Re: [squid-users] The method for SSL Mitm Proxying without browser warnings

From: Oguz Yilmaz <oguzyilmazlist_at_gmail.com>
Date: Wed, 15 Dec 2010 09:11:32 +0200

The error on IE is "The security service presented by this web site
issued for a different web sites address.". I think it is about need
for wildcard certificates. Is it?

--
Oguz YILMAZ
On Wed, Dec 15, 2010 at 8:52 AM, Oguz Yilmaz <oguzyilmazlist_at_gmail.com> wrote:
> On Tue, Dec 14, 2010 at 9:13 PM, Michael Leong
> <Michael.Leong_at_digitalglobe.com> wrote:
>> One of the features of SSL is to detect the MITM you're doing.  You need to
>> manually add the squid cert on each browser as a trusted CA to prevent those
>> warnings.
>
> Actually I have added the cert to IE Intermediate Certification
> authorities and Trusted Root certificates. The error continues. May it
> be about the name of the site does not match the certificate issued
> for field? How can I create the right certificate?
>
>>
>>
>>
>> On 12/14/2010 12:31 AM, Oguz Yilmaz wrote:
>>
>> Dear all,
>>
>> I have enabled my proxy for transparent SSL Mitm proxying. Traffic for
>> destination tcp 443 is DNAT'ed to localhost:8443 through iptables.
>> This part is working. I am able to browse the internet sites. For each
>> SSL site, for once, browser gives a warning of Mitm. It should, of
>> course.
>> However I want to learn the way to remove any warning by through
>> manually adding a certificate to Trusted Key Store of Internet
>> Explorer or Firefox.
>>
>> Squid conf param:
>> https_port 8443 cert=/etc/squid/certs/sslfilter.crt
>> key=/etc/squid/certs/sslfilter.key protocol=https accel vhost
>> defaultsite=google.com
>>
>> The way I have created the certificate and key:
>>
>> openssl genrsa -rand
>> /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime
>> 1024 > /etc/squid/certs/sslfilter.key
>>
>> cat << EOF | openssl req -new -key /etc/squid/certs/sslfilter.key
>> -x509 -days 1825 -out /etc/squid/certs/sslfilter.crt
>> TR
>> ANK
>> Ankara
>> Info
>> Customer IT
>> SSL Filtering Proxy
>> support_at_domain
>> EOF
>>
>>
>> Regards,
>>
>> --
>> Oguz YILMAZ
>>
>
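The IE error quoted above is a hostname mismatch, not a trust problem: the browser compares the visited host against the certificate's Subject Alternative Name dNSNames (falling back to the CN only when no SAN is present), and a single certificate with CN "SSL Filtering Proxy" cannot match any site. The following is an added example written for this thread, not Squid or OpenSSL code; it reproduces that RFC 6125 style check in pure Python so the wildcard question can be answered concretely (a wildcard covers exactly one label of one domain). The certificate values are constructed from the thread.

```python
"""Hostname matching as a browser performs it before showing the
"issued for a different web site's address" warning (added example)."""
from typing import Optional, Sequence


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is insignificant.
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a host."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Browsers accept a wildcard only as the entire leftmost label and
    # refuse to let it stand for a public suffix, so "*.com" is rejected.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one label: "*.google.com" matches
    # "www.google.com" but neither "google.com" nor "a.b.google.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_matches_host(hostname: str,
                             san_dns_names: Sequence[str],
                             common_name: Optional[str]) -> bool:
    """Decide as a browser does: SAN dNSNames win; CN is only a fallback."""
    if san_dns_names:
        return any(dns_name_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and dns_name_matches(common_name, hostname)


# Constructed from the thread: the self-signed proxy certificate carries
# CN "SSL Filtering Proxy" and no SAN, so it matches no site the user visits.
PROXY_CERT = {"san": [], "cn": "SSL Filtering Proxy"}

if __name__ == "__main__":
    for host in ("www.google.com", "mail.google.com", "google.com"):
        ok = certificate_matches_host(host, PROXY_CERT["san"], PROXY_CERT["cn"])
        print(f"{host}: {'OK' if ok else 'name mismatch warning'}")
```

Running the block shows every host producing the mismatch warning; swapping in a SAN of "*.google.com" clears www and mail but still not the bare domain, which is why one static wildcard certificate cannot silence the warning for arbitrary sites.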
Received on Wed Dec 15 2010 - 07:11:58 MST

This archive was generated by hypermail 2.2.0 : Wed Dec 15 2010 - 12:00:03 MST