[squid-users] Buy Certificates for Squid 'man in the middle'
odhiambo at gmail.com
Thu Feb 2 08:49:05 UTC 2017
So we can't even use the free certs from letsencrypt with Squid??
On 2 February 2017 at 11:35, FredB <fredbmail at free.fr> wrote:
> From: http://wiki.squid-cache.org/Features/DynamicSslCert
> "In theory, you must either import your root certificate into browsers or
> instruct users on how to do that. Unfortunately, it is apparently a common
> practice among well-known Root CAs to issue subordinate root certificates.
> If you have obtained such a subordinate root certificate from a Root CA
> already trusted by your users, you do not need to import your certificate
> into browsers. However, going down this path may result in removal of the
> well-known Root CA certificate from browsers around the world. Such a
> removal will make your local SslBump-based infrastructure inoperable until
> you import your certificate, but that may only be the beginning of your
> troubles. Will the affected Root CA go after you to recoup their world-wide
> damages? What will your users do when they learn that you have been
> decrypting their traffic without their consent?"
> The last sentence is ambiguous: the users can know, you can inform them that
> you have been decrypting their traffic.
> There is no difference (from the user's point of view, I mean) between a
> well-known Root CA and a self-signed certificate with a CA injected by a
> local GPO.
> But in practice I don't know how you can do that, just hello I want a
> subordinate root certificate?
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."