Re: [squid-users] SSL Bump and dynamic SSL generation

From: Jay Jimenez <jay_at_integralvox.com>
Date: Mon, 12 May 2014 16:02:00 +0800

Dan,

Our browsers have very few, selected trusted CAs, which are also
stored in our Trusted Root Certification Authorities store. Install an
internal root CA with Microsoft Certificate Services and generate the
CA certificate. After generating the CA certificate, make sure that you
roll it out via GPO:

Computer Configuration -> Windows Settings -> Security Setting ->
Public Key Policies -> Trusted Publishers and add your cert to the
"Trusted Root Certification Authorities"

Once you have the root CA certificate installed on each computer, all
subordinate CAs will be trusted automatically. In this case, we plan
for your Squid box to have a SUBORDINATE CA signed by your ROOT CA.
(I hope you see the chain of authority here.)

Go to your Squid box and generate your .key file and certificate request (.csr):

openssl genrsa -out yourkey.key 1024

openssl req -new -key yourkey.key -out yourkey.csr

Copy the content of your .csr file into your root CA's web enrollment
service (make sure web enrollment is installed) and choose "advanced
certificate request". Paste the content of your .csr file and choose
"SUBORDINATE Certification Authority".

Click Submit and download the Base64-encoded certificate file (NOT the
DER-encoded one).

Use the downloaded .cer file and your .key file in your Squid SSL bump configuration.

Your Squid now has the subordinate CA, and any certificate generated by
Squid will be trusted automatically because the issuer of Squid's sub
CA is your domain root CA.

*Our organization has an existing internal PKI that we're currently
using for our Microsoft NPS/802.1x. That saves us the headache of
installing a new self-signed CA on each computer for Squid SSL
bumping.

Regards,
Jay

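The chain Jay describes, reproduced as a lab script. This is an added example, not code from the mailing-list post or from the Squid project: a throwaway root CA stands in for the Microsoft Certificate Services root that domain PCs trust via GPO, the Squid box gets a subordinate CA signed by it, and a leaf of the kind Squid mints for a bumped site is verified against the root alone, which is all a client has installed. It also shows what goes wrong if the CSR is issued from an ordinary (non-CA) template instead of "Subordinate Certification Authority". All subject names, file paths and the host name www.example.com are constructed; the key size is 2048 rather than the post's 1024, which is below current minimums.

```shell
#!/bin/sh
# Added example: root CA -> Squid subordinate CA -> per-site leaf, verified
# against the root only. Stand-in for the Microsoft CA; all names constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on a system openssl.cnf;
# the real subject comes from -subj on the command line.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Root CA extensions: CA:TRUE with no path-length limit, so it may issue sub CAs.
cat > "$WORK/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Subordinate CA extensions, i.e. what the "Subordinate Certification Authority"
# template yields. pathlen:0 lets it sign end-entity certs only, which is all
# Squid needs and limits the damage if the Squid box is compromised.
cat > "$WORK/sub.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# End-entity extensions, roughly what Squid generates per site. Browsers match
# the host against subjectAltName, not the CN.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

gen_key() {  # $1 output path
  openssl genrsa -out "$1" 2048 2>/dev/null
}
make_csr() {  # $1 key, $2 output CSR, $3 subject
  openssl req -new -config "$WORK/req.cnf" -key "$1" -out "$2" -subj "$3"
}
issue() {  # $1 CSR, $2 issuer cert, $3 issuer key, $4 extension file, $5 output cert
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1825 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}
is_ca() {  # $1 cert: true when basicConstraints says CA:TRUE
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
verify_chain() {  # $1 trusted root, $2 untrusted intermediate, $3 leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
der_to_pem() {  # $1 DER .cer, $2 PEM output: rescue if "DER encoded" was downloaded
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

build_pki() {
  # 1. Root CA (stand-in for the domain root CA rolled out by GPO).
  gen_key "$WORK/root.key"
  make_csr "$WORK/root.key" "$WORK/root.csr" "/CN=Lab Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.cer" 2>/dev/null
  # 2. On the Squid box: key and CSR, as in the post. Only the CSR leaves the box.
  gen_key "$WORK/squid.key"
  make_csr "$WORK/squid.key" "$WORK/squid.csr" "/CN=Squid SSL Bump Sub CA"
  # 3a. Right template: Subordinate Certification Authority (CA:TRUE).
  issue "$WORK/squid.csr" "$WORK/root.cer" "$WORK/root.key" "$WORK/sub.ext" "$WORK/squid-subca.cer"
  # 3b. Wrong template: the same CSR issued as an ordinary end-entity certificate.
  issue "$WORK/squid.csr" "$WORK/root.cer" "$WORK/root.key" "$WORK/leaf.ext" "$WORK/squid-notca.cer"
  # 4. A per-site leaf as Squid would mint it, signed under each candidate.
  gen_key "$WORK/leaf.key"
  make_csr "$WORK/leaf.key" "$WORK/leaf.csr" "/CN=www.example.com"
  issue "$WORK/leaf.csr" "$WORK/squid-subca.cer" "$WORK/squid.key" "$WORK/leaf.ext" "$WORK/leaf-good.cer"
  issue "$WORK/leaf.csr" "$WORK/squid-notca.cer" "$WORK/squid.key" "$WORK/leaf.ext" "$WORK/leaf-bad.cer"
}

build_pki
if verify_chain "$WORK/root.cer" "$WORK/squid-subca.cer" "$WORK/leaf-good.cer"; then
  echo "leaf under the Subordinate CA: trusted with only the root installed"
fi
if ! verify_chain "$WORK/root.cer" "$WORK/squid-notca.cer" "$WORK/leaf-bad.cer"; then
  echo "leaf under a non-CA certificate: rejected (invalid CA certificate)"
fi
```

Two practitioner notes. First, the subordinate CA key on the Squid box can mint a certificate for any site that every domain computer will accept, so keep it readable by the Squid user only; the `pathlen:0` constraint only stops it from creating further CAs. Second, once the real sub CA certificate and key are in place (e.g. `cert=/etc/squid/squid-subca.cer key=/etc/squid/squid.key` on the `ssl-bump` `http_port` line, paths assumed), check from a client that the chain actually builds to the root, for instance with `openssl s_client -showcerts` through the proxy; a client that has the root but cannot obtain the intermediate will still show a trust error.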
On Mon, May 12, 2014 at 3:06 PM, Dan Charlesworth <dan_at_getbusi.com> wrote:
> I for one would welcome you explaining this set up a little bit. Definitely relevant to my interests.
>
> Thanks!
> Dan
>
> On 12 May 2014, at 4:56 pm, Jay Jimenez <jay_at_integralvox.com> wrote:
>
>> Tom,
>>
>> If your proxy users and computers are members of an Active Directory
>> domain, you might want to use your existing internal AD public key
>> infrastructure. The reason for this is that domain computers already
>> trust the CA of your AD. I can explain the setup a little bit if this
>> is the kind of IT environment you have. The main advantage of this
>> setup is that you don't need to install a self-signed CA from Squid on
>> each computer.
>>
>> Jay
>>
>> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom_at_simpleweb.co.uk> wrote:
>>> Hi Amos,
>>>
>>> Thanks for that. Yes I understand the legalities, this isn't to
>>> 'forge' anything. The users are well aware they're not looking at the
>>> real sites.
>>>
>>> The CA will be installed on their systems and they will have to agree
>>> to it. The issue is that the browser is complaining that the CN does
>>> not match because my local web server that represents ANY site has a
>>> catch all CN. Therefore I'm trying to determine a way to generate the
>>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>>> correct.
>>>
>>> The certificates I generate don't need to look like the original
>>> because I'm not trying to trick anyone, they just need not to error in
>>> the browser.
>>>
>>> Thanks,
>>> Tom
>>>
>>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>>>> about, site1.com was just an example. It could be any site that I
>>>>> don't previously know the address for.
>>>>>
>>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>>> self-signed cert.
>>>>
>>>> One of the built-in problems with forgery is that one must have an
>>>> original to work from in order to get even a vague resemblance of
>>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>>> other than high-tech forgery of the website owner's security credentials.
>>>>
>>>> OR ... with a blind individual doing the checking it does not matter.
>>>>
>>>> (Un)luckily the system design for SSL and TLS as widely used today
>>>> places a huge blindfold (the trusted CA set) on the client software. So
>>>> all one has to do is install the signing CA for the forged certificates
>>>> as one of those CA and most anything becomes possible.
>>>> ... check carefully the legalities of doing this before doing anything.
>>>> In some places even experimenting is a criminal offence.
>>>>
>>>> Amos
>>>>
>>>
>>>
>>>
>>> --
>>> Tom Holder
>>> Systems Architect
>>>
>>>
>>> Follow me on: [Twitter] [Linked In]
>>>
>>> www.Simpleweb.co.uk
>>>
>>> Tel: 0117 922 0448
>>>
>>> Simpleweb Ltd.
>>> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>>>
>>> Simpleweb Ltd. is registered in England.
>>> Registration no: 5929003 : V.A.T. registration no: 891600913
>
Received on Mon May 12 2014 - 08:02:07 MDT

This archive was generated by hypermail 2.2.0 : Mon May 12 2014 - 12:00:05 MDT