On 28/05/14 03:43, Amos Jeffries wrote:
> On 28/05/2014 8:19 a.m., Antoine Klein wrote:
>> I want to bump ssl connections, but without produce a warning of course.
>>
>> I read it is possible to generate a request of certification with a
>> key and send this file to an authority to sign it, do you know that ?
> Having your cert signed by a widely trusted certificate authority is one
> thing, and the basis of how TLS/SSL works.
>
> SSL-bump cannot be used with that type of key for the reasons Alex
> already mentioned. He also mentioned the steps you have to take instead
> to get it going.
>
> Amos
>
Hi Antoine,
You need to be a CA, ie have the CA private key, to be able to do this.
If you are in control of the clients and know how to use OpenSsl to
create a CA you can do this without paying any money to anyone. You
simply create the CA and use it and its private key in your ssl-bump
configuration.
http_port 3128 sslBump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/proxy.pem
proxy.pem is your private key and CA certificate concatenated.
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
The above line configures the crtd helpers that actually generate the
certs for the requests, see
http://wiki.squid-cache.org/Features/DynamicSslCert
Cheers
Alex
Received on Wed May 28 2014 - 06:47:18 MDT
This archive was generated by hypermail 2.2.0 : Wed May 28 2014 - 12:00:06 MDT