[squid-users] Ssl-bump deep dive (self-signed certs in chain)
Yuri Voinov
yvoinov at gmail.com
Mon May 25 16:51:14 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hm. Interesting.
You want to say, you uses ordinal server certificate, signed with
external trusted CA?
And users can't see MiTM?
25.05.15 22:26, James Lay пишет:
> So following advice and instructions on this page:
>
> http://wiki.squid-cache.org/Features/DynamicSslCert
>
> I have set up my lab with explicit proxy by exporting http_proxy and
> https_proxy. After creating the self-signed root CA certificate above
> and creating the .der file for the client, here are my results:
>
> From the squid side:
> 2015/05/25 10:02:20.161| Using certificate
> in /opt/etc/squid/certs/SquidCA.pem
> 2015/05/25 10:02:20.170| support.cc(1743) readSslX509CertificatesChain:
> Certificate is self-signed, will not be chained
> I get the below when I don't specify a CA with curl, otherwise when I do
> I get no error:
> 2015/05/25 09:21:02.229| Error negotiating SSL connection on FD 12:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (1/0)
>
> And from the client side:
> root at kali:~/test# curl -v https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> * Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
>> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
>> Host: mail.slave-tothe-box.net:443
>> User-Agent: curl/7.26.0
>> Proxy-Connection: Keep-Alive
>>
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSLv3, TLS handshake, Client hello (1):
> * SSLv3, TLS handshake, Server hello (2):
> * SSLv3, TLS handshake, CERT (11):
> * SSLv3, TLS alert, Server hello (2):
> * SSL certificate problem: self signed certificate in certificate chain
> * Closing connection #0
>
> And testing with specifying the .der file:
> root at kali:~/test# curl --cacert /etc/ssl/certs/SquidCA.der -v
> https://mail.slave-tothe-box.net
> * About to connect() to proxy 192.168.1.9 port 3129 (#0)
> * Trying 192.168.1.9...
> * connected
> * Connected to 192.168.1.9 (192.168.1.9) port 3129 (#0)
> * Establish HTTP proxy tunnel to mail.slave-tothe-box.net:443
>> CONNECT mail.slave-tothe-box.net:443 HTTP/1.1
>> Host: mail.slave-tothe-box.net:443
>> User-Agent: curl/7.26.0
>> Proxy-Connection: Keep-Alive
>>
> * Easy mode waiting response from proxy CONNECT
> < HTTP/1.1 200 Connection established
> <
> * Proxy replied OK to CONNECT request
> * error setting certificate verify locations:
> CAfile: /etc/ssl/certs/SquidCA.der
> CApath: /etc/ssl/certs
>
> * Closing connection #0
> curl: (77) error setting certificate verify locations:
> CAfile: /etc/ssl/certs/SquidCA.der
> CApath: /etc/ssl/certs
>
>
> I can confirm that the server is using a bona-fide certificate issued
> from StartSSL and works, so at this point I'm open to suggestions.
> Thank you.
>
> James
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVY1MBAAoJENNXIZxhPexGlcYH/2T/L153ynVqn3s9epC7Pwvv
FxjHoamGMum6XJFooUZvQA0kaRzqhQSHduU0i6n4zWEowA4HgLkWrVeRrV/jXhxT
CbcZ+KYrO+UAMxrB04r+b4WQl6OZFcoj0ne+WecsJqgH108GGyrA+at6ibvFVNLl
ruiDntnH7fGuFV/o0J/hQfcxuHNDS7uND4iji7rSih2hIIET1ohG7EkppIaKwUAq
DHA9PtNTmF27eCZuNFXVXxbAjXsRy9NYGC+rwzmFT0Sw2A8KCKl/XBBylu+IRJqv
0TscKQeb/LH9/Jkuh5v2KMLjGaoo7hyqY8q/sjnZVySYy2wKXuXolMbYb+vyla4=
=XVIS
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150525/094de7b4/attachment.html>
More information about the squid-users
mailing list