[squid-users] Trusted CA Certificate with ssl_bump

Yuri Voinov yvoinov at gmail.com
Tue Nov 15 14:28:59 UTC 2016



15.11.2016 20:22, Sergio Belkin wrote:
> Hi,
>
> When using something like that:
>
> http_port 8080 intercept ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB
> cert=/home/proxy/ssl_cert/example.com.cert
> key=/home/proxy/ssl_cert/example.com.private
>
>
> Is it possible to use a certificate generated by a trusted CA?
No.

In theory, if you can force a trusted CA to issue a subordinate
intermediate CA personally to you - yes, it is possible. But forcing a
trusted CA to issue a subordinate CA personally to you is not possible due
to the trusted CA's CPS. To do this you would have to be a trusted CA yourself. I.e.:
pass an audit, have PKI infrastructure, have much money and blah-blah-blah.

So, you can't do SSL bump without user notification.
>
>
> Thanks in advance!
> -- 
> --
> Sergio Belkin
> LPIC-2 Certified - http://www.lpi.org

-- 
Cats - delicious. You just do not know how to cook them.
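
An added example, not part of the original message: with generate-host-certificates=on Squid signs every generated host certificate with the cert=/key= pair, so that certificate must itself be a CA, which an ordinary certificate issued by a public CA is not. The function names and the two sample certificates below are constructed for illustration.

```bash
#!/usr/bin/env bash
# Decide whether a certificate could act as the ssl-bump signing CA:
# it needs basicConstraints CA:TRUE and, if Key Usage is set, keyCertSign.

# Returns 0 if the PEM certificate in $1 may sign other certificates.
can_sign_host_certs() {
    local text
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # Without CA:TRUE, clients reject anything chained under this certificate.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    # A Key Usage extension, when present, must include Certificate Sign.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# Constructed samples (self-signed, throwaway keys) written to directory $1:
# ca.pem is CA-capable, leaf.pem looks like a normal issued server certificate.
make_samples() {
    local dir=$1 kind
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed.example
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    for kind in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -config "$dir/openssl.cnf" -extensions "${kind}_ext" \
            -keyout "$dir/$kind.key" -out "$dir/$kind.pem" 2>/dev/null || return 1
    done
}

# Usage: ./check.sh /path/to/cert.pem
if [ -n "${1:-}" ]; then
    if can_sign_host_certs "$1"; then echo "CA-capable"; else echo "not a CA certificate"; fi
fi
```

Run against the file named in cert=, a result of "not a CA certificate" means browsers will reject every host certificate Squid generates from it, regardless of who issued it.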