Re: [CentOS] latest skype (version 8.16.0.4) on Centos 7

2018-03-05 Thread Fred Smith
On Mon, Mar 05, 2018 at 09:29:51PM +0100, wwp wrote:
> Hello Fred,
> 
> 
> On Mon, 5 Mar 2018 13:53:16 -0500 Fred Smith  
> wrote:
> 
> > I've finally been reduced to having to install Skype on my Linux box.
> > I resisted for years, but now ended up trying it.
> > 
> > and while the latest RPM installs just fine, it refuses to acknowledge
> > that I have a microphone!
> > 
> > In fact I have two: 1 in the USB web cam (it finds the cam), the second
> > in a Plantronics USB headset, which works fine but not with skype.
> > it is as if it doesn't exist.
> > 
> > So, when I connect to someone I can hear them, see them, and they can
> > see me, but I'm producing no sound output.
> > 
> > All the web hits I can find for nonfunctional microphone on the web
> > are for Ubuntu. GAH!
> > 
> > running ldd against the skypeforlinux binary results in a huge list
> > of shared libraries, including libasound (which is what the ubuntu
> > messages say is missing).
> 
> Using the same skype version (and former ones), with various
> input/output hardware (not the ones you have), I encounter no issue
> here with sound setup (I know this doesn't help, sorry). Are you able
> to use the hardware you described, especially the input device, with
> other software in this CentOS7, starting with alsamixer?

the Plantronics USB headset works great as both earphones and as a mic.
I use it regularly for videoconferences using various web-based
meeting/conference apps.

whenever I plug in the USB headset I have to use pavucontrol to manage
sound. whenever it is not plugged in, I use the sound app in the upper
menu, which turns out to be mate-volume-control (yes, I use the Mate
desktop, not Gnome). This seems weird, but I've grown used to it.

With skype, the audio settings menu refuses to admit to there being any
such audio device attached to the system.

Subsequent to my posting, I discovered that my ancient analog phone/mic
headset works with skype, so I'm more or less set--except I like the
Plantronics a lot better. it (the analog one, not the USB) has two 1/8
inch phone plugs, one pink, one green. plug 'em into the pink and green
jacks, hack at the sound settings for a while, turn off the speakers
(cause the system won't mute them when the phones are plugged in)
and voila.

Fred

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
   I can do all things through Christ 
  who strengthens me.
-- Philippians 4:13 ---
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] latest skype (version 8.16.0.4) on Centos 7

2018-03-05 Thread wwp
Hello Fred,


On Mon, 5 Mar 2018 13:53:16 -0500 Fred Smith  
wrote:

> I've finally been reduced to having to install Skype on my Linux box.
> I resisted for years, but now ended up trying it.
> 
> and while the latest RPM installs just fine, it refuses to acknowledge
> that I have a microphone!
> 
> In fact I have two: 1 in the USB web cam (it finds the cam), the second
> in a Plantronics USB headset, which works fine but not with skype.
> it is as if it doesn't exist.
> 
> So, when I connect to someone I can hear them, see them, and they can
> see me, but I'm producing no sound output.
> 
> All the web hits I can find for nonfunctional microphone on the web
> are for Ubuntu. GAH!
> 
> running ldd against the skypeforlinux binary results in a huge list
> of shared libraries, including libasound (which is what the ubuntu
> messages say is missing).

Using the same skype version (and former ones), with various
input/output hardware (not the ones you have), I encounter no issue
here with sound setup (I know this doesn't help, sorry). Are you able
to use the hardware you described, especially the input device, with
other software in this CentOS7, starting with alsamixer?


Regards,

-- 
wwp




Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Andrew Holway
Wouldn't filtering the DNS be more practical?

On 5 March 2018 at 18:57, Leon Fauster  wrote:

>
> > On 05.03.2018 at 15:34, Bill Gee wrote:
> >
> >
> > On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
> >> On 05.03.2018 at 13:04, Nicolas Kovacs wrote:
> >>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>  So far, I've only been able to filter HTTP.
> 
>  Do any of you do transparent HTTPS filtering ? Any suggestions,
>  advice, caveats, do's and don'ts ?
> >>>
> >>> After a week of trial and error, transparent HTTPS filtering works
> >>> perfectly. I wrote a detailed blog article about it.
> >>>
> >>> https://blog.microlinux.fr/squid-https-centos/
> >>
> >> I wonder if this works with all https enabled sites? Chrome has
> >> capabilities hardcoded to check google certificates. Certificate
> >> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
> >> the end node to identify MITM. I hope that such setup will be impractical
> >> in the near future.
> >>
> >> About your legal requirements; Weighing is what courts daily do. So,
> >> such requirements are not asking you to destroy the integrity and
> >> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
> >> Ports are the way to go.
> >>
> >> --
> >> LF
> >
> > Although not really related to CentOS, I do have some thoughts on this.
> I
> > used to work in the IT department of a public library.  One of the big
> > considerations at a library is patron privacy.  We went to great lengths
> to
> > NOT record what web sites were visited by our patrons.  We also deny
> requests
> > from anyone to find out what books a patron has checked out.
> >
> > The library is required by law to provide web filtering, mainly because
> we
> > have public-use computers which are used by children.  For http this is
> easy.
> > Https is, as this discussion reveals, a different animal.
> >
> > We started to set up a filter which would run directly on our router
> (Juniper
> > SRX-series) using EWF software.  It quickly became apparent that any
> kind of
> > https filtering requires a MITM attack.  We were basically decrypting the
> > patron's web traffic on our router, then encrypting it again with a
> different
> > cert.
> >
> > When we realized what it would take, we had a HUGE internal discussion
> about
> > how to proceed.  Yeah, the lawyers were all over it!  In the end we
> decided to
> > not attempt to filter https traffic except by whatever was not encrypted.
> > Basically that means web site names.
> >
> > Our test case was the Playboy web site.  They are available on https,
> but they
> > do not automatically redirect http to https.  If you open playboy [dot]
> com
> > with no protocol specified, it goes over http.  Our existing filter
> blocked
> > that.  However, if you open https[colon]// playboy [dot] com, it goes
> straight
> > in.  The traffic never goes over http, so the filter on the router never
> > processes it.
> >
> > Security by obscurity ...  It was the best we could do without violating
> our
> > own policies on patron privacy.
>
>
> All browsers send "server_name" [*] in their https requests. That is the
> domain part of the URI. So, you can identify the requested https site
> without decrypting (because it's a "let's call it a header" that includes
> this information) and without damaging the privacy.
>
> [*] https://tools.ietf.org/html/rfc6066
>
> --
> LF
>
>


