Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionality

From: Alex Crow <alex_at_nanogherkin.com>
Date: Thu, 29 May 2014 22:14:51 +0100

Antoine,

I really think you are completely missing the point of what everyone has
said to you on this list.

1. SSL bumping is effectively an MITM attack against users/clients and
they must be aware that it is happening and it must be legal in your
country and also comply with company policy (if this is for corporate use).
2. You *CAN NOT* use a certificate issued by a commercial CA to do SSL
bumping with dynamic certificate generation, full stop. It *CANNOT* work
- if it did, SSL would be utterly useless. For everyone on the internet,
not just your clients.
3. You *CAN NOT* prevent an SSL warning appearing for bumped connections
unless you are able to install on the clients *your own CA cert*, ie
*the very same CA* you use in Squid. Squid will need that CA's private
key to be able to generate certs for every https site your clients visit.

Please read all the Squid docs about SSL and a lot of general info about
how SSL works (ie the trust model) as I feel we are all now at a loss in
helping you further!

Alex

On 29/05/14 20:02, Antoine Klein wrote:
> Thanks for your answers!
>
> Alex, was your last answer for me? What is illegal?
>
> Finally, I managed to install the certificate; in fact my boss had the
> private key...
>
> So I have another problem: Squid starts correctly with the certificate,
> but on the client with Firefox I have this error
> "ssl_error_bad_cert_domain" when I make an HTTPS connection.
> Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
> clientNegotiateSSL: Error negotiating SSL connection on FD 11:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> (1/0)"
>
> Do you know these errors?
>
> 2014-05-28 11:39 GMT-04:00 Alex Crow <alex_at_nanogherkin.com>:
>> You cannot generate on the fly new certs that are signed by a commercial CA.
>> You need a generated cert for every site your clients visit.
>>
>> And if you are not in control of your clients this would be not only
>> unethical but also most likely illegal - and you won't get any further help
>> from this list with either of those.
>>
>> On 28 May 2014 15:55:04 BST, Antoine Klein <klein.anto_at_gmail.com> wrote:
>>> I am sending my post again because I'm not sure it was sent...
>>>
>>> OK, thanks all!
>>>
>>> I am not in control of the clients, so that's the real problem: I can't
>>> install a certificate on their smartphones ^^.
>>>
>>> So according to you, if I create a CA with openssl, and create a
>>> certification signing request (.csr) with a private key, and if I send
>>> my csr to a trusted authority to sign it, I could use it in Squid
>>> without problems, then clients wouldn't have any warning?
>>> I would like to be sure to avoid every problem.
>>>
>>> 2014-05-28 2:47 GMT-04:00 Alex Crow <alex_at_nanogherkin.com>:
>>>>
>>>> On 28/05/14 03:43, Amos Jeffries wrote:
>>>>>
>>>>> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>>
>>>>>> I want to bump ssl connections, but without producing a warning, of
>>>>>> course.
>>>>>>
>>>>>> I read it is possible to generate a request of certification with a
>>>>>> key and send this file to an authority to sign it; do you know about that?
>>>>>
>>>>> Having your cert signed by a widely trusted certificate authority is one
>>>>> thing, and the basis of how TLS/SSL works.
>>>>>
>>>>> SSL-bump cannot be used with that type of key for the reasons Alex
>>>>> already mentioned. He also mentioned the steps you have to take instead
>>>>> to get it going.
>>>>>
>>>>> Amos
>>>>
>>>>
>>>> Hi Antoine,
>>>>
>>>> You need to be a CA, ie have the CA private key, to be able to do this. If
>>>> you are in control of the clients and know how to use OpenSsl to create a CA
>>>> you can do this without paying any money to anyone. You simply create the CA
>>>> and use it and its private key in your ssl-bump configuration.
>>>>
>>>>
>>>> http_port 3128 sslBump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>>
>>>> proxy.pem is your private key and CA certificate concatenated.
>>>>
>>>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>
>>>> The above line configures the crtd helpers that actually generate the certs
>>>> for the requests, see
>>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>>
>>>> Cheers
>>>>
>>>> Alex
>>>
>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
>
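A worked illustration of the three points Alex makes above, added here as an example; it is not from this thread, from Alex or Amos, or from the Squid project. It uses only the openssl command line: it builds a private bump CA and concatenates its key and certificate into proxy.pem (the shape of the cert= file in the http_port line quoted above), builds a stand-in for a public CA plus a certificate "bought" from it, and then uses openssl verify to check what a client would accept in each case. The CA names and hostnames (Example Bump CA, Simulated Public CA, www.example.test, proxy.example.test) are made up, and the stand-in public CA is an assumption in place of a real commercial root.

```shell
#!/bin/sh
# Added example for this thread; not from the list, Squid, or any poster.
# With OpenSSL it shows the three points made in the mail above:
#   - a private CA (key + cert concatenated) is what proxy.pem in http_port is,
#   - a certificate bought from a public CA cannot issue working per-site certs,
#   - per-site certs minted by the bump CA verify only where that CA is installed.
# All names (Example Bump CA, Simulated Public CA, *.example.test) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed CA named $1, written to $2.key and $2.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# End-entity (CA:FALSE) cert for host $1, signed with issuer key $2 and cert $3,
# written to $4.key and $4.crt. This is the shape of what ssl_crtd mints for each
# site, and also the shape of what a public CA sells you.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$1" \
    -keyout "$4.key" -out "$4.csr" >/dev/null 2>&1
  printf 'basicConstraints = critical, CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" \
    > "$4.ext"
  openssl x509 -req -in "$4.csr" -CA "$3" -CAkey "$2" -CAcreateserial -days 30 \
    -extfile "$4.ext" -out "$4.crt" >/dev/null 2>&1
}

# Does a client whose trust store is exactly the bundle $1 accept cert $2 for host $3?
client_accepts() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Point 2 of the mail: use a bought end-entity cert and its private key as the
# issuer. Even if openssl agrees to sign, a chain through a CA:FALSE cert is
# rejected by every verifier, so the minted cert is useless.
bought_cert_can_issue() {
  make_leaf www.example.test "$WORK/bought.key" "$WORK/bought.crt" "$WORK/minted" \
    || return 1
  openssl verify -CAfile "$WORK/public_ca.crt" -untrusted "$WORK/bought.crt" \
    "$WORK/minted.crt" >/dev/null 2>&1
}

# Point 3: a client with only the public store rejects the bumped cert (the
# client side of "unknown ca"); a client with the bump CA installed accepts it,
# and only for the host named in the cert.
public_store_accepts_bumped()       { client_accepts "$WORK/public_ca.crt" "$WORK/site.crt" www.example.test; }
bump_ca_client_accepts_bumped()     { client_accepts "$WORK/bump_ca.crt"   "$WORK/site.crt" www.example.test; }
bump_ca_client_accepts_wrong_host() { client_accepts "$WORK/bump_ca.crt"   "$WORK/site.crt" other.example.test; }

# Set-up: the bump CA (Squid needs its private key), a stand-in for a public CA,
# a cert "bought" from it, and one site cert minted by the bump CA.
make_ca "Example Bump CA"     "$WORK/bump_ca"
make_ca "Simulated Public CA" "$WORK/public_ca"
cat "$WORK/bump_ca.key" "$WORK/bump_ca.crt" > "$WORK/proxy.pem"   # the cert= file
make_leaf proxy.example.test "$WORK/public_ca.key" "$WORK/public_ca.crt" "$WORK/bought"
make_leaf www.example.test   "$WORK/bump_ca.key"   "$WORK/bump_ca.crt"   "$WORK/site"

report() { if "$1"; then echo "$1: yes"; else echo "$1: no"; fi; }
report public_store_accepts_bumped          # no
report bump_ca_client_accepts_bumped        # yes
report bump_ca_client_accepts_wrong_host    # no
report bought_cert_can_issue                # no
```

Run it with sh on a machine with OpenSSL 1.1.0 or newer (for -verify_hostname). The four answers are no / yes / no / no: a client holding only the public store rejects the bumped certificate, which is the client-side counterpart of the "tlsv1 alert unknown ca" a browser sends back when it distrusts the issuer; a client with the bump CA installed accepts it, but only for the host named in the certificate; and a bought end-entity certificate, even with its private key in hand, cannot issue anything a verifier accepts, because it carries CA:FALSE.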
Received on Thu May 29 2014 - 21:14:55 MDT

This archive was generated by hypermail 2.2.0 : Fri May 30 2014 - 12:00:06 MDT