<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA256 <br>
<br>
Hm. Interesting.<br>
<br>
You mean to say you use an ordinary server certificate, signed by an
external trusted CA?<br>
<br>
And users can't see the MITM?<br>
<br>
On 25.05.15 22:26, James Lay wrote:<br>
<span style="white-space: pre;">> So following advice and
instructions on this page:<br>
><br>
> <a class="moz-txt-link-freetext" href="http://wiki.squid-cache.org/Features/DynamicSslCert">http://wiki.squid-cache.org/Features/DynamicSslCert</a><br>
><br>
> I have set up my lab with explicit proxy by exporting
http_proxy and<br>
> https_proxy. After creating the self-signed root CA
certificate above<br>
> and creating the .der file for the client, here are my
results:<br>
><br>
> From the squid side:<br>
> 2015/05/25 10:02:20.161| Using certificate<br>
> in /opt/etc/squid/certs/SquidCA.pem<br>
> 2015/05/25 10:02:20.170| support.cc(1743)
readSslX509CertificatesChain:<br>
> Certificate is self-signed, will not be chained<br>
> I get the below when I don't specify a CA with curl,
otherwise when I do<br>
> I get no error:<br>
> 2015/05/25 09:21:02.229| Error negotiating SSL connection on
FD 12:<br>
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca (1/0)<br>
><br>
> And from the client side:<br>
> root@kali:~/test# curl -v <a class="moz-txt-link-freetext" href="https://mail.slave-tothe-box.net">https://mail.slave-tothe-box.net</a><br>
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)<br>
> * Trying 192.168.1.9...<br>
> * connected<br>
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)<br>
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443<br>
>> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1<br>
>> Host: mail.slave-tothe-box.net:443<br>
>> User-Agent: curl/7.26.0<br>
>> Proxy-Connection: Keep-Alive<br>
>><br>
> * Easy mode waiting response from proxy CONNECT<br>
> < HTTP/1.1 200 Connection established<br>
> < <br>
> * Proxy replied OK to CONNECT request<br>
> * successfully set certificate verify locations:<br>
> * CAfile: none<br>
> CApath: /etc/ssl/certs<br>
> * SSLv3, TLS handshake, Client hello (1):<br>
> * SSLv3, TLS handshake, Server hello (2):<br>
> * SSLv3, TLS handshake, CERT (11):<br>
> * SSLv3, TLS alert, Server hello (2):<br>
> * SSL certificate problem: self signed certificate in
certificate chain<br>
> * Closing connection #0<br>
><br>
> And testing with specifying the .der file:<br>
> root@kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v<br>
> <a class="moz-txt-link-freetext" href="https://mail.slave-tothe-box.net">https://mail.slave-tothe-box.net</a><br>
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)<br>
> * Trying 192.168.1.9...<br>
> * connected<br>
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)<br>
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443<br>
>> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1<br>
>> Host: mail.slave-tothe-box.net:443<br>
>> User-Agent: curl/7.26.0<br>
>> Proxy-Connection: Keep-Alive<br>
>><br>
> * Easy mode waiting response from proxy CONNECT<br>
> < HTTP/1.1 200 Connection established<br>
> < <br>
> * Proxy replied OK to CONNECT request<br>
> * error setting certificate verify locations:<br>
> CAfile: /etc/ssl/certs/SquidCA.der<br>
> CApath: /etc/ssl/certs<br>
><br>
> * Closing connection #0<br>
> curl: (77) error setting certificate verify locations:<br>
> CAfile: /etc/ssl/certs/SquidCA.der<br>
> CApath: /etc/ssl/certs<br>
><br>
><br>
> I can confirm that the server is using a bona fide
certificate issued<br>
> from StartSSL and works, so at this point I'm open to
suggestions.<br>
> Thank you.<br>
><br>
> James<br>
><br>
><br>
><br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBCAAGBQJVY1MBAAoJENNXIZxhPexGlcYH/2T/L153ynVqn3s9epC7Pwvv
<br>
FxjHoamGMum6XJFooUZvQA0kaRzqhQSHduU0i6n4zWEowA4HgLkWrVeRrV/jXhxT
<br>
CbcZ+KYrO+UAMxrB04r+b4WQl6OZFcoj0ne+WecsJqgH108GGyrA+at6ibvFVNLl
<br>
ruiDntnH7fGuFV/o0J/hQfcxuHNDS7uND4iji7rSih2hIIET1ohG7EkppIaKwUAq
<br>
DHA9PtNTmF27eCZuNFXVXxbAjXsRy9NYGC+rwzmFT0Sw2A8KCKl/XBBylu+IRJqv
<br>
0TscKQeb/LH9/Jkuh5v2KMLjGaoo7hyqY8q/sjnZVySYy2wKXuXolMbYb+vyla4=
<br>
=XVIS
<br>
-----END PGP SIGNATURE-----
<br>
<br>
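The two curl failures quoted in the thread have different causes, and both can be checked offline. The script below is an added example, not code from this thread, from the Squid project or from the wiki page linked above. It builds a throwaway self-signed CA in the role of SquidCA.pem, exports it to DER the way the wiki has you hand it to clients, and then shows (1) that curl's --cacert (with the OpenSSL backend) only loads PEM, which is why pointing it at SquidCA.der produced "error setting certificate verify locations" (curl exit 77) before any TLS handshake, and that a DER-to-PEM conversion fixes it; and (2) that a client whose trust store does not contain the lab CA rejects the per-host leaf Squid mints, which is the "self signed certificate in certificate chain" error from the first run. The CA name, the host mail.example.test, the temp directory and the file names are constructed for this example; only the SquidCA.pem/.der names mirror the thread.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Reproduces offline why
#   curl --cacert /etc/ssl/certs/SquidCA.der ...
# fails with "error setting certificate verify locations" (curl exit 77):
# --cacert (OpenSSL backend) loads PEM only. Also shows the untrusted-CA
# rejection seen without --cacert. CA, host and paths are constructed.
set -e
WORK=$(mktemp -d)

# Throwaway self-signed CA standing in for SquidCA.pem from the wiki recipe.
# An explicit config pins the CA extensions regardless of OpenSSL version.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Lab Squid CA (example)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/SquidCA.key" -out "$WORK/SquidCA.pem" 2>/dev/null
    # DER export, the form the wiki has you distribute to clients.
    openssl x509 -in "$WORK/SquidCA.pem" -outform DER -out "$WORK/SquidCA.der"
}

# Exit 0 only if $1 is a PEM certificate file, the only input --cacert accepts.
is_pem_ca() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
        openssl x509 -inform PEM -noout -in "$1" >/dev/null 2>&1
}

# The fix for the exit-77 case: convert the DER export to PEM.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Mint a leaf for host $1 signed by the lab CA, as Squid does per visited host.
make_leaf() {
    openssl req -new -nodes -newkey rsa:2048 -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/SquidCA.pem" -CAkey "$WORK/SquidCA.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Exit 0 if a client trusting only the CA bundle $2 (no system store) accepts
# leaf $1. A DER bundle fails to load, so verification fails just like curl's.
verify_leaf() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo run.
make_ca
make_leaf mail.example.test
if is_pem_ca "$WORK/SquidCA.der"; then
    echo "unexpected: DER file loaded as PEM"
else
    echo "SquidCA.der is not PEM: this is the curl exit 77 case"
fi
der_to_pem "$WORK/SquidCA.der" "$WORK/SquidCA-from-der.pem"
if verify_leaf "$WORK/mail.example.test.crt" "$WORK/SquidCA-from-der.pem"; then
    echo "leaf accepted once the converted PEM CA is trusted"
fi
if ! verify_leaf "$WORK/mail.example.test.crt" "$WORK/SquidCA.der"; then
    echo "leaf rejected with the DER file: issuer untrusted, as in the first run"
fi
```

The conversion step is the only change the client side needs here: run `openssl x509 -inform DER -in SquidCA.der -out SquidCA.pem` and point `--cacert` at the PEM file (or add it to the system CA directory and rehash) instead of at the .der.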
</body>
</html>