<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>In three words:</p>
    <p>Forget about it.</p>
    <p>No one in the world permits you to do a Man-In-The-Middle attack
      hidden from users.</p>
    <p>CAs, in the event of such certificates, immediately include them in
      the list of untrusted ones. And you can get into problems up to
      prison for a long time, for violation of the privacy of users. In
      other words, users should be aware that there is a proxy hacking
      HTTPS in front of them. All other tricks are illegal; at the least,
      they are contrary to ethics.</p>
    <p>Forget about it.<br>
    </p>
    I'm serious.<br>
    <br>
    <div class="moz-cite-prefix">02.02.2017 3:10, Yuri Voinov wrote:<br>
    </div>
    <blockquote
      cite="mid:564802ba-ce3b-d241-7b67-e1d4c45936e3@gmail.com"
      type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <p><br>
      </p>
      <br>
      <div class="moz-cite-prefix">02.02.2017 2:58, angelv wrote:<br>
      </div>
      <blockquote
cite="mid:CA+wWuAxGYRCkEptmgQx6ezeH3O9MH5Z9QT4bNoo_Nnz+=G4Kig@mail.gmail.com"
        type="cite">
        <div dir="ltr">
          <div><span id="gmail-result_box" class="gmail-" lang="en"><span
                class="gmail-">Hi,<br>
              </span></span></div>
          <div><span id="gmail-result_box" class="gmail-" lang="en"><span
                class="gmail-"><br>
                I need your advice.<br>
                <br>
                I have a transparent proxy running with the self-generated
                certificate 'myCA.pem'; as it is not signed by a valid
                entity, I have to import the 'myCA.der' certificate into
                all web browsers ...<br>
                <br>
                I want to know where I can buy a valid certificate that
                works in Squid.</span></span></div>
        </div>
      </blockquote>
      Nowhere. Due to the CAs' CPS.<br>
      <blockquote
cite="mid:CA+wWuAxGYRCkEptmgQx6ezeH3O9MH5Z9QT4bNoo_Nnz+=G4Kig@mail.gmail.com"
        type="cite">
        <div dir="ltr">
          <div><span id="gmail-result_box" class="gmail-" lang="en"><span
                class="gmail-"></span></span></div>
          <div>
            <div>
              <div><br>
              </div>
              <div>P.S.:<br>
              </div>
              <div>The proxy is working great<br>
              </div>
              <div><br>
                <br>
----------------------------------------------------------------------------------------------<br>
              </div>
              <div>Important information for clarity (FreeBSD,
                squid-3.5.23 and PF):<br>
                <br>
              </div>
              <div>Create self-signed certificate for Squid server
                <pre># openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 \
    -extensions v3_ca -keyout myCA.pem -out /usr/local/etc/squid/ssl_cert/myCA.pem \
    -config /usr/local/etc/squid/ssl_cert/openssl.cnf

# openssl dhparam -outform PEM -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
</pre>
                Create a DER-encoded certificate to import into users' browsers
                <pre># openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER \
    -out /usr/local/etc/squid/ssl_cert/myCA.der
</pre>
              </div>
              <div>
                <pre># edit /usr/local/etc/squid/squid.conf
...
# Squid normally listens to port 3128
http_port  3128

# Intercept HTTPS CONNECT messages with SSL-Bump
#
http_port  3129 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
https_port 3130 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB
#
acl step1 at_step SslBump1
#
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
#
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
</pre>
              </div>
              <div>...<br>
                <br>
              </div>
              <div>PF redirects the traffic to Squid
                <pre># edit /etc/pf.conf
...
# Intercept HTTPS CONNECT messages with SSL-Bump
rdr pass on $int_if inet  proto tcp from any to port https \
        -> 127.0.0.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port https \
        -> ::1 port 3130
</pre>
              </div>
              <div>...<br>
----------------------------------------------------------------------------------------------<br>
                -- <br>
                <div class="gmail_signature">
                  <div dir="ltr">
                    <div>Ángel Villa G.<br>
                      US +1 (786) 233-9240 | CO +57 (300) 283-6546<br>
                      <a moz-do-not-send="true"
                        href="mailto:angelvg@gmail.com" target="_blank">angelvg@gmail.com</a><br>
                      <a moz-do-not-send="true"
                        href="https://google.com/+AngelVillaG"
                        target="_blank">https://google.com/+AngelVillaG</a><br>
                      <a moz-do-not-send="true"
                        href="https://angelcontents.blogspot.com"
                        target="_blank">https://angelcontents.blogspot.com</a><br>
                      <br>
                      "We are all atheists about most of the gods that
                      societies have ever believed in. Some of us just
                      go one god further" - Richard Dawkins</div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
squid-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
      </blockquote>
      <br>
      <div class="moz-signature">-- <br>
        Bugs to the Future</div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      Bugs to the Future</div>
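    <p>Added note on the SSL-Bump configuration quoted above (an editor's
      example, not part of this thread and not the Squid project's own
      text): the posted squid.conf contains
      <code>sslproxy_cert_error allow all</code> and
      <code>sslproxy_flags DONT_VERIFY_PEER</code>, which together make
      Squid accept whatever certificate an origin server presents. A
      bumped client only ever sees a certificate signed by myCA, so it
      loses the browser warning it would normally get for a forged,
      expired or mis-issued origin certificate, and a second interceptor
      sitting between the proxy and the Internet goes unnoticed. The
      fragment below shows the weak lines beside a hardened form for Squid
      3.5; the CA bundle path is an assumption (it is where the FreeBSD
      <code>security/ca_root_nss</code> port installs one).</p>
```conf
# --- Weak (as posted): Squid trusts every origin server certificate ---
# Every validation error is bypassed and peer verification is switched off.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# --- Hardened: verify origin certificates against a real trust store ---
# CA bundle path is an assumption; point it at the bundle installed on the
# proxy host (the FreeBSD ca_root_nss port places one here).
sslproxy_cafile /usr/local/share/certs/ca-root-nss.crt
# Do not set DONT_VERIFY_PEER; leave sslproxy_flags out entirely.
# Do not bypass validation errors. This is also Squid's behaviour when the
# directive is absent, but stating it makes the intent visible to the next
# person who edits the file.
sslproxy_cert_error deny all
```
    <p>After <code>squid -k parse</code> and <code>squid -k reconfigure</code>,
      a client behind the proxy that visits a site with a bad certificate
      should receive a Squid error rather than a page under a clean
      padlock; if such a site still loads, search the file for another
      <code>sslproxy_cert_error allow</code> line that is still bypassing
      the check. None of this changes the point made in the thread: the
      users behind the proxy still need to be told that their HTTPS traffic
      is being bumped.</p>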
  </body>
</html>