[squid-users] Using subordinate CA for SSL Bump
Walter.H at mathemainzel.info
Thu Dec 17 18:54:16 UTC 2015
On 14.12.2015 22:26, Yuri Voinov wrote:
> Hi all.
> Can anybody tell me - is it possible to use a subordinate secondary
> CA in squid for SSL Bumping purposes?
this is possible; I had it this way for several months;
> I.e., we have a self-signed primary CA for issuing a subordinate CA,
> the subordinate CA we install in squid's setup,
> the primary CA certificate we install on the clients.
> For example.
> For mimicking we'll be using the subordinate CA, and, in case of subordinate
> key forgery, we can use the primary CA to revoke the subordinate CA and re-issue
> it without total replacement of the primary CA on the clients.
> This will seriously improve the bumping security procedure, hm?
no; but then you have to take some steps you wouldn't need if squid
used a root CA certificate; *)
you can replace the sub CA every month without extra work on the client side
because the clients have the root CA in their trust store;
> I've tried this scheme with 3.5.11, but without success.
ok I was using this with 3.4.10
*) this is more work than someone may think, because you must fake a
complete CA, this means:
in the sub CA certificate there must be everything necessary to validate
it, this means that there must be
an OCSP against the root, and also a CRL link in the CA certificate
attributes; and keep in mind
the only user agent on windows honoring the CRL is google's chrome; so
keep it up to date ...
also there must be a link to the root CA inside the sub CA certificate;
it must be said, when doing it this way:
the symbol chrome is showing for SSL connections may be a normal one, as
when there is no MITM ...
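Added example, not part of the thread and not squid's own tooling: a small
shell script that builds a root CA plus a subordinate bump CA with OpenSSL,
putting into the sub CA certificate the pointers Walter lists (OCSP and
CA-issuer links in the Authority Information Access extension, a CRL
distribution point, a chain to the root), and then checks that they are
really present before the sub CA is handed to squid. The URLs, subject names
and file names are constructed placeholders; in a real deployment the OCSP
responder, CRL and root certificate must actually be served at those URLs,
otherwise clients will treat the sub CA as unverifiable.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the squid project):
# build root CA -> subordinate bump CA with the validation pointers the
# post calls for, then verify them. All URLs/names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Placeholder URLs: in production these must be reachable by every client.
OCSP_URL="http://pki.example.invalid/ocsp"
CRL_URL="http://pki.example.invalid/root.crl"
ISSUER_URL="http://pki.example.invalid/root.crt"

write_extensions() {
  # Extension profiles for both CAs. pathlen:0 lets the sub CA sign only
  # end-entity (mimicked host) certificates, never further CAs.
  cat > "$WORK/ext.cnf" <<EOF
[ rootca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ subca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
authorityInfoAccess = OCSP;URI:$OCSP_URL, caIssuers;URI:$ISSUER_URL
crlDistributionPoints = URI:$CRL_URL
EOF
}

make_chain() {
  write_extensions
  # Root CA: self-signed and long-lived; only this goes into client trust stores.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Example Root CA (constructed)" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 3650 -sha256 -extfile "$WORK/ext.cnf" -extensions rootca \
    -out "$WORK/root.pem" 2>/dev/null
  # Sub CA: signed by the root and short-lived; this is the key squid bumps
  # with, so it can be revoked and re-issued without touching the clients.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
    -subj "/CN=Example Bump Sub CA (constructed)" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/ext.cnf" -extensions subca \
    -out "$WORK/sub.pem" 2>/dev/null
}

# Does the sub CA chain to the root the clients trust?
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/sub.pem" >/dev/null 2>&1
}

# Is the given fixed string present in the decoded sub CA certificate?
has_ext() {
  openssl x509 -in "$WORK/sub.pem" -noout -text | grep -qF -- "$1"
}

# The checks a validating client will effectively perform on the sub CA.
check_subca() {
  verify_chain &&
  has_ext "CA:TRUE" &&
  has_ext "OCSP - URI:$OCSP_URL" &&
  has_ext "CA Issuers - URI:$ISSUER_URL" &&
  has_ext "URI:$CRL_URL"
}

make_chain
if check_subca; then
  echo "sub CA $WORK/sub.pem is complete: chain, OCSP, CA issuers and CRL pointers present"
else
  echo "sub CA is missing a validation pointer; do not hand it to squid" >&2
fi
```

Squid gets sub.key and sub.pem as its bumping certificate and key, while the
clients get only root.pem. Re-running the script with a fresh sub CA is the
monthly rotation the reply describes; the root key stays where it is.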