|
In three words:
Forget about it.
No one in the world permit you to do Man-In-The-Middle-Attack
hidden from users.
CAs in the event of such certificates immediately include it in
the list of untrusted. And you can give up the problems up to
prison for a long time. For violation of the privacy of users. In
other words, users should be aware that there is a proxy hacking
HTTPS in front of them. All other tricks are illegal, at least it
is contrary to ethics.
Forget about it.
I'm seriously.
02.02.2017 3:10, Yuri Voinov пишет:
02.02.2017 2:58, angelv пишет:
Hi,
I need your advice.
I have a transparent proxy running with the self
generated certificates 'myCA.pem', as it is not signed
by a valid entity then I have to import the 'myCA.der'
certificate in all web browsers ...
I want to know where I can buy a valid certificate that
work in Squid.
Nowhere. Due to CA's CPS.
PD:
The proxy is working great
----------------------------------------------------------------------------------------------
Important information for clarity (FreeBSD,
squid-3.5.23 and PF):
Create self-signed certificate for Squid server
# openssl req -new -newkey rsa:2048 -sha256 -days 36500
-nodes -x509 -extensions v3_ca -keyout myCA.pem -out
/usr/local/etc/squid/ssl_cert/myCA.pem -config
/usr/local/etc/squid/ssl_cert/openssl.cnf
# openssl dhparam -outform PEM -out
/usr/local/etc/squid/ssl_cert/dhparam.pem 2048
Create a DER-encoded certificate to import into users'
browsers
# openssl x509 -in
/usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out
/usr/local/etc/squid/ssl_cert/myCA.der
# edit /usr/local/etc/squid/squid.conf
...
# Squid normally listens to port 3128
http_port 3128
# Intercept HTTPS CONNECT messages with SSL-Bump
#
http_port 3129 ssl-bump intercept \
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB \
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
https_port 3130 ssl-bump intercept \
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB \
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
/usr/local/etc/squid/ssl_db -M 4MB
#
acl step1 at_step SslBump1
#
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
#
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
...
PF redirect the traffic to the Squid
# edit /etc/pf.conf
...
# Intercept HTTPS CONNECT messages with SSL-Bump
rdr pass on $int_if inet proto tcp from any to port
https \
-> 127.0.0.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port
https \
-> ::1 port 3130
...
----------------------------------------------------------------------------------------------
--
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
Bugs to the Future
--
Bugs to the Future
|
Attachment:
0x613DEC46.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
