Re: [squid-users] squid/sslbump + IE9

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 03 Dec 2011 16:11:50 +1300

On 3/12/2011 6:22 a.m., Sean Boran wrote:
> Well yes, we are trying to incept...
> I don't see where the "forgery" is, if my proxy CA is trusted and a
> cert is generated for that target, signed by that CA, why should the
> browser complain?

The "forgery" is that you are creating a certificate claiming to be
fetched from that website and authorizing you to act as their
intermediary with complete security clearance. When it is not. Exactly
like me presenting someone with a cheque against your bank account
signed by myself. Forgery, by the plain and simple definition of the
word. This is why the browser complains unless it has explicitly been
made to trust the CA you use to sign.

I missed the part where you had your signing CA already in the browser
and read that as the browser not complaining when only presented with
the plain cert.

> And why would FF not complain but IE9 does?

The one complaining does not trust the certificate or some part of its
CA chain. As others have said, each of the three browser engines uses
its own CA collection.

Amos
Received on Sat Dec 03 2011 - 03:12:12 MST
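
The trust-store point made in the reply above, as an added example that is not part of the original post: the same certificate is accepted by a store that contains its signing CA and rejected by one that does not. The CA names (proxy-ca, other-ca), the hostname www.example.test and the store file names are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added illustration: all names, files and hostnames below are constructed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed CA named $1 (stand-in for a proxy signing CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a leaf certificate for hostname $2, signed by CA $1.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Return 0 if the leaf chains to a CA in trust store $1 (a PEM bundle).
# The system default store may also be consulted, but it cannot contain
# a CA that was generated a moment ago.
trusts() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_ca proxy-ca
make_ca other-ca
make_leaf proxy-ca www.example.test

# Store A: the proxy CA was imported. Store B: it was not.
cat "$WORK/other-ca.pem" "$WORK/proxy-ca.pem" > "$WORK/store-a.pem"
cp "$WORK/other-ca.pem" "$WORK/store-b.pem"

for s in store-a store-b; do
  if trusts "$WORK/$s.pem"; then echo "$s: accepted"
  else echo "$s: rejected (signing CA not in this store)"; fi
done
```

To check a real deployment the same way, point `openssl verify -CAfile` at a PEM export of the trust store the complaining client actually uses.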
