[squid-users] Buy Certificates for Squid 'man in the middle'

Odhiambo Washington odhiambo at gmail.com
Thu Feb 2 08:49:05 UTC 2017


So we can't even use the free certs from letsencrypt with Squid??

On 2 February 2017 at 11:35, FredB <fredbmail at free.fr> wrote:

>
> From: http://wiki.squid-cache.org/Features/DynamicSslCert
>
> "In theory, you must either import your root certificate into browsers or
> instruct users on how to do that. Unfortunately, it is apparently a common
> practice among well-known Root CAs to issue subordinate root certificates.
> If you have obtained such a subordinate root certificate from a Root CA
> already trusted by your users, you do not need to import your certificate
> into browsers. However, going down this path may result in removal of the
> well-known Root CA certificate from browsers around the world. Such a
> removal will make your local SslBump-based infrastructure inoperable until
> you import your certificate, but that may only be the beginning of your
> troubles. Will the affected Root CA go after you to recoup their world-wide
> damages? What will your users do when they learn that you have been
> decrypting their traffic without their consent?"
>
> The last sentence is ambiguous: the users can know, you can inform them
> that you have been decrypting their traffic.
> There is no difference (from the user's point of view, I mean) between a
> well-known Root CA and a self-signed certificate with a CA injected by a
> local GPO.
>
> But in practice I don't know how you can do that, just "hello, I want a
> subordinate root certificate"?
>
> FredB



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."