RE: [squid-users] Dynamic SSL

From: Sébastien WENSKE <sebastien_at_wenske.fr>
Date: Thu, 14 Mar 2013 18:01:26 +0000

Hi Hasanen,

All certificates are generated on-the-fly by your Squid CA, which is self-signed.
So you have to install/deploy this self-signed Root CA on all your clients.

Cheers!
Sebastien WENSKE
-----Original Message-----
From: Hasanen AL-Bana [mailto:hasanen_at_gmail.com]
Sent: Thursday, 14 March 2013 18:54
To: Guy Helmer
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Dynamic SSL

Thank you Guy for your clarification,

So you are saying that the only way to achieve squid https interception is to force users to upload our squid certificate to their browser, or they will have to deal with the browser warnings....

On Thu, Mar 14, 2013 at 5:29 PM, Guy Helmer <guy.helmer_at_palisadesystems.com> wrote:
>
> On Mar 14, 2013, at 9:23 AM, Hasanen AL-Bana <hasanen_at_gmail.com> wrote:
>
> > I thought Squid can fetch the original certificate for a website and
> > pass it to the browser instead of the one created by me, Isn't that
> > how dynamic ssl generation should work ?
>
> No, there are two parts for the asymmetric encryption used for
> certificates: the public key in the certificate, and the private key
> known only to the original web server. Without the original private
> key, squid can not impersonate the original web server and thus can
> not simply pass the real certificate to the browser.
>
> So, dynamic SSL certificate generation involves creating "imposter"
> certificates and private keys, signed with a local signing certificate
> that the local web browsers trust.
>
> Guy
>
> >
> > On Thu, Mar 14, 2013 at 5:05 PM, Guy Helmer
> > <guy.helmer_at_palisadesystems.com> wrote:
> > On Mar 14, 2013, at 7:22 AM, Hasanen AL-Bana <hasanen_at_gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I have successfully installed squid 3.3 compiled with ssl support
> > > Interception SSL traffic is working fine with browsers loaded with
> > > my self created .DER file.
> > > But without it, I keep getting browser warnings, chrome
> > > doesn't work at all with gmail in this case.
> >
> > That's correct behavior.
> >
> > > The question is, if I purchase a valid SSL certificate, will
> > > squid be able to use it for all websites ?
> > > Will user browsers accept it ?
> >
> > No, you can't purchase a certificate from legitimate certificate
> > vendors that can sign other arbitrary certificates. If you could,
> > then any site could impersonate any other site, and server
> > authentication by certificates would be meaningless.
> >
> > Guy
>
>
>
>

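The mechanics described in this thread, as an added example that is not part of the list discussion: a self-signed root CA (with the DER copy that has to be deployed to clients), an on-the-fly "imposter" certificate for one host signed by that CA, and a verification that only succeeds when the root is trusted. File names, subject names and the host name are constructed for the demo; the commands use plain openssl rather than Squid's own ssl_crtd helper.

```shell
#!/bin/sh
# Added example (not from the thread): what Squid's interception CA setup and
# per-site certificate generation amount to, done with plain openssl.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo" >&2; exit 0; }

# Self-signed root CA that Squid signs with. Squid expects key and cert in one
# PEM file; the DER copy is what gets imported into client browsers.
make_ca() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    openssl genrsa -out "$dir/ca.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$dir/ca.key" -subj "/CN=Squid Interception CA" -out "$dir/ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
    cat "$dir/ca.key" "$dir/ca.crt" > "$dir/myCA.pem"
    openssl x509 -in "$dir/ca.crt" -outform DER -out "$dir/myCA.der"
}

# "Imposter" leaf for one host: a fresh key pair whose certificate is signed by
# the local CA. The real site's private key is never involved, which is why
# its real certificate cannot simply be passed through.
make_imposter_cert() {
    dir=$1; host=$2
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/$host.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$dir/$host.ext" -out "$dir/$host.crt" >/dev/null 2>&1
}

# Exit 0 if the certificate chains to the given CA file. With an empty CA file
# argument the default trust store is used: a client without the deployed root.
verify_chain() {
    cert=$1; cafile=$2
    if [ -n "$cafile" ]; then openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
    else openssl verify "$cert" >/dev/null 2>&1; fi
}

# Issuer of a certificate: a quick client-side check for whether a site
# certificate was minted by the interception CA instead of a public CA.
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    make_imposter_cert "$d" www.example.com
    echo "issuer: $(cert_issuer "$d/www.example.com.crt")"
    verify_chain "$d/www.example.com.crt" "$d/ca.crt" && echo "trusted with the deployed root CA"
    verify_chain "$d/www.example.com.crt" "" || echo "untrusted without it (the browser warning)"
}
demo
```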
Received on Thu Mar 14 2013 - 18:04:51 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 15 2013 - 12:00:05 MDT