Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

From: Alex Crow <alex_at_nanogherkin.com>
Date: Fri, 30 May 2014 16:44:08 +0100

Hi Antoine,

Replies below:

On 30/05/14 15:44, Antoine Klein wrote:
> Ok, I'm really sorry, I don't understand English very well...
> I read the discussion again but I am confused :/
>
> Before this project I had no knowledge about certificates and SSL
> connections, but I did a lot of research on the subject, especially on
> the squid wiki.
> I also read the documentation here again:
> http://wiki.squid-cache.org/Features/SslBump
> http://wiki.squid-cache.org/Features/DynamicSslCert
> http://wiki.squid-cache.org/Features/HTTPS
> But nothing concerns trusted signed certificates :/
>
> My company wishes to offer its clients a public WIFI; I need to use
> squid for the delay pool, and possibly the cache. There is already a
> warning given on the connection where we have to accept terms of use,
> which warns the user.

Who are your "clients" - by which I mean not only what devices/browsers
but also what relationship do they have to your company?

I think (anyone correct me if I'm wrong) that delay pools do not require
you to decrypt *anything*. To cache SSL replies, inspect for
viruses/malware/bad URL paths, you do need to do so, hence SSLBump.

> So, according to you, isn't it possible?
> I think it's strange, because the WIFI is deployed, and the connection
> of clients passes through the firewall, which already deciphers packets.

I have no idea what you are talking about here. How can your firewall
possibly decipher SSL communications between <some random Wifi-connected
device> and <some web server out on the internet>? Again, this would
mean that SSL would be utterly worthless (which, despite recent
developments, it is not). Unless you got your firewall from the NSA, in
which case I'd not recommend advertising that fact on here!

>
> I don't understand why you speak about dynamic certificate
> generation; does it concern my problem? Because finally I have the
> certificate signed by GoDaddy and the private key of this certificate.

I feel like you might be wasting your time (and money) if you paid for
this. You presumably have submitted a CSR for <foo.whatever.domain> to
be signed by GoDaddy and received a certificate (.pem/.p12/.crt,
whatever) back. How do you propose to use the certificate (which only
certifies that domain) to somehow provide client browsers with a valid
certificate for whatever https:// site they choose to visit? How would a
cert for <foo.whatever.domain> have any use for someone visiting
https://mylittlepony.com (example!)? Or have we just completely missed
the point and this SSL stuff is just for your own web server behind
squid - in which case you have gone completely in the wrong direction
and need to be looking at setting up a "reverse proxy", which does not
require SSLBump at all and would indeed work with what you've just done.

>
> Anyway, thanks for your patience. :)

I fear that even if mine does not run out then that of others may do so
first. You really need to state exactly what it is you are trying to
achieve, and this has so far IMHO not happened - and your English is
perfectly good enough to do so.

Thanks

Alex
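Alex's point above, that a CA-issued leaf certificate for a single hostname cannot be the signing certificate SslBump's dynamic certificate generation needs, can be checked before anything is put into squid.conf. The script below is an added example, not part of this thread or of Squid; it assumes an openssl binary of version 1.1.1 or later (for -addext) and builds two constructed self-signed certificates to show the check failing on a leaf and passing on a CA.

```shell
#!/bin/sh
# Added example, not from the thread or from Squid: before pointing
# SslBump's dynamic certificate generation at a certificate, confirm it
# really is a CA certificate. A CA-issued leaf for one hostname (like
# the GoDaddy certificate discussed) carries CA:FALSE and cannot sign the
# per-site certificates SslBump mints, so browsers would reject them.
# Assumes an openssl binary >= 1.1.1 (for -addext).

# Return 0 if the PEM certificate in $1 asserts basicConstraints CA:TRUE
# and, if a Key Usage extension is present, allows Certificate Sign.
is_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
  fi
  return 0
}

# Self-contained demo on two constructed self-signed certificates: one
# shaped like a CA-issued leaf for a single host, one shaped like a
# private CA. The minimal config avoids the distro openssl.cnf defaults.
demo_ca_check() {
  dir=$(mktemp -d) || return 1
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=proxy.example.invalid" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private Proxy CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
  leaf_ok=1; ca_ok=1
  is_ca_cert "$dir/leaf.pem" && leaf_ok=0   # must fail: single-host leaf
  is_ca_cert "$dir/ca.pem" && ca_ok=0       # must succeed: CA:TRUE, keyCertSign
  rm -rf "$dir"
  [ "$leaf_ok" -eq 1 ] && [ "$ca_ok" -eq 0 ]
}

demo_ca_check && echo "leaf rejected, CA accepted: OK" || echo "check failed"
```

Run is_ca_cert against the certificate you actually intend to hand to Squid; if it fails, the file is a server certificate, not a CA, and no amount of configuration will make browsers trust certificates signed with it.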
Received on Fri May 30 2014 - 15:44:16 MDT