Re: Buy Certificates for Squid 'man in the middle'

In three words:

Forget about it.

No one in the world permits you to run a man-in-the-middle attack hidden from users.

If a CA learns of such a certificate, it immediately adds it to its list of untrusted certificates. And you can end up with problems up to and including a long prison term, for violating users' privacy. In other words, users should be aware that there is a proxy hacking HTTPS in front of them. All other tricks are illegal, or at least contrary to ethics.

Forget about it.

I'm serious.

02.02.2017 3:10, Yuri Voinov wrote:



02.02.2017 2:58, angelv wrote:
Hi,

I need your advice.

I have a transparent proxy running with the self-generated certificate 'myCA.pem'; as it is not signed by a valid entity, I have to import the 'myCA.der' certificate into all web browsers ...

I want to know where I can buy a valid certificate that works in Squid.
Nowhere. Due to CA's CPS.

PS:
The proxy is working great


----------------------------------------------------------------------------------------------
Important information for clarity (FreeBSD, squid-3.5.23 and PF):

Create self-signed certificate for Squid server

# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -extensions v3_ca -keyout /usr/local/etc/squid/ssl_cert/myCA.pem -out /usr/local/etc/squid/ssl_cert/myCA.pem -config /usr/local/etc/squid/ssl_cert/openssl.cnf

# openssl dhparam -outform PEM -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048

Create a DER-encoded certificate to import into users' browsers

# openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out /usr/local/etc/squid/ssl_cert/myCA.der


# edit /usr/local/etc/squid/squid.conf
...
# Squid normally listens to port 3128
http_port  3128

# Intercepted traffic: plain HTTP on 3129, HTTPS on 3130, decrypted with SSL-Bump
#
http_port  3129 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
https_port 3130 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB
#
acl step1 at_step SslBump1
#
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
#
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
...

PF redirect the traffic to the Squid

# edit /etc/pf.conf
...
# Redirect intercepted HTTPS traffic to Squid's https_port for SSL-Bump
rdr pass on $int_if inet  proto tcp from any to port https \
        -> 127.0.0.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port https \
        -> ::1 port 3130
...
----------------------------------------------------------------------------------------------
--
Ángel Villa G.
US +1 (786) 233-9240 | CO +57 (300) 283-6546
angelvg@xxxxxxxxx
https://google.com/+AngelVillaG
https://angelcontents.blogspot.com

"We are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further" - Richard Dawkins


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

--
Bugs to the Future

Attachment: 0x613DEC46.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
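Why the answer to "where can I buy a certificate that works in Squid" is "nowhere", shown with openssl. This is an added example, not part of the thread or of Squid: it generates a stand-in public root (publicRoot), the kind of server certificate a public CA would actually sell for the proxy's own name (proxy.example.com), and a self-made CA like the thread's myCA, then tries to use each as the issuer of a per-host certificate for www.example.org, which is what ssl_crtd does for every bumped connection. All names are placeholders, everything is written to a temporary directory, and OpenSSL 1.1.0 or newer is assumed (for -no-CApath).

```shell
#!/bin/sh
# Added example, not from the squid-users thread: why a certificate bought
# from a public CA cannot be Squid's SSL-Bump signing certificate, and why
# the self-made CA (myCA.der in the thread) must be imported on every client.
# publicRoot, proxy.example.com and www.example.org are placeholder names.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# new_ca NAME: self-signed CA certificate NAME.pem with key NAME.key.
# Extensions come from an -extfile so the result does not depend on the
# system openssl.cnf.
new_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1.ext"
    printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$1.ext"
    printf 'subjectKeyIdentifier=hash\n' >> "$1.ext"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
        -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# leaf_ext HOSTNAME: the extensions of an ordinary server certificate, i.e.
# what a public CA sells. CA:FALSE and no keyCertSign: it may not issue certs.
leaf_ext() {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=serverAuth\n'
    printf 'subjectAltName=DNS:%s\n' "$1"
}

# issue SIGNER HOSTNAME OUT: sign a server certificate for HOSTNAME with
# SIGNER.pem/SIGNER.key, the way ssl_crtd mints one per origin host.
# openssl x509 will happily sign with a non-CA key; the client will not care.
issue() {
    signer="$1"; host="$2"; out="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$out.key" -out "$out.csr" 2>/dev/null
    leaf_ext "$host" > "$out.ext"
    openssl x509 -req -in "$out.csr" -CA "$signer.pem" -CAkey "$signer.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$out.ext" \
        -out "$out.pem" 2>/dev/null
}

# is_ca CERT: prints yes if the certificate is allowed to sign other certificates.
is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# verify_chain ANCHORS LEAF [INTERMEDIATE]: validate LEAF using only the
# trust anchors in ANCHORS, as a browser does with its root store. Prints OK or FAIL.
verify_chain() {
    anchors="$1"; leaf="$2"
    if [ -n "${3:-}" ]; then
        extra="-untrusted $3"
    else
        extra=""
    fi
    # $extra is deliberately unquoted so it splits into two arguments
    if openssl verify -no-CApath -CAfile "$anchors" $extra "$leaf" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

new_ca publicRoot                          # stands in for the browser's built-in roots
new_ca myCA                                # the thread's self-generated myCA.pem
issue publicRoot proxy.example.com bought  # the most a public CA will sell you
issue bought www.example.org host_by_bought  # what SSL-Bump would have to mint with it
issue myCA   www.example.org host_by_myCA    # what ssl_crtd mints with the own CA
openssl x509 -in myCA.pem -outform DER -out myCA.der  # the file users must import

echo "bought certificate may act as a CA:          $(is_ca bought.pem)"
echo "host cert via bought cert, browser roots:    $(verify_chain publicRoot.pem host_by_bought.pem bought.pem)"
echo "host cert via myCA, browser roots only:      $(verify_chain publicRoot.pem host_by_myCA.pem)"
echo "host cert via myCA, myCA.der imported:       $(verify_chain myCA.pem host_by_myCA.pem)"
```

The two FAIL lines are the thread in miniature: a purchased certificate carries CA:FALSE and no keyCertSign, so every client rejects a chain that passes through it, and a client that has not imported myCA.der has no trust anchor for the minted certificate. Separately, `sslproxy_cert_error allow all` together with `sslproxy_flags DONT_VERIFY_PEER` in the quoted squid.conf makes Squid accept any certificate from origin servers, so users behind the proxy always see a valid myCA-signed certificate even when the upstream connection is being tampered with; a bumping proxy should verify upstream certificates and surface the errors to clients instead.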
