<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>In three words:</p>
<p>Forget about it.</p>
<p>No one in the world permit you to do Man-In-The-Middle-Attack
hidden from users.</p>
<p>CAs in the event of such certificates immediately include it in
the list of untrusted. And you can give up the problems up to
prison for a long time. For violation of the privacy of users. In
other words, users should be aware that there is a proxy hacking
HTTPS in front of them. All other tricks are illegal, at least it
is contrary to ethics.</p>
<p>Forget about it.<br>
</p>
I'm seriously.<br>
<br>
<div class="moz-cite-prefix">02.02.2017 3:10, Yuri Voinov пишет:<br>
</div>
<blockquote
cite="mid:564802ba-ce3b-d241-7b67-e1d4c45936e3@gmail.com"
type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">02.02.2017 2:58, angelv пишет:<br>
</div>
<blockquote
cite="mid:CA+wWuAxGYRCkEptmgQx6ezeH3O9MH5Z9QT4bNoo_Nnz+=G4Kig@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><span id="gmail-result_box" class="gmail-" lang="en"><span
class="gmail-">Hi,<br>
</span></span></div>
<div><span id="gmail-result_box" class="gmail-" lang="en"><span
class="gmail-"><br>
I need your advice.<br>
<br>
I have a transparent proxy running with the self
generated certificates 'myCA.pem', as it is not signed
by a valid entity then I have to import the 'myCA.der'
certificate in all web browsers ...<br>
<br>
I want to know where I can buy a valid certificate that
work in Squid.</span></span></div>
</div>
</blockquote>
Nowhere. Due to CA's CPS.<br>
<blockquote
cite="mid:CA+wWuAxGYRCkEptmgQx6ezeH3O9MH5Z9QT4bNoo_Nnz+=G4Kig@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><span id="gmail-result_box" class="gmail-" lang="en"><span
class="gmail-"></span></span></div>
<div>
<div>
<div><br>
</div>
<div>PD:<br>
</div>
<div>The proxy is working great<br>
</div>
<div><br>
<br>
----------------------------------------------------------------------------------------------<br>
</div>
<div>Important information for clarity (FreeBSD,
squid-3.5.23 and PF):<br>
<br>
</div>
<div>Create self-signed certificate for Squid server<br>
<br>
# openssl req -new -newkey rsa:2048 -sha256 -days 36500
-nodes -x509 -extensions v3_ca -keyout myCA.pem -out
/usr/local/etc/squid/ssl_cert/myCA.pem -config
/usr/local/etc/squid/ssl_cert/openssl.cnf<br>
<br>
# openssl dhparam -outform PEM -out
/usr/local/etc/squid/ssl_cert/dhparam.pem 2048<br>
<br>
Create a DER-encoded certificate to import into users'
browsers<br>
<br>
# openssl x509 -in
/usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out
/usr/local/etc/squid/ssl_cert/myCA.der<br>
<br>
<br>
</div>
<div># edit /usr/local/etc/squid/squid.conf<br>
...<br>
# Squid normally listens to port 3128<br>
http_port 3128<br>
<br>
# Intercept HTTPS CONNECT messages with SSL-Bump<br>
#<br>
http_port 3129 ssl-bump intercept \<br>
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \<br>
generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB \<br>
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem<br>
#<br>
https_port 3130 ssl-bump intercept \<br>
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \<br>
generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB \<br>
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem<br>
#<br>
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
/usr/local/etc/squid/ssl_db -M 4MB<br>
#<br>
acl step1 at_step SslBump1<br>
#<br>
ssl_bump peek step1<br>
ssl_bump stare all<br>
ssl_bump bump all<br>
always_direct allow all<br>
#<br>
sslproxy_cert_error allow all<br>
sslproxy_flags DONT_VERIFY_PEER<br>
</div>
<div>...<br>
<br>
</div>
<div>PF redirect the traffic to the Squid<br>
<br>
# edit /etc/pf.conf<br>
...<br>
# Intercept HTTPS CONNECT messages with SSL-Bump<br>
rdr pass on $int_if inet proto tcp from any to port
https \<br>
-> 127.0.0.1 port 3130<br>
rdr pass on $int_if inet6 proto tcp from any to port
https \<br>
-> ::1 port 3130<br>
</div>
<div>...<br>
----------------------------------------------------------------------------------------------<br>
-- <br>
<div class="gmail_signature">
<div dir="ltr">
<div>Ángel Villa G.<br>
US +1 (786) 233-9240 | CO +57 (300) 283-6546<br>
<a moz-do-not-send="true"
href="mailto:angelvg@gmail.com" target="_blank">angelvg@gmail.com</a><br>
<a moz-do-not-send="true"
href="https://google.com/+AngelVillaG"
target="_blank">https://google.com/+AngelVillaG</a><br>
<a moz-do-not-send="true"
href="https://angelcontents.blogspot.com"
target="_blank">https://angelcontents.blogspot.com</a><br>
<br>
"We are all atheists about most of the gods that
societies have ever believed in. Some of us just
go one god further" - Richard Dawkins</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
squid-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Bugs to the Future</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
Bugs to the Future</div>
</body>
</html>