[squid-users] SSL Bump, CA Cert

Yuri Voinov yvoinov at gmail.com
Fri Jan 30 11:19:24 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Amos,

This question is already ready for the FAQ.

Time to write an article in the Squid Wiki? :)

This question pops up every week.

WBR, Yuri

30.01.2015 10:42, Amos Jeffries wrote:
> On 30/01/2015 1:43 p.m., Christian Kundela wrote:
>> Dear all,
>>
>> I have problems setting up an explicit proxy. (Intercepting TCP 80: no problem.)
>>
>> If I use a self-signed cert and install it in Firefox or IE, no problem.
>>
>> But if I use a CA cert (I am using a signed cert from cacert.org), the SSL
>> site loads only text and no pictures ... this, as far as I know, is when something is
>> wrong with the key, or else?
>> (I also installed all certs from cacert.org (also the Firefox add-ons).)
>
> Something is definitely wrong with your understanding of TLS/SSL.
>
> You are not alone in this, we get people every few weeks asking about
> this same "problem".
>
>>
>> Key and CSR are generated with:
>> openssl genrsa -out /etc/squid/squid.key 2048
>> openssl req -new -key /etc/squid/squid.key -out /etc/squid/squid.csr
>>
>> Signed on the site cacert.org. The TXT is put into /etc/squid/squid.crt.
>>
>> My question: what CA cert does Squid expect? A wildcard *? As common name I
>> chose www.mydomain.net (this is an example; for the CSR I used my real domain
>> name).
>
> SSL-Bump cert generator requires both public and *private* security key
> for a CA which is eligible to generate signed certificates.
>
> To do what you are trying with a cacert.org signed certificate chain you
> would need to have a copy of the private key belonging to cacert.org.
> Or, to somehow convince them to grant *you* the same worldwide powers
> and responsibilities that the global Trusted CA organisations have.
>
> I hope you can see why that is not possible?
>
>
>>
>> How can I trace this problem (debug), or is the cert wrong? I'm stuck here ...
>>
>
> Use the self-signed cert in the way that you found works.
>
> There are two situations where certificate generation is potentially
> legitimately used:
>  1) if you have legal authority to install your self-signed CA into the
> client browser,
>   - cacert.org and other Trusted CA organisations are unnecessary.
>
>  2) if you own the domain being visited and are only delivering the cert
> cacert.org verified as belonging to you.
>   - interception of the traffic is unnecessary.
>
> In neither situation do a Trusted CA signed certificate and interception
> happen together.
>
>
> Definitely do check up on your local laws. In some countries it is outright
> illegal to use that Squid feature, others require a govt license, etc.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBAgAGBQJUy2i8AAoJENNXIZxhPexGyV0H/R/uVgotfAKEUqrLdC5ieCHj
A7M9Ef+4/3D8Z0l7GFb31TWEAA6L2H4q857QvmefA4Tgd4Jo14X1tA7oi5HQgv3G
i0l+e7a0MBsxdKy5nO0vWBQEoghmj9qlhi5azfsKslINhlejmmrGhNNP2RQywZKK
ZSFJvUjbpg0J2iofBSY1kG8nDAC3BEBTkHJxbdW3NYZyXDAIYonHY7+UjBtIPKR5
XKZDYKjPI0GcjjKDoaePCYOgfzfjz5SXtxK2yyg1yeU61BRSidVMH6NAwmMxgd8I
TXpIslXQqmdZuwxuPo/HO4zdvLTwZxkBaZwKAi1OAPoYTBlO5JbkcaS38B7LUSI=
=Q9Fc
-----END PGP SIGNATURE-----
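An added example to go with Amos's explanation above (it is not code from the thread or from the Squid project): it builds the kind of private CA that ssl_bump's certificate generator needs, then reproduces the poster's setup (a server key, a CSR for www.mydomain.net, and an end-entity certificate of the shape a public CA such as cacert.org hands back), and runs a pre-flight check showing that only the first pair can act as a bumping CA. The "cacert.org" signature is simulated with the local CA so the script runs offline; all file names, paths and subject names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Builds a private CA of the kind ssl_bump needs, then a cacert.org-style
# end-entity certificate for www.mydomain.net (the poster's setup), and checks
# which of the two can act as a bumping CA. All paths and names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Private CA: key + self-signed certificate marked CA:TRUE. Squid needs BOTH
# files; the clients only get ca.crt installed as a trusted root.
make_bump_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Bump CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# What the poster did: server key + CSR, sent off to a public CA. A public CA
# returns an end-entity (CA:FALSE) certificate for that one name and nothing
# else. The signature is simulated with our own CA so the example runs offline.
make_leaf_like_cacert() {
    openssl genrsa -out "$WORK/squid.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/squid.key" -config "$WORK/ca.cnf" \
        -subj "/CN=www.mydomain.net" -out "$WORK/squid.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/squid.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/squid.crt" 2>/dev/null
}

# Pre-flight check for an ssl_bump cert/key pair: the certificate must assert
# CA:TRUE and the private key must match the certificate's public key.
# Returns 0 when the pair is usable as a signing CA, 1 otherwise.
is_bump_ca() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$certpub" = "$keypub" ]
}

make_bump_ca
make_leaf_like_cacert
if is_bump_ca "$WORK/ca.crt" "$WORK/ca.key"; then
    echo "ca.crt + ca.key: usable as an ssl_bump signing CA"
fi
if ! is_bump_ca "$WORK/squid.crt" "$WORK/squid.key"; then
    echo "squid.crt + squid.key: end-entity cert (CA:FALSE), ssl_bump cannot sign with it"
fi
```

The second pair fails the check for the same reason Amos gives: a certificate a public CA issues against your CSR is a leaf for one name, and the only private key that could sign further certificates below it belongs to that CA, not to you. The pair that passes is the one to reference from squid.conf (assumed paths), e.g. `http_port 3128 ssl-bump cert=/etc/squid/ca.crt key=/etc/squid/ca.key generate-host-certificates=on`, with ca.crt, and never ca.key, distributed to the clients you are authorised to intercept.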