Re: [squid-users] SSL Bump and dynamic SSL generation

From: Tom Holder <tom_at_simpleweb.co.uk>
Date: Mon, 12 May 2014 08:54:44 +0100

Thanks Jay, it's not the CA I have an issue with, I can easily get
that installed.

On Mon, May 12, 2014 at 7:56 AM, Jay Jimenez <jay_at_integralvox.com> wrote:
> Tom,
>
> If your proxy users and computers are members of Active Directory
> Domain, you might want to use your existing internal AD public key
> infrastructure. The reason for this is that domain computers already
> trust the CA of your AD. I can explain the setup a little bit if this
> is the kind of IT environment you have. The main advantage of this
> setup is you don't need to install a self-signed CA by squid in each
> computer.
>
> Jay
>
> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom_at_simpleweb.co.uk> wrote:
>> Hi Amos,
>>
>> Thanks for that. Yes I understand the legalities, this isn't to
>> 'forge' anything. The users are well aware they're not looking at the
>> real sites.
>>
>> The CA will be installed on their systems and they will have to agree
>> to it. The issue is that the browser is complaining that the CN does
>> not match because my local web server that represents ANY site has a
>> catch all CN. Therefore I'm trying to determine a way to generate the
>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>> correct.
>>
>> The certificates I generate don't need to look like the original
>> because I'm not trying to trick anyone, they just need not to error in
>> the browser.
>>
>> Thanks,
>> Tom
>>
>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>>> about, site1.com was just an example. It could be any site that I
>>>> don't previously know the address for.
>>>>
>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>> self-signed cert.
>>>
>>> One of the built-in problems with forgery is that one must have an
>>> original to work from in order to get even a vague resemblance of
>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>> other than high-tech forgery of the website owner's security credentials.
>>>
>>> OR ... with a blind individual doing the checking it does not matter.
>>>
>>> (Un)luckily the system design for SSL and TLS as widely used today
>>> places a huge blindfold (the trusted CA set) on the client software. So
>>> all one has to do is install the signing CA for the forged certificates
>>> as one of those CA and most anything becomes possible.
>>> ... check carefully the legalities of doing this before doing anything.
>>> In some places even experimenting is a criminal offence.
>>>
>>> Amos
>>>
>>

-- 
Tom Holder
Systems Architect
Follow me on: [Twitter] [Linked In]
www.Simpleweb.co.uk
Tel: 0117 922 0448
Simpleweb Ltd.
Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
Simpleweb Ltd. is registered in England.
Registration no: 5929003 : V.A.T. registration no: 891600913
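The browser complaint Tom describes (CN does not match) is the client-side name check that SSL-bump cannot talk its way around: the certificate presented for a host must carry that host's name, and a single catch-all name will never satisfy it. The following is an added example, not code from the squid-users thread or from Squid itself, that re-implements the RFC 6125 style matching a browser applies (subjectAltName dNSName entries take precedence, the subject CN is consulted only when the certificate has no SAN at all, and a wildcard is accepted only as the whole left-most label). The certificate dicts are constructed samples in the shape returned by Python's ssl.getpeercert(); the names in them are placeholders, not real sites.

```python
"""
Why a catch-all certificate fails the browser's hostname check.

Added example (not from the squid-users thread): a small, dependency-free
re-implementation of RFC 6125 style hostname matching over certificate
dicts shaped like Python's ssl.getpeercert() output. Use it to test what
a generated certificate will and will not be accepted for.
"""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    A single '*' is accepted only as the entire left-most label, it never
    spans a dot, and it needs at least two further labels, so
    '*.example.com' matches 'www.example.com' but not 'example.com',
    not 'a.b.example.com', and a bare '*' or '*.com' matches nothing.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    plabels = pattern.split('.')
    hlabels = hostname.split('.')
    if plabels[0] != '*' or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Return True if the certificate is valid for hostname.

    If the certificate carries any subjectAltName entries, only those are
    consulted (this is what current browsers do). The subject commonName
    is a legacy fallback used only when there is no SAN at all.
    """
    san = cert.get('subjectAltName', ())
    dns_names = [v for (k, v) in san if k == 'DNS']
    ip_names = [v for (k, v) in san if k == 'IP Address']
    if dns_names or ip_names:
        try:
            wanted_ip = ipaddress.ip_address(hostname)
        except ValueError:
            return any(_dns_label_match(p, hostname) for p in dns_names)
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    # No SAN: legacy CN fallback.
    for rdn in cert.get('subject', ()):
        for (k, v) in rdn:
            if k == 'commonName':
                return _dns_label_match(v, hostname)
    return False


# Constructed sample certificates (placeholder names, not real sites).
CATCH_ALL_CERT = {  # a fixed CN standing in for "any site": never matches
    'subject': ((('commonName', 'local-catch-all.invalid'),),),
}
BARE_WILDCARD_CERT = {  # CN of '*' is not a valid wildcard either
    'subject': ((('commonName', '*'),),),
}
PER_HOST_CERT = {  # what a correctly generated certificate carries
    'subject': ((('commonName', 'site1.com'),),),
    'subjectAltName': (('DNS', 'site1.com'), ('DNS', '*.site1.com')),
}
SAN_OVERRIDES_CN_CERT = {  # CN says site1.com, but SAN wins and lacks it
    'subject': ((('commonName', 'site1.com'),),),
    'subjectAltName': (('DNS', 'other.example'),),
}


def report(cert: dict, hostname: str) -> str:
    """One-line verdict, handy when checking a batch of generated certs."""
    verdict = 'OK' if cert_matches_hostname(cert, hostname) else 'NAME MISMATCH'
    return f'{hostname}: {verdict}'


if __name__ == '__main__':
    for cert in (CATCH_ALL_CERT, BARE_WILDCARD_CERT, PER_HOST_CERT, SAN_OVERRIDES_CN_CERT):
        print(report(cert, 'site1.com'))
```

The takeaway for the thread's question: whatever generates the certificate has to put the requested host into the SAN (with the CN at most as a courtesy copy), and it has to do so per host, because no single pattern is permitted to cover arbitrary names.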
Received on Mon May 12 2014 - 07:54:52 MDT

This archive was generated by hypermail 2.2.0 : Mon May 12 2014 - 12:00:05 MDT