Re: [squid-users] Dynamic SSL

From: Guy Helmer <guy.helmer_at_palisadesystems.com>
Date: Thu, 14 Mar 2013 09:29:38 -0500

On Mar 14, 2013, at 9:23 AM, Hasanen AL-Bana <hasanen_at_gmail.com> wrote:

> I thought Squid can fetch the original certificate for a website and pass it to the browser instead of the one created by me,
> Isn't that how dynamic ssl generation should work ?

No, there are two parts for the asymmetric encryption used for certificates: the public key in the certificate, and the private key known only to the original web server. Without the original private key, squid can not impersonate the original web server and thus can not simply pass the real certificate to the browser.

So, dynamic SSL certificate generation involves creating 'imposter' certificates and private keys, signed with a local signing certificate that the local web browsers trust.

Guy

>
> On Thu, Mar 14, 2013 at 5:05 PM, Guy Helmer <guy.helmer_at_palisadesystems.com> wrote:
> On Mar 14, 2013, at 7:22 AM, Hasanen AL-Bana <hasanen_at_gmail.com> wrote:
>
> > Hi,
> >
> > I have successfully installed squid 3.3 compiled with ssl support
> > Interception SSL traffic is working fine with browsers loaded with my
> > self created .DER file.
> > But without it , I keep getting browser warnings , chrome doesn't
> > work at all with gmail in this case.
>
> That's correct behavior.
>
> > The question is , if I purchase a valid SSL certificate , will squid
> > be able to use it for all websites ?
> > Will user browsers accept it ?
>
> No, you can't purchase a certificate from legitimate certificate vendors that can sign other arbitrary certificates. If you could, then any site could impersonate any other site, and server authentication by certificates would be meaningless.
>
> Guy
Received on Thu Mar 14 2013 - 14:30:01 MDT
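The two points made above, that the proxy lacks the origin server's private key and that the generated certificates are only trusted where the local signing CA is installed, worked through with openssl as an added example that is not part of the thread. The hostname, file names, validity periods and the two "browser" check functions are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the mechanics of dynamic certificate
# generation, using plain openssl. Hostname and file names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test   # constructed; stands for the name the client asked for

# The origin server's key pair. Its private key never leaves the origin,
# so the proxy only ever sees origin.crt, not origin.key.
origin_server_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.crt" 2>/dev/null
}

# The proxy's local signing CA: the certificate each browser must be loaded
# with (the ".DER file" from the thread) before interception goes unwarned.
make_local_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Proxy CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Dynamic generation: a fresh key pair plus an 'imposter' certificate for
# $HOST, signed by the local CA. The proxy repeats this per host it intercepts.
mint_imposter() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/imposter.key" -out "$WORK/imposter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/imposter.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/imposter.crt" 2>/dev/null
}

# True when the private key in $2 is the one behind the certificate in $1.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# A browser with the local CA installed: the chain validates.
accepted_with_local_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/imposter.crt" >/dev/null 2>&1; }
# A browser without it (system trust store only): the chain fails, hence the warnings.
rejected_by_system_store() { ! openssl verify "$WORK/imposter.crt" >/dev/null 2>&1; }

origin_server_keypair; make_local_ca; mint_imposter
# The real certificate is useless to the proxy: no key it holds matches it.
key_matches_cert "$WORK/origin.crt" "$WORK/ca.key" || echo "origin cert + proxy key: no match"
key_matches_cert "$WORK/imposter.crt" "$WORK/imposter.key" && echo "imposter cert + imposter key: match"
accepted_with_local_ca   && echo "accepted when the local CA is trusted"
rejected_by_system_store && echo "rejected by a browser without the local CA"
```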
