[squid-users] Buy Certificates for Squid 'man in the middle'

Yuri Voinov yvoinov at gmail.com
Wed Feb 1 21:10:51 UTC 2017



02.02.2017 2:58, angelv wrote:
> Hi,
>
> I need your advice.
>
> I have a transparent proxy running with the self generated
> certificates 'myCA.pem', as it is not signed by a valid entity then I
> have to import the 'myCA.der' certificate in all web browsers ...
>
> I want to know where I can buy a valid certificate that work in Squid.
Nowhere. Due to CA's CPS.
>
> PD:
> The proxy is working great
>
>
> ----------------------------------------------------------------------------------------------
> Important information for clarity (FreeBSD, squid-3.5.23 and PF):
>
> Create self-signed certificate for Squid server
>
> # openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509
> -extensions v3_ca -keyout myCA.pem  -out
> /usr/local/etc/squid/ssl_cert/myCA.pem -config
> /usr/local/etc/squid/ssl_cert/openssl.cnf
>
> # openssl dhparam -outform PEM -out
> /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
>
> Create a DER-encoded certificate to import into users' browsers
>
> # openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER
> -out /usr/local/etc/squid/ssl_cert/myCA.der
>
>
> # edit /usr/local/etc/squid/squid.conf
> ...
> # Squid normally listens to port 3128
> http_port  3128
>
> # Intercept HTTPS CONNECT messages with SSL-Bump
> #
> http_port  3129 ssl-bump intercept \
>         cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>         dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
> #
> https_port 3130 ssl-bump intercept \
>         cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>         dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
> #
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
> /usr/local/etc/squid/ssl_db -M 4MB
> #
> acl step1 at_step SslBump1
> #
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump bump all
> always_direct allow all
> #
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ...
>
> PF redirect the traffic to the Squid
>
> # edit /etc/pf.conf
> ...
> # Intercept HTTPS CONNECT messages with SSL-Bump
> rdr pass on $int_if inet  proto tcp from any to port https \
>         -> 127.0.0.1 port 3130
> rdr pass on $int_if inet6 proto tcp from any to port https \
>         -> ::1 port 3130
> ...
> ----------------------------------------------------------------------------------------------
> -- 
> Ángel Villa G.
> US +1 (786) 233-9240 | CO +57 (300) 283-6546
> angelvg at gmail.com <mailto:angelvg at gmail.com>
> https://google.com/+AngelVillaG
> https://angelcontents.blogspot.com
>
> "We are all atheists about most of the gods that societies have ever
> believed in. Some of us just go one god further" - Richard Dawkins
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Bugs to the Future
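The following script is an added example and is not part of the thread or of Squid's own tooling. It builds a private root CA the way the quoted ssl-bump configuration needs it (key and certificate in one PEM, basicConstraints CA:TRUE), exports the DER copy the browsers must import, and then uses openssl to show the point behind the "Nowhere" answer: a certificate a public CA will sell you is a leaf (CA:FALSE), and a host certificate signed with it fails chain validation in any client that checks. It assumes openssl is in PATH; every path, the CN values and the openssl.cnf contents are constructed stand-ins for the /usr/local/etc/squid/ssl_cert files in the quoted post, written to a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: build a private root CA the way Squid's
# ssl-bump needs it (key and cert in one PEM, CA:TRUE), export the DER copy the
# browsers must import, and show with openssl why a certificate bought from a
# public CA cannot replace it: it is a leaf (CA:FALSE), and a host certificate
# signed with it fails chain validation. Assumes openssl in PATH; every path
# below is a scratch file, not Squid's ssl_cert directory.

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for /usr/local/etc/squid/ssl_cert/openssl.cnf.
write_cnf() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = Example Squid Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
EOF
}

# Root CA. Squid's cert= without key= expects the private key inside the
# certificate PEM, so key and cert are concatenated into myCA.pem.
make_ca() {
  openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null || return 1
  cat "$WORK/ca.key" "$WORK/ca.crt" > "$WORK/myCA.pem"
  openssl x509 -in "$WORK/myCA.pem" -outform DER -out "$WORK/myCA.der"
}

# issue <cn> <signer.pem> <ext_section> <out.crt>: mint a certificate for <cn>
# signed by the key+cert in <signer.pem>. Per host, this is what ssl_crtd does.
# Also leaves <cn>.pem (key + cert) so the result can itself act as a signer.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$2" -CAkey "$2" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$4" 2>/dev/null || return 1
  cat "$WORK/$1.key" "$4" > "$WORK/$1.pem"
}

# ca_flag <file> <PEM|DER>: print CA:TRUE, CA:FALSE or NONE from basicConstraints.
ca_flag() {
  f=$(openssl x509 -in "$1" -inform "$2" -noout -text 2>/dev/null \
      | sed -n 's/.*\(CA:[A-Z]*\).*/\1/p' | head -n 1)
  echo "${f:-NONE}"
}

# chain_ok <cert> <ca.pem> [untrusted.crt]: exit 0 if <cert> validates against
# <ca.pem>, which is the check a browser performs after importing myCA.der.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

demo() {
  write_cnf && make_ca || return 1
  # Host certificate minted by the private CA: accepted once myCA.der is imported.
  issue www.example.test "$WORK/myCA.pem" v3_leaf "$WORK/host-from-ca.crt" || return 1
  # A server certificate of the kind a public CA sells: CA:FALSE.
  issue proxy.example.test "$WORK/myCA.pem" v3_leaf "$WORK/bought.crt" || return 1
  # Signing a host certificate with that leaf may or may not be refused by
  # openssl itself; either way the resulting chain is invalid (see chain_ok).
  issue mail.example.test "$WORK/proxy.example.test.pem" v3_leaf \
    "$WORK/host-from-leaf.crt" || true
}

demo || exit 1
echo "root CA (DER):        $(ca_flag "$WORK/myCA.der" DER)"
echo "bought-style leaf:    $(ca_flag "$WORK/bought.crt" PEM)"
chain_ok "$WORK/host-from-ca.crt" "$WORK/myCA.pem" \
  && echo "host cert from CA:    valid chain"
chain_ok "$WORK/host-from-leaf.crt" "$WORK/myCA.pem" "$WORK/bought.crt" \
  || echo "host cert from leaf:  rejected"
```

The `chain_ok` step is the same validation a browser does once myCA.der is imported, and the same one Squid can do toward origin servers; in the quoted squid.conf that upstream check is switched off by `sslproxy_flags DONT_VERIFY_PEER` together with `sslproxy_cert_error allow all`, so clients behind the bump see a certificate chaining to the trusted private CA no matter what the origin server presented.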