Tom,
No problem. Make sure you have the latest version of Squid or at least
version 3.3 to use server-first
Jay
On Mon, May 12, 2014 at 3:54 PM, Tom Holder <tom_at_simpleweb.co.uk> wrote:
> Thanks Jay, it's not the CA I have an issue with, I can easily get
> that installed.
>
> On Mon, May 12, 2014 at 7:56 AM, Jay Jimenez <jay_at_integralvox.com> wrote:
>> Tom,
>>
>> If your proxy users and computers are members of Active Directory
>> Domain, you might want to use your existing internal AD public key
>> infrastructure. The reason for this is that domain computers already
>> trust the CA of your AD. I can explain the setup a little bit if this
>> is the kind of IT environment you have. The main advantage of this
>> setup is you don't need to install a self-signed CA by squid in each
>> computer.
>>
>> Jay
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Mon, May 12, 2014 at 2:41 PM, Tom Holder <tom_at_simpleweb.co.uk> wrote:
>>> Hi Amos,
>>>
>>> Thanks for that. Yes I understand the legalities, this isn't to
>>> 'forge' anything. The users are well aware they're not looking at the
>>> real sites.
>>>
>>> The CA will be installed on their systems and they will have to agree
>>> to it. The issue is that the browser is complaining that the CN does
>>> not match because my local web server that represents ANY site has a
>>> catch all CN. Therefore I'm trying to determine a way to generate the
>>> correct CN before Squid tries to bump the SSL so that the CN is nearly
>>> correct.
>>>
>>> The certificates I generate don't need to look like the original
>>> because I'm not trying to trick anyone, they just need not to error in
>>> the browser.
>>>
>>> Thanks,
>>> Tom
>>>
>>> On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>> On 12/05/2014 9:42 a.m., Tom Holder wrote:
>>>>> Thanks for your help Walter, problem is, which I wasn't too clear
>>>>> about, site1.com was just an example. It could be any site that I
>>>>> don't previously know the address for.
>>>>>
>>>>> Therefore, the only thing I can think of is to dynamically generate a
>>>>> self-signed cert.
>>>>
>>>> One of the built-in problems with forgery is that one must have an
>>>> original to work from in order to get even a vague resemblence of
>>>> correctness. Don't fool yourself into thinking SSL-bump is anything
>>>> other than high-tech forgery of the website ownser security credentials.
>>>>
>>>> OR ... with a blind individual doing the checking it does not matter.
>>>>
>>>> (Un)luckily the system design for SSL and TLS as widely used today
>>>> places a huge blindfold (the trusted CA set) on the client software. So
>>>> all one has to do is install the signing CA for the forged certificates
>>>> as one of those CA and most anything becomes possible.
>>>> ... check carefully the legalities of doing this before doing anything.
>>>> In some places even experimenting is a criminal offence.
>>>>
>>>> Amos
>>>>
>>>
>>>
>>>
>>> --
>>> Tom Holder
>>> Systems Architect
>>>
>>>
>>> Follow me on: [Twitter] [Linked In]
>>>
>>> www.Simpleweb.co.uk
>>>
>>> Tel: 0117 922 0448
>>>
>>> Simpleweb Ltd.
>>> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>>>
>>> Simpleweb Ltd. is registered in England.
>>> Registration no: 5929003 : V.A.T. registration no: 891600913
>
>
>
> --
> Tom Holder
> Systems Architect
>
>
> Follow me on: [Twitter] [Linked In]
>
> www.Simpleweb.co.uk
>
> Tel: 0117 922 0448
>
> Simpleweb Ltd.
> Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
>
> Simpleweb Ltd. is registered in England.
> Registration no: 5929003 : V.A.T. registration no: 891600913
Received on Mon May 12 2014 - 08:05:38 MDT
This archive was generated by hypermail 2.2.0 : Mon May 12 2014 - 12:00:05 MDT