Re: [squid-users] SSL Bump and dynamic SSL generation

From: Jay Jimenez <jay_at_integralvox.com>
Date: Mon, 12 May 2014 14:56:43 +0800

Tom,

If your proxy users and computers are members of Active Directory
Domain, you might want to use your existing internal AD public key
infrastructure. The reason for this is that domain computers already
trust the CA of your AD. I can explain the setup a little bit if this
is the kind of IT environment you have. The main advantage of this
setup is you don't need to install a self-signed CA by squid in each
computer.

Jay

On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom_at_simpleweb.co.uk> wrote:
> Hi Amos,
>
> Thanks for that. Yes I understand the legalities, this isn't to
> 'forge' anything. The users are well aware they're not looking at the
> real sites.
>
> The CA will be installed on their systems and they will have to agree
> to it. The issue is that the browser is complaining that the CN does
> not match because my local web server that represents ANY site has a
> catch all CN. Therefore I'm trying to determine a way to generate the
> correct CN before Squid tries to bump the SSL so that the CN is nearly
> correct.
>
> The certificates I generate don't need to look like the original
> because I'm not trying to trick anyone, they just need not to error in
> the browser.
>
> Thanks,
> Tom
>
> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>> about, site1.com was just an example. It could be any site that I
>>> don't previously know the address for.
>>>
>>> Therefore, the only thing I can think of is to dynamically generate a
>>> self-signed cert.
>>
>> One of the built-in problems with forgery is that one must have an
>> original to work from in order to get even a vague resemblence of
>> correctness. Don't fool yourself into thinking SSL-bump is anything
>> other than high-tech forgery of the website ownser security credentials.
>>
>> OR ... with a blind individual doing the checking it does not matter.
>>
>> (Un)luckily the system design for SSL and TLS as widely used today
>> places a huge blindfold (the trusted CA set) on the client software. So
>> all one has to do is install the signing CA for the forged certificates
>> as one of those CA and most anything becomes possible.
>> ... check carefully the legalities of doing this before doing anything.
>> In some places even experimenting is a criminal offence.
>>
>> Amos
>>
>
>
>
> --
> Tom Holder
> Systems Architect
>
>
> Follow me on: [Twitter] [Linked In]
>
> www.Simpleweb.co.uk
>
> Tel: 0117 922 0448
>
> Simpleweb Ltd.
> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>
> Simpleweb Ltd. is registered in England.
> Registration no: 5929003 : V.A.T. registration no: 891600913
Received on Mon May 12 2014 - 06:56:51 MDT

This archive was generated by hypermail 2.2.0 : Mon May 12 2014 - 12:00:05 MDT