[squid-users] Alert unknown CA

Yuri Voinov yvoinov at gmail.com
Wed Feb 4 08:52:47 UTC 2015



On 04.02.2015 9:16, Amos Jeffries wrote:
> On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
>
> > Now I have:
>
> > root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l
> > 210
>
> > root and intermediate CAs. Most of the known ones I could find.
>
> > Note: all of them were found in different places, in addition to
> > Mozilla's bundle, shipped with OpenSSL.
>
> > How can I find which one is absent?
>
> Depends on your definition of "absent". If one was being really
> serious about the security the Trusted CA list would be empty.**
It's not my definition. Squid tells me this. :) It reports it as an unknown CA.

>
> All the domains using DANE and TLSA DNS records? I am hoping someday
> to have Squid fetch and use those instead of the Trusted CA, but that
> is a while off. (hint, hint sponsorship welcome etc. and so on).
>
>
> > And how to maintain this heap? In practice? Manually with the
> > openssl CLI? OK, but how to identify the problem URL when Squid's load
> > is over 100 requests per second?
>
> With the cert validator helper I think. Probably something custom.
Agrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhh........ Will think.
>
>
> ** The point of the word "Trusted" in Trusted CA is that they have
> passed through some difficult criteria to get listed and installed.
> Just grabbing CA certs from all over the place is risking a huge
> amount. The major well-known security flaw in the whole TLS/SSL system
> is that any one of the Trusted CAs is capable of forging signatures on
> other CAs' clients. So dodgy list entries are a VERY big deal.
Agreed. Of course, CAs can't be got from just anywhere. At minimum, from
the providers' sites.

On the other hand, not every one of them can be checked (and could not be)
in depth. We just get it and trust. This is the wrong concept, but we have
nothing else....

>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

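The check the thread is circling around, as an added example (not Squid code and not from either poster): given a server certificate and a hashed CA directory like the one above, follow the issuer chain through the directory the way OpenSSL's -CApath lookup does and name the first CA that is missing, which is the certificate Squid would report as an unknown CA. It assumes a POSIX sh with an OpenSSL 1.1.0 or newer CLI (for `openssl rehash`; older builds use c_rehash), builds a constructed three-level test PKI instead of touching real CAs, and the function names and CN values (Test Root, Test Intermediate, www.example.test) are hypothetical. The same walk is what a custom cert validator helper (sslcrtvalidator_program), or a script fed the hosts from Squid's log and a chain fetched with `openssl s_client -showcerts`, would run per failing server.

```shell
#!/bin/sh
# Added example, not Squid code: walk a server certificate's issuer chain
# through a hashed CA directory (like /etc/opt/csw/ssl/certs) and name the
# first CA the directory does not contain. Needs openssl 1.1.0+ for rehash.
set -eu

# Build a constructed root -> intermediate -> leaf PKI in directory $1.
# Throwaway keys and hypothetical names; nothing here is a real CA.
build_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" >/dev/null 2>&1
}

# find_missing_issuer CAPATH CERT
# Follows issuer hashes the way OpenSSL's -CApath lookup does (HASH.N links
# made by `openssl rehash`). Prints "ok" once a self-signed certificate that
# is itself in the directory is reached; otherwise prints
# "missing: <issuer DN>" for the first link that cannot be found and returns 1.
find_missing_issuer() {
  capath=$1
  cert=$2
  while :; do
    subj=$(openssl x509 -in "$cert" -noout -subject_hash)
    iss=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$subj" = "$iss" ]; then
      # Self-signed: trusted only if the store holds this very certificate.
      if [ -e "$capath/$subj.0" ]; then
        echo ok
        return 0
      fi
      echo "missing: $(openssl x509 -in "$cert" -noout -subject)"
      return 1
    fi
    next=$(ls "$capath/$iss".[0-9]* 2>/dev/null | head -n 1)
    if [ -z "$next" ]; then
      echo "missing: $(openssl x509 -in "$cert" -noout -issuer)"
      return 1
    fi
    cert=$next
  done
}

# Demo: a store that holds only the root, as an incomplete bundle would.
WORK=$(mktemp -d)
CAPATH=$WORK/certs
mkdir "$CAPATH"
build_test_pki "$WORK"
cp "$WORK/root.pem" "$CAPATH/"
openssl rehash "$CAPATH" 2>/dev/null
# What the proxy sees as "unknown CA": error 20, unable to get local issuer.
openssl verify -CApath "$CAPATH" "$WORK/leaf.pem" || true
find_missing_issuer "$CAPATH" "$WORK/leaf.pem" || true   # names Test Intermediate

# Add the intermediate, re-hash, and the chain closes.
cp "$WORK/int.pem" "$CAPATH/"
openssl rehash "$CAPATH" 2>/dev/null
find_missing_issuer "$CAPATH" "$WORK/leaf.pem"            # ok
rm -rf "$WORK"
```

The walk deliberately stops at the first gap rather than running `openssl verify`, because the missing issuer's DN is the thing an operator needs in order to decide whether to fetch that CA from its provider's site; `openssl verify` only says "unable to get local issuer certificate" at some depth. Re-run `openssl rehash` whenever a PEM file is added to the directory, otherwise the new CA is present on disk but invisible to -CApath lookups, which is one way a 210-file directory still produces unknown CA alerts.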
