[squid-users] Alert unknown CA

Daniel Greenwald dig at digcorp.net
Wed Feb 4 05:47:50 UTC 2015


Amos Wrote:
The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs' clients.

And it happens to be one that Squid desperately needs to remain in order to
continue SSL bumping.


-----------
Daniel I Greenwald



On Tue, Feb 3, 2015 at 7:16 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

>
> On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
> >
> > Now I have:
> >
> > root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l
> > 210
> >
> > root and intermediate CAs. Most known ones I could find.
> >
> > Note: all of them were found in different places, in addition to
> > Mozilla's bundle shipped with OpenSSL.
> >
> > How can I find which is absent?
>
> Depends on your definition of "absent". If one was being really
> serious about the security the Trusted CA list would be empty.**
>
> All the domains using DANE and TLSA DNS records? I am hoping someday
> to have Squid fetch and use those instead of the Trusted CA, but that
> is a while off. (hint, hint sponsorship welcome etc. and so on).
>
> >
> > And how to support this heap in practice? Manually with the
> > openssl CLI? OK, but how to identify the problem URL when Squid's
> > load is over 100 requests per second?
>
> With the cert validator helper I think. Probably something custom.
>
>
> ** The point of the word "Trusted" in Trusted CA is that they have
> passed through some difficult criteria to get listed and installed.
> Just grabbing CA certs from all over the place is risking a huge
> amount. The major well-known security flaw in the whole TLS/SSL system
> is that any one of the Trusted CAs is capable of forging signatures on
> other CAs' clients. So dodgy list entries are a VERY big deal.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
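The check Yuri asks for and the risk Amos describes both come down to comparing a hand-assembled CA directory with a vetted bundle. The following is an added example, not code from the thread or from Squid: stdlib-only Python that fingerprints every PEM certificate in a local store and in a reference bundle, then lists local entries the reference does not vouch for and reference entries that are absent locally. The directory and bundle paths are assumptions, and the sample PEM blocks are constructed placeholders rather than real certificates.

```python
"""Audit a hand-assembled CA directory against a vetted reference bundle.

Added example, not from the thread. Each CERTIFICATE block in the local store
and in the reference bundle is keyed by SHA-256 fingerprint: local entries the
reference lacks are unvouched, reference entries with no local copy are absent.
"""
import base64
import hashlib
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_blocks(pem_text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM text."""
    for body in PEM_BLOCK.findall(pem_text):
        yield base64.b64decode("".join(body.split()))

def fingerprint(der):
    """SHA-256 over the DER, as 'openssl x509 -sha256 -fingerprint' prints it."""
    return hashlib.sha256(der).hexdigest()

def audit(local_files, reference_text):
    """local_files maps file name -> PEM text. Returns (unvouched, absent):
    unvouched = {fingerprint: [file names]} for local certs not in the reference,
    absent = set of reference fingerprints with no local copy."""
    reference = {fingerprint(der) for der in der_blocks(reference_text)}
    local = {}
    for name, text in local_files.items():
        for der in der_blocks(text):
            local.setdefault(fingerprint(der), []).append(name)
    unvouched = {fp: names for fp, names in local.items() if fp not in reference}
    return unvouched, reference - set(local)

def audit_dir(cert_dir, reference_bundle):
    """Run audit() over the *.pem files in a directory (paths are assumptions)."""
    files = {n: open(os.path.join(cert_dir, n)).read()
             for n in os.listdir(cert_dir) if n.endswith(".pem")}
    return audit(files, open(reference_bundle).read())

def _pem(payload):
    """Wrap bytes as a PEM block; used only for the constructed sample below."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder blocks, not real CA certificates.
SAMPLE_REFERENCE = _pem(b"vetted root A") + _pem(b"vetted root B")
SAMPLE_LOCAL = {"rootA.pem": _pem(b"vetted root A"),
                "grabbed.pem": _pem(b"cert grabbed from a random site")}
```

Against a real store, `audit_dir("/etc/opt/csw/ssl/certs", "/path/to/mozilla-bundle.pem")` returns the file names to review first (unvouched) and the fingerprints still to be fetched (absent); fingerprints match what `openssl x509 -sha256 -fingerprint` prints, minus the colons.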