Re: [squid-users] SSL Bump and dynamic SSL generation

From: Tom Holder <tom_at_simpleweb.co.uk>
Date: Mon, 12 May 2014 07:41:29 +0100

Hi Amos,

Thanks for that. Yes I understand the legalities, this isn't to
'forge' anything. The users are well aware they're not looking at the
real sites.

The CA will be installed on their systems and they will have to agree
to it. The issue is that the browser is complaining that the CN does
not match because my local web server that represents ANY site has a
catch all CN. Therefore I'm trying to determine a way to generate the
correct CN before Squid tries to bump the SSL so that the CN is nearly
correct.

The certificates I generate don't need to look like the original
because I'm not trying to trick anyone, they just need not to error in
the browser.

Thanks,
Tom

On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>> Thanks for your help Walter, problem is, which I wasn't too clear
>> about, site1.com was just an example. It could be any site that I
>> don't previously know the address for.
>>
>> Therefore, the only thing I can think of is to dynamically generate a
>> self-signed cert.
>
> One of the built-in problems with forgery is that one must have an
> original to work from in order to get even a vague resemblance of
> correctness. Don't fool yourself into thinking SSL-bump is anything
> other than high-tech forgery of the website owner's security credentials.
>
> OR ... with a blind individual doing the checking it does not matter.
>
> (Un)luckily the system design for SSL and TLS as widely used today
> places a huge blindfold (the trusted CA set) on the client software. So
> all one has to do is install the signing CA for the forged certificates
> as one of those CA and most anything becomes possible.
> ... check carefully the legalities of doing this before doing anything.
> In some places even experimenting is a criminal offence.
>
> Amos
>

-- 
Tom Holder
Systems Architect
Follow me on: [Twitter] [Linked In]
www.Simpleweb.co.uk
Tel: 0117 922 0448
Simpleweb Ltd.
Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
Simpleweb Ltd. is registered in England.
Registration no: 5929003 : V.A.T. registration no: 891600913
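The piece Tom is asking for, shown as an added example that is not from the thread, from Squid or from Simpleweb: a local lab CA (the one users install and agree to) and a routine that mints a per-host leaf certificate whose CN and SAN carry the requested host name, plus the two checks a browser performs (chain to the CA, name match). It assumes only the openssl CLI; the host name, file names and function names are my own.

```shell
#!/bin/sh
# Added example: mint a leaf certificate for an arbitrary hostname under a
# local lab CA so the name the browser asked for is the name it sees.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=...

# Create the lab CA once. Only clients that have installed this CA and
# agreed to it will trust anything minted below.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Lab Bump CA (not a public CA)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Mint a per-host cert. CN and SAN both carry the host, because current
# clients check the SAN and ignore the CN on its own. CA:FALSE ensures a
# minted leaf cannot itself sign further certificates.
mint_host_cert() {
  host="$1"
  ext="$WORK/$host.ext"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$ext" -out "$WORK/$host.pem" 2>/dev/null
  printf '%s\n' "$WORK/$host.pem"
}

# The checks a browser makes: does the cert chain to the lab CA, and does
# the SAN contain the host that was requested? Returns 0 only if both hold.
check_host_cert() {
  cert="$1"; host="$2"
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "DNS:$host" || return 1
  return 0
}
```

Running `make_lab_ca` and then `mint_host_cert site1.example` (a constructed host name) yields a certificate that passes `check_host_cert` for that host and fails it for any other.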
Received on Mon May 12 2014 - 06:41:35 MDT

This archive was generated by hypermail 2.2.0 : Mon May 12 2014 - 12:00:05 MDT