki? :)

This question pops up every week.

WBR, Yuri

30.01.2015 10:42, Amos Jeffries wrote:
> On 30/01/2015 1:43 p.m., Christian Kundela wrote:
>> Dear all,
>>
>> I have problems setting up explicit proxy. (intercept tcp 80 no problem)
>>
>> If I do a self signed Cert, and I install it in Firefox or IE, no problem.
>>
>> but if I use a CA-Cert I am using a signed cert from cacert.org, SSL
>> Site only TXT loaded and no pictures ... this I know, when something is
>> wrong with key or else ?
>> (Install also all certs from cacert.org (also Firefox addons))
>
> Something is definitely wrong with your understanding of TLS/SSL.
>
> You are not alone in this, we get people every few weeks asking about
> this same "problem".
>
>>
>> Key, CSR is generated with:
>> openssl genrsa -out /etc/squid/squid.key 2048
>> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
>>
>> Signed on the site cacert.org. TXT put into /etc/squid/squid.crt
>>
>> My question: what CA Cert Squid expects ? wildcard * ? as common name I
>> choose www.mydomain.net (is an example, for csr I used my real domain
>> name).
>
> SSL-Bump cert generator requires both public and *private* security key
> for a CA which is eligible to generate signed certificates.
>
> To do what you are trying with a cacert.org signed certificate chain you
> would need to have a copy of the private key belonging to cacert.org.
> Or, to somehow convince them to grant *you* the same worldwide powers
> and responsibilities that the global Trusted CA organisations have.
>
> I hope you can see why that is not possible?
>
>
>>
>> How can I trace this Problem (debug) or is the Cert wrong ? I'm stuck here ...
>>
>
> Use the self-signed cert in the way that you found works.
>
> There are two situations where certificate generation is potentially
> legitimately used:
> 1) if you have legal authority to install your self-signed CA into the
> client browser,
> - cacert.org and other Trusted CA organisations are unnecessary.
>
> 2) if you own the domain being visited and are only delivering the cert
> cacert.org verified as belonging to you.
> - interception of the traffic is unnecessary.
>
> In neither situation do a Trusted CA signed certificate and interception
> happen together.
>
>
> Definitely do check up your local laws. In some countries it's outright
> illegal to use that Squid feature, others require a govt license, etc.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users