Re: Alert unknown CA

Amos Wrote:
The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs clients.

And it happens to be one that Squid desperately needs to remain in order to continue SSL bumping.


-----------
Daniel I Greenwald



On Tue, Feb 3, 2015 at 7:16 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
>
> Now I have:
>
> root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l
> 210
>
> root and intermediate CAs. Most known ones I could find.
>
> Note: all of them were found in different places, in addition to
> Mozilla's bundle, shipped with OpenSSL.
>
> How can I find which is absent?

Depends on your definition of "absent". If one was being really
serious about the security the Trusted CA list would be empty.**

All the domains using DANE and TLSA DNS records? I am hoping someday
to have Squid fetch and use those instead of the Trusted CA, but that
is a while off. (hint, hint sponsorship welcome etc. and so on).

>
> And how to support this heap? In practice? Manually with the
> openssl CLI? OK, but how to identify the problem URL when Squid's
> load is over 100 requests per second?

With the cert validator helper I think. Probably something custom.


** The point of the word "Trusted" in Trusted CA is that they have
passed through some difficult criteria to get listed and installed.
Just grabbing CA certs from all over the place is risking a huge
amount. The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs' clients. So dodgy list entries are a VERY big deal.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJU0Y8YAAoJELJo5wb/XPRjYzkH/0n9xKM6oi8Uk3h4PkJVHYg6
2fqVwPkXiSiqtxuD/DQ/IYJ04UQ0gxKz7KCWt4LaWoTBoAh8GdGnWciGCIcx1eYC
GUhxOWP04ak1CSTaOOsUzAnXofp5Vc3pqaYHZVVohzE4KNvHzSEoOTGEwZpF2gtP
yK559mi1g0wH8NVjzYaO/0oMEhIPuxjr2HyLBb3ZUWMG63JtlpQX35KGGm93A5Ws
/03NhWs/iZDLpPvFivm3WxZme85Hl4XIbsWXp/AJWgK/jqr/SpFjUBs11CclTd9n
zsTGiMMC+3RX/x1V/wzSrZ2wIdyAcfId2GRLKM4JaK7ABb0g3AMhQMesRv5JkDk=
=Sgg5
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

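Yuri asks above how to tell which CA is absent from a directory of some 210 PEM files and how to keep such a heap in order, and Amos's answer is that a trust list should be short and its entries vetted. The script below is an added example, not code from this thread or from the Squid project: it audits a directory of PEM certificates with nothing but the openssl command line, classifying each file as a self-signed root, an intermediate whose issuer is present and verifies, an intermediate whose issuer is present but fails verification, or an orphan whose issuer is missing from the store, and it also lists duplicate files and certificates near expiry. The certificates it operates on are constructed on the fly for the demonstration; the names ("Example Root CA", "Orphan Intermediate CA"), serials and paths are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): audit a directory of CA
# PEM files with nothing but the openssl CLI. Every certificate below is
# constructed on the fly for the demonstration; none is a real CA.
set -eu

WORK=$(mktemp -d)
CERTS="$WORK/certs"
mkdir -p "$CERTS"
trap 'rm -rf "$WORK"' EXIT

# mint_root <CN> <out.pem> <out.key>: self-signed CA (hypothetical names).
mint_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$3" -out "$2" >/dev/null 2>&1
}
# mint_child <CN> <parent.pem> <parent.key> <out.pem> <serial>: CA signed by parent.
mint_child() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$5.key" -out "$WORK/$5.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$5.csr" -CA "$2" -CAkey "$3" -set_serial "$5" \
    -days 1825 -out "$4" >/dev/null 2>&1
}

# Constructed store: a root, an intermediate it signed, a duplicate copy of the
# root, and an intermediate whose issuer is deliberately kept OUT of the store.
mint_root  "Example Root CA"         "$CERTS/root.pem"   "$WORK/root.key"
mint_child "Example Intermediate CA" "$CERTS/root.pem"   "$WORK/root.key"    "$CERTS/inter.pem"  1001
cp "$CERTS/root.pem" "$CERTS/root-copy.pem"
mint_root  "Missing Root CA"         "$WORK/missing.pem" "$WORK/missing.key"
mint_child "Orphan Intermediate CA"  "$WORK/missing.pem" "$WORK/missing.key" "$CERTS/orphan.pem" 1002

# One openssl call per field, so output ordering between versions never matters.
subject_hash() { openssl x509 -in "$1" -noout -subject_hash; }
issuer_hash()  { openssl x509 -in "$1" -noout -issuer_hash; }
fingerprint()  { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
is_root()      { [ "$(subject_hash "$1")" = "$(issuer_hash "$1")" ]; }

# classify <dir> <file> -> ROOT | CHAINED | BROKEN | ORPHAN
#   ROOT:    self-signed (issuer == subject)
#   CHAINED: a file in <dir> carries the issuer's subject and the signature verifies
#   BROKEN:  the issuer's subject is present but verification fails
#   ORPHAN:  no file in <dir> carries the issuer's subject (the "absent" parent)
# Trust anchors for the verify step are exactly the self-signed files in <dir>;
# the remaining files are offered to openssl as untrusted intermediates.
classify() {
  if is_root "$2"; then echo ROOT; return; fi
  want=$(issuer_hash "$2"); found=no
  roots=$(mktemp); others=$(mktemp)
  for cert in "$1"/*.pem; do
    if is_root "$cert"; then cat "$cert" >> "$roots"; else cat "$cert" >> "$others"; fi
    [ "$(subject_hash "$cert")" = "$want" ] && found=yes
  done
  untrusted=""; [ -s "$others" ] && untrusted="-untrusted $others"   # unquoted below on purpose
  if [ "$found" != yes ]; then echo ORPHAN
  elif openssl verify -CAfile "$roots" $untrusted "$2" >/dev/null 2>&1; then echo CHAINED
  else echo BROKEN; fi
  rm -f "$roots" "$others"
}

# duplicates <dir>: "count fingerprint files..." for SHA-256 fingerprints seen in >1 file.
duplicates() {
  for cert in "$1"/*.pem; do echo "$(fingerprint "$cert") $(basename "$cert")"; done |
    sort | awk '{ n[$1]++; f[$1] = (f[$1] == "" ? $2 : f[$1] " " $2) }
                END { for (k in n) if (n[k] > 1) print n[k], k, f[k] }'
}

# expiring <dir> <days>: files already expired or expiring within <days>.
expiring() {
  for cert in "$1"/*.pem; do
    openssl x509 -in "$cert" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1 || basename "$cert"
  done
}

# report <dir>: one line per file, then the duplicate and expiry findings.
report() {
  for cert in "$1"/*.pem; do
    printf '%-14s %-8s %s\n' "$(basename "$cert")" "$(classify "$1" "$cert")" \
      "$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')"
  done
  echo "duplicate files (count fingerprint files):"; duplicates "$1"
  echo "expiring within 90 days:"; expiring "$1" 90
}

report "$CERTS"
```

Run against a real store, the ORPHAN lines are the files whose parent is absent, which is the question as asked; the duplicate list explains an inflated file count; and the ROOT lines are the ones Amos's footnote is about, since every self-signed file in that directory is a trust anchor whose provenance has to be justified, not merely a certificate that happened to be lying around.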