Re: Trusted CA Certificate with ssl_bump

Yuri Voinov <yvoinov@xxxxxxxxx> · Tue, 15 Nov 2016 20:28:59 +0600



    15.11.2016 20:22, Sergio Belkin пишет:

    
        Hi,

          
        When using something like that:

          
          http_port 8080 intercept ssl-bump
          generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
          cert=/home/proxy/ssl_cert/example.com.cert
          key=/home/proxy/ssl_cert/example.com.private

          
        Is possible to use a certificate generated by a trusted CA?

      
    No. 

    
    In theory, if you can to force trusted CA to issue subordinate
    intermediate CA personally to you - yes, it possible. But to force
    trusted CA to issue subordinate CA personally to you is not possible
    due to trusted CA's CPS. To do this you should be trusted CA
    youself. I.e.: Pass audit, has PKI infrastructure, has much money
    and blah-blah-blah.

    
    So, you can't do SSL bump without users notification. 

    
              Thanks in advance!

              
              -- 

                
                      --

                        Sergio Belkin

                        LPIC-2 Certified - http://www.lpi.org
                    
                  
      _______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

    
    -- 

      Cats - delicious. You just do not know how to cook them.
  

Attachment:
0x613DEC46.asc

Description: application/pgp-keys
Attachment:
signature.asc

Description: OpenPGP digital signature
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users