[squid-users] Alert unknown CA

Amos Jeffries squid3 at treenet.co.nz
Wed Feb 4 03:16:41 UTC 2015


On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
> 
> Now I have:
> 
> root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l
> 210
> 
> Root and intermediate CAs. Most known ones I could find.
> 
> Note: all of them were found in different places, in addition to 
> Mozilla's bundle shipped with OpenSSL.
> 
> How can I find which one is absent?

Depends on your definition of "absent". If one were being really
serious about security, the Trusted CA list would be empty.**

All the domains using DANE and TLSA DNS records? I am hoping someday
to have Squid fetch and use those instead of the Trusted CA, but that
is a while off. (hint, hint sponsorship welcome etc. and so on).

> 
> And how to support this heap? In practice? Manually with the CLI
> openssl? OK, but how to identify the problem URL when Squid's load
> is over 100 requests per second?

With the cert validator helper I think. Probably something custom.


** The point of the word "Trusted" in Trusted CA is that they have
passed through some difficult criteria to get listed and installed.
Just grabbing CA certs from all over the place is risking a huge
amount. The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs' clients. So dodgy list entries are a VERY big deal.

Amos
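The two practical questions in this exchange, which CA in a bundle gathered from many places is absent, and what one would check with the openssl CLI for a connection that raises an unknown-CA alert, can both be answered offline with the script below. It is an added example, not code from the thread or from the Squid project, and it assumes the openssl CLI is on PATH, that the store is a directory of single-certificate PEM files like the one listed above, and that the server's chain has been saved to a PEM file with the leaf first (the order `openssl s_client -showcerts` prints). It matches issuers to subjects by RFC 2253 DN string only; that is enough to name the CA a store lacks, but real path validation also checks signatures, key identifiers, validity periods and CA constraints, so a chain that closes here is a necessary, not a sufficient, condition. The three-tier test PKI that `make_test_pki` creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not Squid project code.
# Assumes: the openssl CLI is on PATH, the CA store is a directory of
# single-certificate PEM files, and the chain file holds the leaf first
# followed by the intermediates the server sent.
# Issuer/subject matching is by RFC 2253 DN string only (see lead-in).

# dn_of FIELD FILE: print the subject or issuer DN of the first cert in FILE
dn_of() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# store_subjects CADIR: one subject DN per line for every *.pem in the store
store_subjects() {
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue          # empty store: the glob stays literal
    dn_of subject "$f"
  done
}

# split_chain CHAIN OUTDIR: write cert-01.pem, cert-02.pem, ... in chain order
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    n { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$1"
}

# missing_issuer CADIR CHAIN: walk the chain leaf-first. Each cert must be
# issued either by a subject in the store (the chain closes, status 0) or by
# the next cert the server supplied. The first issuer found in neither place
# is printed and the status is 1: that DN is the CA the store is missing.
missing_issuer() {
  cadir=$1 chain=$2
  tmp=$(mktemp -d)
  split_chain "$chain" "$tmp"
  subjects=$(store_subjects "$cadir")
  rc=1 i=1
  while cur=$(printf '%s/cert-%02d.pem' "$tmp" "$i") && [ -f "$cur" ]; do
    issuer=$(dn_of issuer "$cur")
    if printf '%s\n' "$subjects" | grep -Fxq -- "$issuer"; then
      rc=0; break                    # a store certificate signs this one
    fi
    i=$((i + 1))
    nxt=$(printf '%s/cert-%02d.pem' "$tmp" "$i")
    if [ -f "$nxt" ] && [ "$(dn_of subject "$nxt")" = "$issuer" ]; then
      continue                       # the server supplied this issuer itself
    fi
    printf '%s\n' "$issuer"; break   # nobody supplies this issuer: report it
  done
  rm -rf "$tmp"
  return "$rc"
}

# store_orphans CADIR: audit the store itself. Every cert that is not
# self-signed should have its issuer in the store too; print
# "<subject> needs <issuer>" for each one that does not.
store_orphans() {
  subjects=$(store_subjects "$1")
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    subj=$(dn_of subject "$f"); issuer=$(dn_of issuer "$f")
    [ "$subj" = "$issuer" ] && continue          # self-signed root
    printf '%s\n' "$subjects" | grep -Fxq -- "$issuer" \
      || printf '%s needs %s\n' "$subj" "$issuer"
  done
}

# make_test_pki DIR: constructed demo PKI (root -> intermediate -> leaf) plus
# chain.pem holding leaf then intermediate, as a server would send them.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -out "$d/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.pem" \
    -CAkey "$d/inter.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/chain.pem"
}
```

Against a real store one would run `store_orphans /etc/opt/csw/ssl/certs` once to list intermediates whose root was never collected, and `missing_issuer /etc/opt/csw/ssl/certs chain.pem` per failing site, with `chain.pem` captured from the server; the printed DN is the one to look up in a vetted source rather than the first copy found on the web, which is the footnote's point.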

