Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <mcsnv96_at_afo.net>
Date: Fri, 13 Jun 2014 10:38:48 -0500

On 6/13/2014 10:02 AM, Alex Rousskov wrote:
> On 06/12/2014 08:36 PM, Mike wrote:
>
>> So then next question is how do I know for sure ssl-bump is working?
> A simple test is to look at the root CA certificate shown by the browser
> at the *top* of the certificate chain for a secure (https) site. Please
> note that you should not be looking at the site certificate. You should
> be looking at the certificate that was used to sign the site certificate
> (or the certificate that was used to sign the certificate that was used
> to sign the site certificate, etc. -- go to the root of the certificate
> chain).
>
> If that root certificate is yours, then the site was bumped. If it is an
> "official" root CA from a "well-known" company, the site was not bumped.
>
> To check SslBump for many sites, you have to examine Squid logs which is
> more difficult, especially if you test this with a mix of secure and
> insecure traffic.
>
>
> HTH,
>
> Alex.
>
If that's the case then ssl-bump is not working. The root certificates
all show the mainstream companies, DigiCert, GoDaddy, VeriSign, etc.

Mike
Received on Fri Jun 13 2014 - 15:38:51 MDT
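
The root-of-chain check described in the quoted reply can be scripted. The following is an added example, not part of the original thread: it parses the "Certificate chain" section of `openssl s_client` output and compares the topmost issuer with the proxy's CA name. The sample outputs and all names in them (including "Example Squid Proxy CA") are constructed, and matching by CN is a quick check only; comparing certificate fingerprints against your CA file is stricter.

```python
import re

# Constructed sample: the "Certificate chain" part of `openssl s_client` output
# for a bumped connection. All names are made up for this example.
BUMPED = """\
Certificate chain
 0 s:/C=US/O=Example Shop/CN=www.example.com
   i:/O=Example Corp/CN=Example Squid Proxy CA
---
"""

# Constructed sample in the newer "CN = value" layout, not bumped.
DIRECT = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Public CA Inc, CN = Example Public Issuing CA
 1 s:C = US, O = Example Public CA Inc, CN = Example Public Issuing CA
   i:C = US, O = Example Public CA Inc, CN = Example Public Root CA
---
"""

def common_name(dn):
    """Pull CN out of either '/O=x/CN=y' or 'O = x, CN = y' layouts."""
    m = re.search(r"(?:^|[/,])\s*CN\s*=\s*([^/,\n]+)", dn)
    return m.group(1).strip() if m else None

def chain_issuers(s_client_output):
    """Return the issuer CN of every certificate listed, leaf first."""
    issuers, in_chain = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain and line.strip().startswith("i:"):
            issuers.append(common_name(line.strip()[2:]))
    return issuers

def was_bumped(s_client_output, proxy_ca_cn):
    """True when the topmost issuer in the chain is the proxy's own CA."""
    issuers = chain_issuers(s_client_output)
    if not issuers:
        raise ValueError("no certificate chain found in input")
    return issuers[-1] == proxy_ca_cn

if __name__ == "__main__":
    for name, text in (("bumped", BUMPED), ("direct", DIRECT)):
        print(name, chain_issuers(text), was_bumped(text, "Example Squid Proxy CA"))
```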
