[squid-users] SSL Bump, CA Cert

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 30 04:42:04 UTC 2015 

On 30/01/2015 1:43 p.m., Christian Kundela wrote:
> Dear all,
> 
> I have problems setting up explicit proxy. (interrcept tcp 80 no problem)
> 
> If i doaself signed Cert, and i install it in Firefox or IE, no problem.
> 
> but if i use a CA-Cert i am using a signed cert from cacert.org, SSl
> Site only TXT loaded and no pictures ... this i know, when something is
> wrong with keyor else ?
> (Install also all certs from cacert.org (also Firefox addons))

Something is definitely wrong with your understanding of TLS/SSL.

You are not alone in this, we get people every few weeks asking about
this same "problem".

> 
> Key, CSR is generatedwith:
> openssl genrsa -out /etc/squid/squid.key 2048
> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
> 
> Signed on the sitecacert.org.TXT put into /etc/squid/squid.crt
> 
> My question: what CA Cert Squid expects ? wildcard * ? as common name i
> choose www.mydomain.net (is an example, for csr i used my real domain
> name).

SSL-Bump cert generator requires both public and *private* security key
for a CA which is eligible to generate signed certificates.

To do what you are trying with a cacert.org signed certificate chain you
would need to have a copy of the private key belonging to cacert.org.
Or, to somehow convince them to grant *you* the same worldwide powers
and responsibilities that the global Trusted CA organisations have.

I hope you can see why that is not possible?


> 
> How can trace this Problem (debug)or is the Cert wrong ?i stuck here ...
> 

Use the self-signed cert in the way that you found works.

There are two situations where certificate generation is potentially
legitimately used:
 1) if you have legal authority to install your self-signed CA into the
client browser,
  - cacert.org and other Trusted CA organisations are unnecessary.

 2) if you own the domain being visited and are only delivering the cert
cacert.org verified as belonging to you.
  - interception of the traffic is unnecessary.

In neither situation do a Trusted CA signed certificate and interception
happen together.


Definitely do check up your local laws. Some countries its outright
illegal to use that Squid feature, others require a govt license, etc.

Amos

More information about the squid-users mailing list