Re: [squid-users] SSL Bump and dynamic SSL generation

From: Dan Charlesworth <dan_at_getbusi.com>
Date: Mon, 12 May 2014 18:07:54 +1000

Thanks Jay! Very informative.

Dan

On 12 May 2014, at 6:02 pm, Jay Jimenez <jay_at_integralvox.com> wrote:

> Dan,
>
> Our browsers have very few and selected trusted CAs which are also
> stored in our Trusted Root Certification Authorities. Install an
> internal root CA using Microsoft Certificate Services and generate the
> CA. After generating the CA certificate, make sure that you roll out
> the certificate via GPO:
>
> Computer Configuration -> Windows Settings -> Security Settings ->
> Public Key Policies -> Trusted Publishers, and add your cert to the
> "Trusted Root Certification Authorities".
>
> Once you have the root CA certificate installed on each computer, all
> subordinate CAs will be trusted automatically. In this case, we plan to
> have your squid box hold a SUBORDINATE CA signed by your ROOT CA
> (I hope you see the chain of authority here).
>
>
> Go to your squid box and generate your .key file and certificate request (.csr).
>
> openssl genrsa -out yourkey.key 1024
>
> openssl req -new -key yourkey.key -out yourkey.csr
>
>
> Copy the content of your .csr file to your root CA web enrollment
> service (make sure the web enrollment is installed) and choose advanced
> certificate request. Paste the content of your .csr file and choose
> "SUBORDINATE Certification Authority".
>
> Click submit and download the Base64 encoded certificate file (NOT the
> DER encoded one).
>
>
> Use the downloaded .cer file and your .key file for your squid SSL bump.
>
> Your SQUID now has the subordinate CA, and any certificate generated by
> Squid will be trusted automatically because the issuer of Squid's sub
> CA is your domain root CA.
>
>
> *Our organization has an existing internal PKI that we're currently using
> for our Microsoft NPS/802.1x. That keeps us from the headache of
> installing a new self-signed CA on each computer for Squid SSL
> bumping.
>
> Regards,
> Jay
>
> On Mon, May 12, 2014 at 3:06 PM, Dan Charlesworth <dan_at_getbusi.com> wrote:
>> I for one would welcome you explaining this set up a little bit. Definitely relevant to my interests.
>>
>> Thanks!
>> Dan
>>
>> On 12 May 2014, at 4:56 pm, Jay Jimenez <jay_at_integralvox.com> wrote:
>>
>>> Tom,
>>>
>>> If your proxy users and computers are members of an Active Directory
>>> domain, you might want to use your existing internal AD public key
>>> infrastructure. The reason for this is that domain computers already
>>> trust the CA of your AD. I can explain the setup a little bit if this
>>> is the kind of IT environment you have. The main advantage of this
>>> setup is you don't need to install a self-signed CA from squid on each
>>> computer.
>>>
>>> Jay
>>>
>>> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom_at_simpleweb.co.uk> wrote:
>>>> Hi Amos,
>>>>
>>>> Thanks for that. Yes I understand the legalities, this isn't to
>>>> 'forge' anything. The users are well aware they're not looking at the
>>>> real sites.
>>>>
>>>> The CA will be installed on their systems and they will have to agree
>>>> to it. The issue is that the browser is complaining that the CN does
>>>> not match, because my local web server that represents ANY site has a
>>>> catch-all CN. Therefore I'm trying to determine a way to generate the
>>>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>>>> correct.
>>>>
>>>> The certificates I generate don't need to look like the original
>>>> because I'm not trying to trick anyone; they just need not error in
>>>> the browser.
>>>>
>>>> Thanks,
>>>> Tom
>>>>
>>>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>>>>> about, site1.com was just an example. It could be any site that I
>>>>>> don't previously know the address for.
>>>>>>
>>>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>>>> self-signed cert.
>>>>>
>>>>> One of the built-in problems with forgery is that one must have an
>>>>> original to work from in order to get even a vague resemblance of
>>>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>>>> other than high-tech forgery of the website owner's security credentials.
>>>>>
>>>>> OR ... with a blind individual doing the checking it does not matter.
>>>>>
>>>>> (Un)luckily the system design for SSL and TLS as widely used today
>>>>> places a huge blindfold (the trusted CA set) on the client software. So
>>>>> all one has to do is install the signing CA for the forged certificates
>>>>> as one of those CAs and most anything becomes possible.
>>>>> ... check carefully the legalities of doing this before doing anything.
>>>>> In some places even experimenting is a criminal offence.
>>>>>
>>>>> Amos
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Tom Holder
>>>> Systems Architect
>>>>
>>>>
>>>> Follow me on: [Twitter] [Linked In]
>>>>
>>>> www.Simpleweb.co.uk
>>>>
>>>> Tel: 0117 922 0448
>>>>
>>>> Simpleweb Ltd.
>>>> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>>>>
>>>> Simpleweb Ltd. is registered in England.
>>>> Registration no: 5929003 : V.A.T. registration no: 891600913
>>
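The chain of trust Jay lays out above (a root CA that domain machines already trust, Squid holding a subordinate CA signed by that root, and per-site certificates issued by the subordinate) modelled end to end with OpenSSL, as an added example that is not part of this thread and not Squid's own code. A locally generated root CA stands in for the Microsoft Certificate Services root, so the AD and web-enrollment steps are simulated rather than exercised; the subject names, the hostname, the file names and the "badsub" case are constructed. The key size is 2048 bits rather than the 1024 in the quoted commands. The second subordinate is signed with a server profile instead of the CA profile, which is what picking a web-server template instead of "Subordinate Certification Authority" at enrollment would yield; the verification step shows that clients then reject everything that subordinate issues, which is the check worth running before pointing Squid at the downloaded .cer.

```shell
#!/bin/sh
# Added example (not code from the thread or from Squid): model the CA chain
# Jay describes using only OpenSSL. A throwaway root CA stands in for the
# Microsoft Certificate Services root; subject names, hostname and file
# names are constructed for the demo.
set -eu

ROOT_SUBJ="/CN=Example Corp Root CA"        # placeholder subjects
SUB_SUBJ="/CN=Example Corp Squid Sub CA"

# Extension profiles: ca_ext is what the "Subordinate Certification Authority"
# template yields; server_ext is what a web-server template would yield.
write_cnf() {
  cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Stand-in for the domain root CA that GPO already pushes to every client.
make_root() {        # dir
  openssl genrsa -out "$1/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/root.key" -subj "$ROOT_SUBJ" -days 3650 \
    -config "$1/ext.cnf" -extensions ca_ext -out "$1/root.pem" 2>/dev/null
}

# On the squid box: key and CSR, as in the thread (2048 bits instead of 1024).
make_squid_csr() {   # dir name
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "$SUB_SUBJ" \
    -config "$1/ext.cnf" -out "$1/$2.csr" 2>/dev/null
}

# Stand-in for web enrollment: the root signs the CSR with the chosen template.
sign_with_root() {   # dir name profile
  openssl x509 -req -in "$1/$2.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1825 -extfile "$1/ext.cnf" -extensions "$3" \
    -out "$1/$2.pem" 2>/dev/null
}

build_demo_pki() {   # dir
  write_cnf "$1"
  make_root "$1"
  make_squid_csr "$1" sub;    sign_with_root "$1" sub    ca_ext      # right template
  make_squid_csr "$1" badsub; sign_with_root "$1" badsub server_ext  # wrong template
}

# What Squid's dynamic generation does per site: a leaf for the requested
# hostname, signed by the subordinate CA it holds.
issue_leaf() {       # dir issuer host outname
  openssl genrsa -out "$1/$4.key" 2048 2>/dev/null
  openssl req -new -key "$1/$4.key" -subj "/CN=$3" \
    -config "$1/ext.cnf" -out "$1/$4.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$1/$4.ext"
  openssl x509 -req -in "$1/$4.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 365 -extfile "$1/$4.ext" -out "$1/$4.pem" 2>/dev/null
}

# What a domain client effectively checks: trust only the root, take the
# sub CA as an untrusted intermediate, validate the leaf. Returns 0 when OK.
chain_ok() {         # dir leaf issuer
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3.pem" "$1/$2.pem" 2>/dev/null \
    | grep -q ': OK$'
}

leaf_san() {         # dir leaf -> prints e.g. DNS:www.example.com
  openssl x509 -in "$1/$2.pem" -noout -text | grep -o 'DNS:[^,]*'
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  build_demo_pki "$d"
  issue_leaf "$d" sub    www.example.com leaf_good
  issue_leaf "$d" badsub www.example.com leaf_bad
  chain_ok "$d" leaf_good sub    && echo "CA template:     $(leaf_san "$d" leaf_good) trusted"
  chain_ok "$d" leaf_bad  badsub || echo "server template: leaf rejected, issuer is not a CA"
fi
```

Run it as `sh chain-demo.sh demo`. The same `openssl verify -CAfile root.cer -untrusted squid-sub.cer some-leaf.pem` check is the thing to run against the real .cer downloaded from web enrollment: if the issued subordinate lacks `CA:TRUE` and `keyCertSign`, browsers will reject every certificate Squid generates, no matter what Squid's `http_port ... ssl-bump cert=... key=... generate-host-certificates=on` line (Squid 3.x directive names, an assumption here, not exercised by the script) points at.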
Received on Mon May 12 2014 - 08:08:07 MDT

This archive was generated by hypermail 2.2.0 : Mon May 12 2014 - 12:00:05 MDT