[squid-users] Squid Proxy SSL Bump Certificates
Antony Stone
Antony.Stone at squid.open.source.it
Thu Jun 30 09:04:38 UTC 2016
On Thursday 30 June 2016 at 10:53:57, info at comunicacionesman.com wrote:
> What I'm trying to do now is to use an external certificate from a
> trusted certificate authority (in this case I'm using a free SSL
> certificate from comodo), but I can't see my certificate in the
> certificates list when enabling SSL Man in the middle. I can only see
> CA's, which are certificate authorities, but when I upload comodo's Root
> CA certificate and select it, service does not start. Throws this error:
>
> Jun 30 08:52:40 squid No valid signing SSL certificate configured
> for HTTP_port 192.168.1.1:3128
>
> Does Squid not accept a SSL Certificate from external authorities or am
> I missing something?
Squid would be quite happy to accept a certificate from external authorities,
but you will never get one.
You're missing the significance of the word "signing" in that error message.
What you have from Comodo is a signED certificate (and you also have the CA
certificate to prove that they signed it).
What you do not have is a signING certificate (together with the accompanying
private key) to be able to create and sign certificates on the fly, which is
what Squid does for SSL MITM interception.
You will never get an appropriate key and certificate for this purpose from an
external CA, because if they gave you those, you could forge certificates for
any website on the Internet and their trust model would collapse.
SSL MITM has to be done with a self-signed certificate, and a self-generated CA
certificate on the clients.
Antony.
--
Python is executable pseudocode.
Perl is executable line noise.
Please reply to the list;
please *don't* CC me.
More information about the squid-users
mailing list