On 14.12.2015 22:26, Yuri Voinov wrote:
> Hi all. Can anybody tell me whether it is possible to use a subordinate (secondary) CA in Squid for SSL bumping?

This is possible; I had it set up this way for several months.

> I.e., we have a self-signed primary CA for issuing a subordinate CA; the subordinate CA we install in Squid's setup, and the primary CA certificate we install on the clients. For example, for mimicking we'll use the subordinate CA, and, in case of subordinate key forgery, we can use the primary CA to revoke the subordinate CA and re-issue it without totally replacing the primary CA on the clients. This will seriously increase bumping security procedure, hm?

No; but there you have to keep some steps you wouldn't need if Squid used a root CA certificate:

*) You can replace the sub CA every month without extra work on the client side, because the clients have the root CA in their trust store.

> I've tried this scheme with 3.5.11, but without success.

OK, I was using this with 3.4.10.

*) This is more work than someone may think, because you must fake a complete CA. This means:

In the sub CA certificate there must be everything necessary to validate it; this means there must be an OCSP responder against the root, and also a CRL link in the CA certificate attributes. And keep in mind the only user agent on Windows honouring the CRL is Google's Chrome, so keep it up to date ...

Also there must be a link to the root CA inside the sub CA certificate. There it must be said that, when doing it this way, the symbol Chrome shows for SSL connections may be a normal one, as when there is no MITM ...
Walter
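To make the certificate requirements Walter lists concrete, here is an added example that is not from the thread and not part of Squid: a POSIX shell script driving openssl that builds a self-signed root, issues a short-lived sub CA carrying the authority-key/caIssuers pointer back to the root plus CRL and OCSP URLs, checks that the sub CA chains to the root, and then revokes the sub CA at the root and publishes a CRL, which is the recovery step Yuri describes. Every name, path and the example.invalid URLs are placeholders I chose; the functions `build_bump_pki`, `verify_sub_ca`, `sub_ca_has_ext`, `publish_root_crl`, `revoke_sub_ca` and `verify_sub_ca_with_crl` are mine.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): two-tier CA for ssl_bump.
# All subjects, URLs and directories below are constructed placeholders.
set -eu

build_bump_pki() {            # $1 = working directory; creates root + sub CA
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"        # openssl ca database (empty)
    echo 1000 > "$dir/serial"   # next serial for issued certificates
    echo 01 > "$dir/crlnumber"  # next CRL number
    export CA_DIR="$dir"

    # Single config: req settings, the two extension profiles and the ca section.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Placeholder Root CA
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Sub CA profile: everything a client needs to validate it against the root:
# issuer pointers (AKI + caIssuers URL), a CRL link and an OCSP responder URL.
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
crlDistributionPoints = URI:http://pki.example.invalid/root.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/, caIssuers;URI:http://pki.example.invalid/root.crt
[ca]
default_ca = root_ca
[root_ca]
dir = $ENV::CA_DIR
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.crt
private_key = $dir/root.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = policy_cn
[policy_cn]
commonName = supplied
EOF

    # 1. Self-signed root: long-lived, this is the only thing clients trust.
    openssl req -config "$dir/ca.cnf" -x509 -new -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -extensions v3_root \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1

    # 2. Sub CA request, then issue it from the root with the v3_sub profile.
    #    Short validity (default_days = 30) matches the "replace monthly" idea.
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Placeholder Squid Bump Sub CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -batch -notext -extensions v3_sub \
        -in "$dir/sub.csr" -out "$dir/sub.crt" >/dev/null 2>&1
}

verify_sub_ca() {             # 0 if the sub CA chains to the root
    openssl verify -CAfile "$1/root.crt" "$1/sub.crt" >/dev/null 2>&1
}

sub_ca_has_ext() {            # 0 if text $2 appears in the sub CA's decoded form
    openssl x509 -in "$1/sub.crt" -noout -text | grep -q "$2"
}

publish_root_crl() {          # sign a fresh CRL with the root key
    export CA_DIR="$1"
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/root.crl" >/dev/null 2>&1
}

revoke_sub_ca() {             # mark the sub CA revoked at the root, re-publish CRL
    export CA_DIR="$1"
    openssl ca -config "$1/ca.cnf" -revoke "$1/sub.crt" >/dev/null 2>&1
    publish_root_crl "$1"
}

verify_sub_ca_with_crl() {    # 0 only while the sub CA is not on the root's CRL
    openssl verify -crl_check -CAfile "$1/root.crt" -CRLfile "$1/root.crl" \
        "$1/sub.crt" >/dev/null 2>&1
}

# Walk-through: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    build_bump_pki "$d"
    verify_sub_ca "$d" && echo "sub CA chains to root"
    publish_root_crl "$d"
    verify_sub_ca_with_crl "$d" && echo "sub CA not revoked yet"
    revoke_sub_ca "$d"
    verify_sub_ca_with_crl "$d" || echo "sub CA now revoked by root CRL"
    echo "Squid gets $d/sub.crt + $d/sub.key; clients get only $d/root.crt"
fi
```

Squid is pointed at `sub.crt` and `sub.key` and the clients get only `root.crt` in their trust store, which is what lets the sub CA be replaced or revoked without touching clients. The script only embeds the CRL and OCSP URLs; nothing here serves them, so a real deployment still has to publish the CRL and run an OCSP responder at those addresses, or clients that check them (per Walter, Chrome for the CRL) will not be able to complete the validation he describes.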
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users