Re: [squid-users] Dynamic SSL

From: Hasanen AL-Bana <hasanen_at_gmail.com>
Date: Thu, 14 Mar 2013 20:54:29 +0300

Thank you Guy for your clarification,

So you are saying that the only way to achieve squid https
interception is to force users to upload our squid certificate to
their browser, or they will have to deal with the browser warnings....

On Thu, Mar 14, 2013 at 5:29 PM, Guy Helmer
<guy.helmer_at_palisadesystems.com> wrote:
>
> On Mar 14, 2013, at 9:23 AM, Hasanen AL-Bana <hasanen_at_gmail.com> wrote:
>
> > I thought Squid can fetch the original certificate for a website and
> > pass it to the browser instead of the one created by me,
> > Isn't that how dynamic ssl generation should work ?
>
> No, there are two parts for the asymmetric encryption used for
> certificates: the public key in the certificate, and the private key known
> only to the original web server. Without the original private key, squid can
> not impersonate the original web server and thus can not simply pass the
> real certificate to the browser.
>
> So, dynamic SSL certificate generation involves creating "imposter"
> certificates and private keys, signed with a local signing certificate that
> the local web browsers trust.
>
> Guy
>
> >
> > On Thu, Mar 14, 2013 at 5:05 PM, Guy Helmer
> > <guy.helmer_at_palisadesystems.com> wrote:
> > On Mar 14, 2013, at 7:22 AM, Hasanen AL-Bana <hasanen_at_gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I have successfully installed squid 3.3 compiled with ssl support.
> > > Intercepting SSL traffic is working fine with browsers loaded with my
> > > self created .DER file.
> > > But without it, I keep getting browser warnings; chrome doesn't
> > > work at all with gmail in this case.
> >
> > That's correct behavior.
> >
> > > The question is, if I purchase a valid SSL certificate, will squid
> > > be able to use it for all websites?
> > > Will user browsers accept it?
> >
> > No, you can't purchase a certificate from legitimate certificate vendors
> > that can sign other arbitrary certificates. If you could, then any site
> > could impersonate any other site, and server authentication by certificates
> > would be meaningless.
> >
> > Guy
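To make Guy's two points concrete on the openssl command line (an added example, not code from this thread or from Squid; the hostnames, subjects and file names are constructed): a certificate minted under the local proxy CA verifies only on a client that has that CA installed, and a purchased end-entity certificate, which carries basicConstraints CA:FALSE, cannot act as the signer of other certificates because every chain check rejects it.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or from Squid itself.
# All hostnames, subjects and file names below are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Self-signed local signing CA: the certificate users have to import into
# their browsers (Hasanen's ".DER file") for dynamic SSL interception to work.
make_local_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Local Proxy CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
}

# Mint a certificate for hostname $1 with a fresh private key (the "imposter"
# cert/key pair Guy describes), signed by cert $2 and key $3; files are
# written to $WORK/$4.{key,pem}. basicConstraints=CA:FALSE is what any public
# CA puts on a purchased end-entity certificate.
mint_cert() {
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" \
    > "$WORK/$4.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$4.key" -out "$WORK/$4.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1 -extfile "$WORK/$4.ext" -out "$WORK/$4.pem" 2>/dev/null
}

# Chain check as a browser performs it. $1 = trusted root ("" models a browser
# without the proxy CA installed), $2 = certificate presented, $3 = optional
# intermediate sent alongside it. Prints OK or FAIL.
verify_cert() {
  trust=""; [ -n "$1" ] && trust="-CAfile $1"
  extra=""; [ -n "${3:-}" ] && extra="-untrusted $3"
  # -no-CAfile/-no-CApath drop the system store so only $trust counts
  if openssl verify -no-CAfile -no-CApath $trust $extra "$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

make_local_ca
mint_cert www.example.com "$WORK/ca.pem" "$WORK/ca.key" impostor
echo "impostor cert, client trusts proxy CA:  $(verify_cert "$WORK/ca.pem" "$WORK/impostor.pem")"
echo "impostor cert, client lacks proxy CA:   $(verify_cert "" "$WORK/impostor.pem")"
# A purchased-style cert can technically sign bytes, but its CA:FALSE makes
# every chain through it invalid ("invalid CA certificate" from openssl).
mint_cert proxy.example.net "$WORK/ca.pem" "$WORK/ca.key" purchased
mint_cert www.example.com "$WORK/purchased.pem" "$WORK/purchased.key" bad
echo "cert signed by a purchased-style cert:  $(verify_cert "$WORK/ca.pem" "$WORK/bad.pem" "$WORK/purchased.pem")"
```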
Received on Thu Mar 14 2013 - 17:54:56 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 15 2013 - 12:00:05 MDT