Re: [squid-users] Intercept HTTPS with dynamic certificate for clients

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 25 Mar 2014 13:43:22 +1300

On 25/03/2014 4:29 a.m., Emmanuel LAZARO - S.IM.KO. wrote:
> Hi again,
>
> In addition I can say this problem (sec_error_unknown_issuer) appears when I am using a "real" certificate from VeriSign, which is well known by the web browser.
>
> I read here: http://squid-web-proxy-cache.1019090.n4.nabble.com/Need-help-on-SSL-bump-and-certificate-chain-td4659421.html
>
> that I can't do what I want with a signed certificate from a known authority.
>
> So I tried using a self-signed certificate, but it doesn't work, with the error: sec_error_untrusted_issuer
>
>

This *is* working. The client has identified that your self-signed CA
certificate is the authority for the dynamically created certificate. It
just does not trust you, the "self" who signed it.

The step beyond this is to get the client end-point to trust your
self-signed CA certificate. Be careful here. Do this only for clients
where it is actually legal to make them trust your certificate.

Do not forget that what you are doing is a clear and blatant attack on
both the client and web server security systems. There *are* things
which they can do (and some already do) to prevent you succeeding.

I suggest you also investigate the reason why VeriSign and other widely
trusted CAs refuse to counter-sign your self-signed CA certificate. That
is behind what Alex said about using the VeriSign certificate.

Amos

>
>
> On 24 March 2014 at 11:48, Emmanuel LAZARO - S.IM.KO. <em.lazaro_at_simko.fr> wrote:
>
>> Hi all,
>>
>> I get on the web browsers: Error code: sec_error_unknown_issuer
>>
>> Can someone help me?
>>
>>
>> On 19 March 2014 at 08:53, Emmanuel LAZARO - S.IM.KO. <em.lazaro_at_simko.fr> wrote:
>>
>>> Hi all,
>>>
>>> I am using Squid 3.4.4 on Debian wheezy, compiled from source.
>>>
>>> I am trying to configure squid as a transparent proxy using:
>>>
>>> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/CertifSignature/SquidServeurVeriSign.pem key=/etc/squid3/CertifSignature/Squid.key
>>>
>>> The SquidServeurVeriSign.pem has been signed by VeriSign.
>>>
>>> How can I avoid the alerts on Firefox or Safari (I am in a Mac OS X environment)? The alerts are popping up on every HTTPS page:
>>>
>>> "Connection not certified
>>>
>>> You asked Firefox to connect... we can't confirm the connection is secure... website identity can't be verified."
>>>
>>> Sorry for the translation...
>>>
>>> Can someone help me?
>>>
>>> NB: I imported the root certificate into my Firefox.
>>> ------
>>>
>>> LAZARO Emmanuel
>>
>
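The two outcomes Amos describes above can be reproduced on the command line with openssl alone, without a browser or a running squid. The script below is an added example written for this page; it is not code from the thread or from Squid. It builds a self-signed "bump" CA (CA:TRUE, keyCertSign), an unrelated root that stands in for what a client already trusts, a host certificate issued by the bump CA (what generate-host-certificates=on produces), and a second host certificate issued by an ordinary CA:FALSE server certificate (what a VeriSign-issued server certificate is). It then runs openssl verify three ways: with the bump CA imported, without it, and with the server-certificate issuer in the chain. All names, paths and key sizes are assumptions made for the demo, and openssl is assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not code from the squid-users thread or from Squid: reproduce
# with openssl the trust outcomes discussed in the reply above.
#   1. A host cert issued by a self-signed CA verifies once the client has been
#      given that CA (the "import the CA" step) and fails while the client only
#      knows other roots (the untrusted-issuer case).
#   2. A host cert issued by an ordinary server cert (CA:FALSE, no keyCertSign,
#      which is what a publicly issued server cert is) is rejected even when the
#      client trusts the root above it: a non-CA cert may not act as an issuer.
# All names, paths and key sizes below are assumptions made for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config (lets -subj work without a system openssl.cnf) and the
# extension profiles used when signing.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF
cat > "$WORK/ext.cnf" <<'EOF'
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# new_key NAME SUBJECT: RSA key plus CSR for NAME.
new_key() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$WORK/req.cnf" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# self_sign NAME: turn NAME's CSR into a self-signed root with CA:TRUE.
self_sign() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/$1.pem" 2>/dev/null
}

# issue NAME ISSUER: sign NAME's CSR with ISSUER's cert/key as a CA:FALSE
# server cert. Like ssl-bump's generator, openssl x509 signs with whatever
# cert/key it is handed and does not check that the issuer is a real CA.
issue() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -extensions leaf_ext \
    -out "$WORK/$1.pem" 2>/dev/null
}

# verify_outcome ARGS...: run openssl verify and print OK or FAIL instead of exiting.
verify_outcome() {
  if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_demo() {
  new_key bump "/CN=Demo Bump CA";      self_sign bump   # the proxy's own CA
  new_key other "/CN=Other Root CA";    self_sign other  # a root the client trusts
  new_key host "/CN=www.example.com";   issue host bump  # generated host cert
  new_key srv "/CN=proxy.example.com";  issue srv other  # a "public" server cert
  new_key host2 "/CN=www.example.com";  issue host2 srv  # host cert signed by it
}

# Client has imported the bump CA: the generated host cert verifies.
check_trusted_ca()   { verify_outcome -CAfile "$WORK/bump.pem" "$WORK/host.pem"; }
# Client only trusts other roots: the issuer is unknown to it.
check_untrusted_ca() { verify_outcome -CAfile "$WORK/other.pem" "$WORK/host.pem"; }
# Client trusts the root behind the server cert and is even handed the server
# cert as an intermediate: still rejected, because that intermediate is not a CA.
check_end_entity_issuer() {
  verify_outcome -CAfile "$WORK/other.pem" -untrusted "$WORK/srv.pem" "$WORK/host2.pem"
}

build_demo
echo "bump CA imported:        $(check_trusted_ca)"        # OK
echo "bump CA not imported:    $(check_untrusted_ca)"      # FAIL
echo "issuer is a server cert: $(check_end_entity_issuer)" # FAIL
```

The practical reading for the https_port line quoted further down: cert= and key= must point at a CA:TRUE pair like bump.pem/bump.key, and bump.pem (never bump.key) is what gets imported into the clients' trust stores; that import is the only thing that turns the second outcome into the first, and no amount of VeriSign signing on a server certificate turns the third into it.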
Received on Wed Mar 26 2014 - 04:06:02 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 26 2014 - 12:00:05 MDT