[squid-users] SSL Bump, CA Cert
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 30 04:42:04 UTC 2015
On 30/01/2015 1:43 p.m., Christian Kundela wrote:
> Dear all,
>
> I have problems setting up explicit proxy. (intercept tcp 80 no problem)
>
> If I do a self-signed cert, and I install it in Firefox or IE, no problem.
>
> But if I use a CA cert (I am using a signed cert from cacert.org), SSL
> sites only load TXT and no pictures ... is this what I see when something is
> wrong with the key or something else?
> (Installed also all certs from cacert.org (also Firefox addons))
Something is definitely wrong with your understanding of TLS/SSL.
You are not alone in this, we get people every few weeks asking about
this same "problem".
>
> Key, CSR is generated with:
> openssl genrsa -out /etc/squid/squid.key 2048
> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
>
> Signed on the site cacert.org. TXT put into /etc/squid/squid.crt
>
> My question: what CA cert does Squid expect? Wildcard *? As common name I
> chose www.mydomain.net (this is an example; for the CSR I used my real domain
> name).
SSL-Bump cert generator requires both public and *private* security key
for a CA which is eligible to generate signed certificates.
To do what you are trying with a cacert.org signed certificate chain you
would need to have a copy of the private key belonging to cacert.org.
Or, to somehow convince them to grant *you* the same worldwide powers
and responsibilities that the global Trusted CA organisations have.
I hope you can see why that is not possible?
>
> How can I trace this problem (debug), or is the cert wrong? I'm stuck here ...
>
Use the self-signed cert in the way that you found works.
There are two situations where certificate generation is potentially
legitimately used:
1) if you have legal authority to install your self-signed CA into the
client browser,
- cacert.org and other Trusted CA organisations are unnecessary.
2) if you own the domain being visited and are only delivering the cert
cacert.org verified as belonging to you.
- interception of the traffic is unnecessary.
In neither situation do a Trusted CA signed certificate and interception
happen together.
Definitely do check up on your local laws. In some countries it's outright
illegal to use that Squid feature, others require a govt license, etc.
Amos
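The point Amos makes above (the SSL-Bump generator needs a real CA, private key included, and a cacert.org-signed server certificate is not one) can be checked directly with the openssl CLI. The script below is an added example, not code from this thread or from the Squid project. It assumes openssl is installed, builds a throw-away self-signed CA with the CA:TRUE bit (situation 1 in the reply), issues an ordinary server certificate from it as a stand-in for the cacert.org-signed squid.crt (situation 2), and then shows why a chain built on that server certificate is rejected. All subjects, file names and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not code from Amos or the Squid project).
# Assumes the openssl CLI is installed. All files go to a temporary directory;
# every subject name and file name below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1) A self-signed CA of the kind SSL-Bump needs: private key plus a cert
#    whose basicConstraints says CA:TRUE and whose keyUsage allows keyCertSign.
make_bump_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Squid Bump CA (constructed)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -keyout "$WORK/bumpCA.key" -out "$WORK/bumpCA.crt" 2>/dev/null
}

# 2) An ordinary server certificate issued by some CA (stand-in for the
#    cacert.org-signed squid.crt in the thread): CA:FALSE, no keyCertSign.
#    $1 = issuer cert, $2 = issuer key, $3 = output basename, $4 = CN and SAN
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' \
    "$4" > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$3.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 365 -extfile "$WORK/$3.ext" -out "$WORK/$3.crt" 2>/dev/null
}

# Print "yes" if a certificate is eligible to sign other certificates
# (basicConstraints CA:TRUE), else "no".
is_signing_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Verify a leaf against a trust anchor, optionally through an intermediate.
# $1 = trusted CA file, $2 = leaf cert, $3 = (optional) untrusted intermediate
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

build_demo() {
  make_bump_ca
  # Situation 2 from the reply: a server cert for your own domain, CA-signed.
  issue_server_cert "$WORK/bumpCA.crt" "$WORK/bumpCA.key" server www.mydomain.net
  # What SSL-Bump would have to do if given only that server cert: use it to
  # sign a cert for some other site. openssl writes the bytes, but the chain
  # is invalid because the "issuer" is not a CA, so every client rejects it.
  issue_server_cert "$WORK/server.crt" "$WORK/server.key" bogus www.example.org
}

build_demo
echo "bumpCA.crt is a CA: $(is_signing_ca "$WORK/bumpCA.crt")"
echo "server.crt is a CA: $(is_signing_ca "$WORK/server.crt")"
verify_chain "$WORK/bumpCA.crt" "$WORK/server.crt" \
  && echo "server.crt chains to bumpCA.crt: OK"
verify_chain "$WORK/bumpCA.crt" "$WORK/bogus.crt" "$WORK/server.crt" \
  || echo "bogus.crt issued by a non-CA: rejected, as a browser would reject it"
```

The pair bumpCA.key / bumpCA.crt is what Squid's generator needs (the `cert=` / `key=` options of `http_port` with `generate-host-certificates=on`, assuming Squid 3.x syntax), and bumpCA.crt is the thing that has to be installed in the client browser. The cacert.org-signed squid.crt corresponds to server.crt here: useful for serving your own domain, useless as an issuer.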