RE: [squid-users] SslBump and bad cert

From: Ming Fu <Ming.Fu_at_watchguard.com>
Date: Tue, 24 May 2011 17:45:19 +0000

Hi Alex,

One question about sslbump implementation, was the client side cert exchange done before squid start the ssl to the server? If so, it might be too late when squid learns that the server cert is not good. The client side cert was already sent out.

If the client side cert was exchanged after the server side, I am willing to experiment with the openssl to see if purposefully sign a flawed cert is possible.

Ming

-----Original Message-----
From: Alex Crow [mailto:alex_at_nanogherkin.com]
Sent: Tuesday, May 24, 2011 12:25 PM
To: Ming Fu
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] SslBump and bad cert

E.g. if the server cert has expired, sign an expired squid cert to the
browser. At least this will reproduce the same behavior as if the
sslbump is not turned on. The browser will warn the certificate problem
and the user can proceed at his own risk. The squid administrator can be
kept out of the loop in dealing with not so well maintained server
certificate.
> Regards,
> Ming
>

Sounds like it could work, but I don't know with openssl if it's even
possible to generate a cert that has already expired!

Alex
Received on Tue May 24 2011 - 17:45:28 MDT

This archive was generated by hypermail 2.2.0 : Wed May 25 2011 - 12:00:03 MDT