Re: [squid-users] Install Godaddy certificate on squid to use ssl-bumping functionnality

From: Antoine Klein <klein.anto_at_gmail.com>
Date: Fri, 30 May 2014 10:44:26 -0400

OK, I'm really sorry, I don't understand English very well...
I read the discussion again but I am confused :/

Before this project I had no knowledge of certificates and SSL
connections, but I did some research on the subject, especially on the
Squid wiki.
I also read the documentation here again:
http://wiki.squid-cache.org/Features/SslBump
http://wiki.squid-cache.org/Features/DynamicSslCert
http://wiki.squid-cache.org/Features/HTTPS
But none of it concerns trusted signed certificates :/

My company wishes to offer its clients a public WiFi; I need to use
Squid for the delay pool, and possibly the cache. There is already a
warning given on connection, where the user has to accept terms of use,
which warns the user.

So, according to you, it isn't possible?
I find it strange, because the WiFi is deployed, and the clients'
connections pass through the firewall, which already deciphers packets.

I don't understand why you speak about dynamic certificate
generation; does it concern my problem? Because in the end I have the
certificate signed by GoDaddy and the private key of this certificate.

Anyway, thanks for your patience. :)

2014-05-29 17:14 GMT-04:00 Alex Crow <alex_at_nanogherkin.com>:
> Antoine,
>
> I really think you are completely missing the point of what everyone has
> said to you on this list.
>
> 1. SSL bumping is effectively an MITM attack against users/clients and they
> must be aware that it is happening and it must be legal in your country and
> also comply with company policy (if this is for corporate use).
> 2. You *CAN NOT* use a certificate issued by a commercial CA to do SSL
> bumping with dynamic certificate generation, full stop. It *CANNOT* work -
> if it did, SSL would be utterly useless. For everyone on the internet, not
> just your clients.
> 3. You *CAN NOT* prevent an SSL warning appearing for bumped connections
> unless you are able to install on the clients *your own CA cert*, ie *the
> very same CA* you use in Squid. Squid will need that CA's private key to be
> able to generate certs for every https site your clients visit.
>
> Please read all the Squid docs about SSL and a lot of general info about how
> SSL works (ie the trust model) as I feel we are all now at a loss in helping
> you further!
>
> Alex
>
>
>
> On 29/05/14 20:02, Antoine Klein wrote:
>>
>> Thanks for your answers !
>>
>> Alex, was your last answer for me? What is illegal?
>>
>> Finally, I managed to install the certificate; in fact my boss had the
>> private key...
>>
>> So I have another problem: Squid starts correctly with the certificate,
>> but on the client with Firefox I get this error
>> "ssl_error_bad_cert_domain" when I make an HTTPS connection.
>> Furthermore, Squid displays an error "2014/05/29 14:15:53 kid1|
>> clientNegotiateSSL: Error negotiating SSL connection on FD 11:
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> (1/0)"
>>
>> Do you know these errors?
>>
>> 2014-05-28 11:39 GMT-04:00 Alex Crow <alex_at_nanogherkin.com>:
>>>
>>> You cannot generate on the fly new certs that are signed by a commercial
>>> CA. You need a generated cert for every site your clients visit.
>>>
>>> And if you are not in control of your clients this would be not only
>>> unethical but also most likely illegal - and you won't get any further
>>> help from this list with either of those.
>>>
>>> On 28 May 2014 15:55:04 BST, Antoine Klein <klein.anto_at_gmail.com> wrote:
>>>>
>>>> I'm sending my post again because I'm not sure it was sent...
>>>>
>>>> OK, thanks all!
>>>>
>>>> I don't have control of the clients, so that's the real problem; I
>>>> can't install a certificate on their smartphones ^^.
>>>>
>>>> So according to you, if I create a CA with openssl, and create a
>>>> certificate signing request (.csr) with a private key, and if I send
>>>> my CSR to a trusted authority to sign it, I could use it in Squid
>>>> without problems, and then clients wouldn't get any warning?
>>>> I would like to be sure to avoid every problem.
>>>>
>>>> 2014-05-28 2:47 GMT-04:00 Alex Crow <alex_at_nanogherkin.com>:
>>>>>
>>>>>
>>>>> On 28/05/14 03:43, Amos Jeffries wrote:
>>>>>>
>>>>>>
>>>>>> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>>>>>>>
>>>>>>>
>>>>>>> I want to bump SSL connections, but without producing a warning of
>>>>>>> course.
>>>>>>>
>>>>>>> I read it is possible to generate a certification request with a
>>>>>>> key and send this file to an authority to sign it; do you know about
>>>>>>> that?
>>>>>>
>>>>>>
>>>>>> Having your cert signed by a widely trusted certificate authority is
>>>>>> one thing, and the basis of how TLS/SSL works.
>>>>>>
>>>>>> SSL-bump cannot be used with that type of key for the reasons Alex
>>>>>> already mentioned. He also mentioned the steps you have to take
>>>>>> instead to get it going.
>>>>>>
>>>>>> Amos
>>>>>
>>>>>
>>>>>
>>>>> Hi Antoine,
>>>>>
>>>>> You need to be a CA, ie have the CA private key, to be able to do this.
>>>>> If you are in control of the clients and know how to use OpenSSL to
>>>>> create a CA you can do this without paying any money to anyone. You
>>>>> simply create the CA and use it and its private key in your ssl-bump
>>>>> configuration.
>>>>>
>>>>>
>>>>> http_port 3128 sslBump generate-host-certificates=on
>>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
>>>>>
>>>>> proxy.pem is your private key and CA certificate concatenated.
>>>>>
>>>>> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
>>>>>
>>>>> The above line configures the crtd helpers that actually generate the
>>>>> certs for the requests, see
>>>>> http://wiki.squid-cache.org/Features/DynamicSslCert
>>>>>
>>>>> Cheers
>>>>>
>>>>> Alex
>>>>
>>>>
>>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
>>
>>
>

-- 
Antoine KLEIN
Received on Fri May 30 2014 - 14:44:33 MDT
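Added example (editor's; not code from this thread or from Squid): the replies above boil down to two facts of the X.509 trust model, and the script below acts them out with nothing but the openssl CLI so they can be checked rather than argued. It builds a fictitious "commercial" root and a leaf certificate issued by it (standing in for the GoDaddy certificate), a private bump CA of the kind Alex's http_port ... cert= line expects, and then plays four scenarios against two trust stores: an unmanaged phone that holds only the public root, and a managed client on which the bump CA was installed. It goes a little beyond the thread by also showing the host-name mismatch a client reports when the proxy presents the commercial certificate as-is. All hostnames, subjects, file names and the $WORK directory are made up for the demonstration; openssl 1.1 or newer is assumed.

```sh
#!/bin/sh
# Added example; not code from this thread or from Squid. Acts out, with the
# openssl CLI only, the trust-model points made in the replies above. Every
# name below (hostnames, CA subjects, file names, $WORK) is made up.
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK" || exit 1

# Minimal req config: a distinguished_name section is required even with -subj.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# new_ca CN PREFIX: self-signed CA certificate PREFIX.crt with key PREFIX.key
new_ca() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -days 3650 -subj "/CN=$1" -config req.cnf -extensions ca_ext \
    -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# issue_leaf HOST ISSUER_CRT ISSUER_KEY PREFIX: end-entity cert for HOST signed
# with whatever key it is handed. This is what ssl_crtd does per bumped site;
# signing with a non-CA key is not refused here, path validation is what fails.
issue_leaf() {
  printf '[leaf]\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" > "$4.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -config req.cnf -keyout "$4.key" -out "$4.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial -days 7 \
    -sha256 -extfile "$4.ext" -extensions leaf -out "$4.crt" >/dev/null 2>&1
}

# client_verdict STORE HOST LEAF [CHAIN]: the check a browser does on connect,
# using only the trust store it has. Prints OK or the X509 reason; "unable to
# get local issuer certificate" is what comes back as the 'unknown ca' alert.
client_verdict() {
  out=$(openssl verify -CAfile "$1" -untrusted "${4:-$3}" -verify_hostname "$2" "$3" 2>&1)
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
  esac
}

# Squid's http_port ... cert= file must carry the CA private key and CA cert.
proxy_pem_ok() {
  openssl pkey -in proxy.pem -noout >/dev/null 2>&1 &&
  openssl x509 -in proxy.pem -noout >/dev/null 2>&1
}

# --- the actors, all fictitious --------------------------------------------
new_ca "Fictitious Commercial Root CA" commercial_root
issue_leaf proxy.example.com commercial_root.crt commercial_root.key commercial_leaf  # the 'GoDaddy' cert
new_ca "Fictitious Public WiFi Bump CA" bump_ca
cat bump_ca.key bump_ca.crt > proxy.pem
cat commercial_root.crt > phone_store.pem                  # unmanaged phone: public roots only
cat commercial_root.crt bump_ca.crt > managed_store.pem    # client on which bump_ca.crt was installed

ORIGIN=www.example.net   # some site a guest visits over HTTPS
issue_leaf "$ORIGIN" commercial_leaf.crt commercial_leaf.key by_commercial  # generate-host-certificates with the 'GoDaddy' key
issue_leaf "$ORIGIN" bump_ca.crt bump_ca.key by_bumpca                        # same, with the private bump CA

# 1. Present the commercial cert itself for every site: chain is fine, name is wrong.
commercial_cert_as_is()      { client_verdict phone_store.pem "$ORIGIN" commercial_leaf.crt; }
# 2. Per-site certs signed with the commercial cert's key: that issuer is not a CA.
signed_by_commercial_leaf()  { client_verdict phone_store.pem "$ORIGIN" by_commercial.crt commercial_leaf.crt; }
# 3. Per-site certs from the private CA, shown to a phone that lacks it: unknown ca.
bumpca_cert_on_phone()       { client_verdict phone_store.pem "$ORIGIN" by_bumpca.crt; }
# 4. Same cert on a client where bump_ca.crt was installed: the only setup that works.
bumpca_cert_on_managed()     { client_verdict managed_store.pem "$ORIGIN" by_bumpca.crt; }

for case_fn in commercial_cert_as_is signed_by_commercial_leaf bumpca_cert_on_phone bumpca_cert_on_managed; do
  printf '%-28s %s\n' "$case_fn" "$("$case_fn")"
done
```

Run it as `sh bump-trust-demo.sh`; only the last scenario prints OK. The exact wording of the three rejections varies by OpenSSL version (for scenario 2, 1.1.x refuses to build the chain at all because the commercial leaf's keyUsage lacks keyCertSign, while 3.x builds it and then reports an invalid CA certificate), but no version accepts a certificate whose issuer is an end-entity certificate, which is why a CA-signed server certificate plus its private key cannot stand in for a CA in ssl_crtd.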

This archive was generated by hypermail 2.2.0 : Fri May 30 2014 - 12:00:06 MDT