Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

From: Antoine Klein <klein.anto_at_gmail.com>
Date: Thu, 29 May 2014 15:02:33 -0400

Thanks for your answers !

Alex, is your last answer for me? What is illegal?

Finally, I managed to install the certificate; in fact my boss had the
private key...

So I have another problem: Squid starts correctly with the certificate,
but on the client with Firefox I get this error,
"ssl_error_bad_cert_domain", when I make an HTTPS connection.
Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
clientNegotiateSSL: Error negotiating SSL connection on FD 11:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
(1/0)"

Do you know these errors?

2014-05-28 11:39 GMT-04:00 Alex Crow <alex_at_nanogherkin.com>:
> You cannot generate on the fly new certs that are signed by a commercial CA.
> You need a generated cert for every site your clients visit.
>
> And if you are not in control of your clients this would be not only
> unethical but also most likely illegal - and you won't get any further help
> from this list with either of those.
>
> On 28 May 2014 15:55:04 BST, Antoine Klein <klein.anto_at_gmail.com> wrote:
>>
>> I'm sending my post again because I'm not sure it was sent...
>>
>> OK, thanks all!
>>
>> I'm not in control of the clients, so that's the real problem: I can't
>> install a certificate on their smartphones ^^.
>>
>> So according to you, if I create a CA with openssl, and create a
>> certificate signing request (.csr) with a private key, and if I send
>> my CSR to a trusted authority to sign it, I could use it in Squid
>> without problem, and then clients wouldn't get any warning?
>> I would like to be sure to avoid every problem.
>>
>> 2014-05-28 2:47 GMT-04:00 Alex Crow <alex_at_nanogherkin.com>:
>>>
>>>
>>> On 28/05/14 03:43, Amos Jeffries wrote:
>>>>
>>>>
>>>> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>
>>>>>
>>>>> I want to bump SSL connections, but without producing a warning, of
>>>>> course.
>>>>>
>>>>> I read it is possible to generate a certificate signing request with a
>>>>> key and send this file to an authority to sign it; do you know about that?
>>>>
>>>>
>>>> Having your cert signed by a widely trusted certificate authority is
>>>> one thing, and the basis of how TLS/SSL works.
>>>>
>>>> SSL-bump cannot be used with that type of key for the reasons Alex
>>>> already mentioned. He also mentioned the steps you have to take instead
>>>> to get it going.
>>>>
>>>> Amos
>>>
>>>
>>>
>>> Hi Antoine,
>>>
>>> You need to be a CA, ie have the CA private key, to be able to do this. If
>>> you are in control of the clients and know how to use OpenSSL to create a CA
>>> you can do this without paying any money to anyone. You simply create the CA
>>> and use it and its private key in your ssl-bump configuration.
>>>
>>>
>>> http_port 3128 sslBump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>
>>> proxy.pem is your private key and CA certificate concatenated.
>>>
>>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>
>>> The above line configures the crtd helpers that actually generate the
>>> certs for the requests, see
>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>
>>> Cheers
>>>
>>> Alex
>>
>>
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
Antoine KLEIN
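The following script is an added example and is not part of this thread or of Squid itself. It builds the private CA that ssl-bump needs (key and CA cert concatenated into a proxy.pem, the layout Alex's post describes), mints a per-host leaf certificate the way the ssl_crtd helper would, and then checks the leaf from a client's point of view to reproduce the two failures reported above: an issuing CA the client does not trust (Squid's "tlsv1 alert unknown ca") and a name that does not match the certificate (Firefox's "ssl_error_bad_cert_domain"). It needs only the openssl command line; the CA names, host names and the scratch directory $WORK are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): private CA, per-host leaf,
# and client-side verification that distinguishes "unknown ca" from a hostname
# mismatch. Requires the openssl CLI. All names and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# Create a self-signed CA called $1: writes $WORK/$1.key, $1.crt and $1.pem.
# The extensions are given explicitly so the result is a real CA certificate
# regardless of the local openssl.cnf defaults.
make_ca() {
  name="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 365 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  # proxy.pem layout for "http_port ... cert=": private key and CA cert concatenated
  cat "$WORK/$name.key" "$WORK/$name.crt" > "$WORK/$name.pem"
}

# Mint a leaf certificate for host $2 signed by CA $1, with the subjectAltName
# that browsers use for the domain check. This is the step the crtd helpers
# automate for every site the clients visit.
make_leaf() {
  ca="$1"; host="$2"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Check leaf $1 the way a client does: trusting only CA $2 and expecting host $3.
# Prints OK, UNKNOWN_CA (the chain does not reach a trusted CA, which is what
# the client's "unknown ca" alert means) or HOSTNAME_MISMATCH (the chain is
# fine but the name is wrong, Firefox's ssl_error_bad_cert_domain).
verify_leaf() {
  leaf="$WORK/$1.crt"; trust="$WORK/$2.crt"; host="$3"
  if ! openssl verify -CAfile "$trust" "$leaf" >/dev/null 2>&1; then
    echo UNKNOWN_CA
  elif ! openssl verify -CAfile "$trust" -verify_hostname "$host" "$leaf" >/dev/null 2>&1; then
    echo HOSTNAME_MISMATCH
  else
    echo OK
  fi
}

# Run "sh this.sh demo" to see all three outcomes.
if [ "${1:-}" = "demo" ]; then
  make_ca bump-ca
  make_ca other-ca
  make_leaf bump-ca www.example.test
  verify_leaf www.example.test bump-ca  www.example.test    # OK
  verify_leaf www.example.test bump-ca  mail.example.test   # HOSTNAME_MISMATCH
  verify_leaf www.example.test other-ca www.example.test    # UNKNOWN_CA
fi
```

The third check is the situation in this thread: a leaf that chains correctly to the proxy's CA is still rejected by a client whose trust store does not contain that CA, and a commercially signed certificate cannot fix that, because the commercial CA never hands out the signing key that make_leaf uses. The second check shows that even a trusted CA does not help if the generated certificate carries the wrong name, which is the separate "bad_cert_domain" error.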
Received on Thu May 29 2014 - 19:02:40 MDT

This archive was generated by hypermail 2.2.0 : Fri May 30 2014 - 12:00:06 MDT