Re: [squid-users] Issues with ssl-bump in 3.HEAD

From: Mike <>
Date: Fri, 13 Jun 2014 10:38:48 -0500

On 6/13/2014 10:02 AM, Alex Rousskov wrote:
> On 06/12/2014 08:36 PM, Mike wrote:
>> So then next question is how do I know for sure ssl-bump is working?
> A simple test is to look at the root CA certificate shown by the browser
> at the *top* of the certificate chain for a secure (https) site. Please
> note that you should not be looking at the site certificate. You should
> be looking at the certificate that was used to sign the site certificate
> (or the certificate that was used to sign the certificate that was used
> to sign the site certificate, etc. -- go to the root of the certificate
> chain).
> If that root certificate is yours, then the site was bumped. If it is an
> "official" root CA from a "well-known" company, the site was not bumped.
> To check SslBump for many sites, you have to examine Squid logs which is
> more difficult, especially if you test this with a mix of secure and
> insecure traffic.
> HTH,
> Alex.
If thats the case then ssl-bump is not working. The root certificates
all show the mainstream companies, Digicert, Godaddy, Verisign, etc.

Received on Fri Jun 13 2014 - 15:38:51 MDT

This archive was generated by hypermail 2.2.0 : Tue Jun 17 2014 - 12:00:06 MDT