[squid-users] Using subordinate CA for SSL Bump

[Walter H.]

On 14.12.2015 22:26, Yuri Voinov wrote:
>
> Hi all.
>
> Does anybody can tell me - is it possible to use subordinate secondary
> CA in squid for SSL Bumping purpose?
this is possible; I had this for several months this way;
> I.e., we have self-signed primary CA for issue subordinate CA,
>
> subordinate CA we install in squid's setup,
>
> primary CA certificate install to clients.
>
> For example.
>
> For mimicking we'll using subordinate CA, and, in case of subordinate
> key forgery, we can use primary CA to revoke subordinate CA and re-issue
> them without total replacement primary CA on clients.
>
> This will seriously increase bumping security procedure, hm?
no; but there you have to keep some steps, you wouldn't need if squid 
used a root CA certificate; *)
you can replace the sub CA every month without extra work on client side 
because the clients have the root CA in their trust store;
> I've tried this scheme with 3.5.11, but without success.
ok I was using this with 3.4.10

*)  this is more work than someone may think, because you must fake a 
complete CA, this means:

in the sub CA certificate there must be anything neccessary to validate 
it, this means that there must be
an OCSP againt the root, and also a CRL link in the CA certificate 
attributes; and keep in mind
the only user agent in windows honoring the CRL is google's chrome; so 
keep it up to date ...

also there must be link to the root CA inside the sub CA certificate;

there must said something, when doing it this way:
the symbol chrome is showing for SSL connections may be a normal one as 
when there is no MITM ...

Walter


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151217/2742c831/attachment.bin>