-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

04.02.2015 9:16, Amos Jeffries wrote:
> On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
>>
>> Now I have:
>>
>> root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l
>> 210
>>
>> root and intermediate CAs. Most known I can find.
>>
>> Note: all of them were found in different places, in addition to
>> Mozilla's bundle, shipped with OpenSSL.
>>
>> How can I find which is absent?
>
> Depends on your definition of "absent". If one was being really
> serious about the security the Trusted CA list would be empty.**

It's not my definition. Squid tells this. :) It indicates it as unknown CA.

> All the domains using DANE and TLSA DNS records? I am hoping someday
> to have Squid fetch and use those instead of the Trusted CA, but that
> is a while off. (hint, hint sponsorship welcome etc. and so on).
>
>> And how to support this heap? In practice? Manually with CLI
>> openssl? Ok, but how to identify the problem URL, when Squid's load is
>> over 100 requests per second?
>
> With the cert validator helper I think. Probably something custom.

Agrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhh........ Will think.

> ** The point of the word "Trusted" in Trusted CA is that they have
> passed through some difficult criteria to get listed and installed.
> Just grabbing CA certs from all over the place is risking a huge
> amount. The major well-known security flaw in the whole TLS/SSL system
> is that any one of the Trusted CAs is capable of forging signatures on
> other CAs' clients. So dodgy list entries are a VERY big deal.

Agreed. Of course, CAs can't be got from just anywhere. At minimum, from providers' sites. On the other hand, every one of them cannot be checked (and could not be) in depth. We just get it and trust. This is a wrong concept, but we haven't anything else....
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJU0d3fAAoJENNXIZxhPexGozoH/Ri2ljZrROkZ+9RLqr6gY0U+
ckpX1bZUp3hmOw+i6fdASJHL2Wj4mXe7LMvTOr9P7oKiW8H0r/sAfh2zlcss2WIA
aQA+TntAyWJG66NH0MBJbTWtnlmDGMV11i2g5B30jUg7G1KPIAGd2IW1fi/Uf3Kb
bNuT5lFz6peG2l04qMjwY26xhaM+IQIh0b1JyKtpiqNnwjLw/gLpESvJB1Ah8LST
CgLsM+j5w/2sTPeg/K+SIvYwfRpng/XgvedONY0eL6RTWY1xnWS4zWmn29ZmRqkx
tAJZVHHQl4NhpJ8ulYUi1ILgWLK2FYIqTZ0ctXOpRBmNwGqPFhvA1SY7K43d5ew=
=HwCL
-----END PGP SIGNATURE-----
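The question in the quoted exchange, which CA is absent from a directory of 210 hand-collected root and intermediate certificates, has at least one mechanical answer: find every intermediate whose issuer is not itself present in the directory, since those are chains the bundle can never complete on its own. The script below is an added example, not code from the thread, from Yuri or from the Squid project. It assumes one PEM-encoded certificate per `.pem` file, the `openssl` CLI on PATH, and uses the directory path from the message only as a default; the file names in the test data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: list the intermediate
# CA certificates in a bundle directory whose issuing CA is absent from
# that same directory, i.e. chains the bundle cannot complete by itself.
#
# Assumptions: one PEM certificate per *.pem file, and the openssl CLI
# is on PATH. The default directory is the path quoted in the message.

DEFAULT_CERT_DIR=/etc/opt/csw/ssl/certs

# Emit one line per certificate: file<TAB>subject DN<TAB>issuer DN.
# RFC2253 name formatting keeps each DN on one line with stable spacing,
# so subject and issuer strings can be compared textually.
list_certs() {
    dir="$1"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" 2>/dev/null | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$f" 2>/dev/null | sed 's/^issuer= *//')
        # Skip files openssl could not parse as a certificate (keys, junk).
        [ -n "$subj" ] || continue
        printf '%s\t%s\t%s\n' "$f" "$subj" "$iss"
    done
}

# Read the listing on stdin and report every issuer DN that some
# certificate names but that never appears as a subject in the listing.
# Self-signed certificates (subject == issuer) are roots and are skipped.
missing_issuers() {
    awk -F'\t' '
        { present[$2] = 1 }
        $2 != $3 { refs[$3]++; example[$3] = $1 }
        END {
            for (dn in refs)
                if (!(dn in present))
                    printf "missing issuer: %s (referenced by %d cert(s), e.g. %s)\n", dn, refs[dn], example[dn]
        }
    ' | sort
}

# Usage: sh find_missing_issuers.sh [cert-directory]
if [ -n "${1:-}" ] || [ -d "$DEFAULT_CERT_DIR" ]; then
    list_certs "${1:-$DEFAULT_CERT_DIR}" | missing_issuers
fi
```

Each reported line names an issuer DN that must be obtained (from the operator of that CA, not from an arbitrary download) before the referencing intermediate is useful to Squid; the same listing can also be grepped for the subject DN of any certificate a server's chain presents, to see whether the bundle already contains it. The check matches on DN text only, so two different CAs that share a subject name, as cross-signed intermediates often do, are not told apart; a stricter version would compare each certificate's Authority Key Identifier against the Subject Key Identifiers present.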