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread John Ratliff

On 2/28/2018 4:23 PM, Nicolas Kovacs wrote:

Hi,

I've been running Squid successfully on CentOS 7 (and before that on 6
and 5), and it's always been running nicely. I've been using it mostly
as a transparent proxy filter in school networks.

So far, I've only been able to filter HTTP.

Do any of you do transparent HTTPS filtering ? Any suggestions, advice,
caveats, do's and don'ts ?

Cheers from the snowy South of France,

Niki



I made a video on doing this yesterday on Debian. If you skip the part 
about the Debian install and use the CentOS Squid 3.5 packages from the 
binary package repo provided by Squid, you should be able to follow the 
same directions.


https://www.youtube.com/watch?v=Bogdplu_lsE


[CentOS] latest skype (version 8.16.0.4) on Centos 7

2018-03-05 Thread Fred Smith
Hi all!

I've finally been reduced to having to install Skype on my Linux box.
I resisted for years, but now ended up trying it.

and while the latest RPM installs just fine, it refuses to acknowledge
that I have a microphone!

In fact I have two: 1 in the USB web cam (it finds the cam), the second
in a Plantronics USB headset, which works fine but not with skype.
it is as if it doesn't exist.

So, when I connect to someone I can hear them, see them, and they can
see me, but I'm producing no sound output.

All the web hits I can find for nonfunctional microphone on the web
are for Ubuntu. GAH!

running ldd against the skypeforlinux binary results in a huge list
of shared libraries, including libasound (which is what the ubuntu
messages say is missing).

Anybody got a clue?

Thanks in advance!

Fred
-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
  "For him who is able to keep you from falling and to present you before his 
 glorious presence without fault and with great joy--to the only God our Savior
 be glory, majesty, power and authority, through Jesus Christ our Lord, before
 all ages, now and forevermore! Amen."
- Jude 1:24,25 (niv) -


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Leon Fauster

> On 05.03.2018 at 15:34, Bill Gee wrote:
> 
> 
> On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
>> On 05.03.2018 at 13:04, Nicolas Kovacs wrote:
>>> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
 So far, I've only been able to filter HTTP.
 
 Do any of you do transparent HTTPS filtering ? Any suggestions,
 advice, caveats, do's and don'ts ?
>>> 
>>> After a week of trial and error, transparent HTTPS filtering works
>>> perfectly. I wrote a detailed blog article about it.
>>> 
>>> https://blog.microlinux.fr/squid-https-centos/
>> 
>> I wonder if this works with all https enabled sites? Chrome has
>> capabilities hardcoded to check google certificates. Certificate
>> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
>> the end node to identify MITM. I hope that such setup will be impractical
>> in the near future.
>> 
>> About your legal requirements; Weighing is what courts daily do. So,
>> such requirements are not asking you to destroy the integrity and
>> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
>> Ports are the way to go.
>> 
>> --
>> LF
> 
> Although not really related to CentOS, I do have some thoughts on this.  I 
> used to work in the IT department of a public library.  One of the big 
> considerations at a library is patron privacy.  We went to great lengths to 
> NOT record what web sites were visited by our patrons.  We also deny requests 
> from anyone to find out what books a patron has checked out.  
> 
> The library is required by law to provide web filtering, mainly because we 
> have public-use computers which are used by children.  For http this is easy. 
>  
> Https is, as this discussion reveals, a different animal.
> 
> We started to set up a filter which would run directly on our router (Juniper 
> SRX-series) using EWF software.  It quickly became apparent that any kind of 
> https filtering requires a MITM attack.  We were basically decrypting the 
> patron's web traffic on our router, then encrypting it again with a different 
> cert.  
> 
> When we realized what it would take, we had a HUGE internal discussion about 
> how to proceed.  Yeah, the lawyers were all over it!  In the end we decided 
> to 
> not attempt to filter https traffic except by whatever was not encrypted.  
> Basically that means web site names.
> 
> Our test case was the Playboy web site.  They are available on https, but 
> they 
> do not automatically redirect http to https.  If you open playboy [dot] com 
> with no protocol specified, it goes over http.  Our existing filter blocked 
> that.  However, if you open https[colon]// playboy [dot] com, it goes 
> straight 
> in.  The traffic never goes over http, so the filter on the router never 
> processes it.
> 
> Security by obscurity ...  It was the best we could do without violating our 
> own policies on patron privacy.


All browsers send "server_name" [*] in their https requests. That is the
domain part of the URI. So, you can identify the requested https site
without decrypting (because it's a "let's call it a header" that includes
this information) and without damaging the privacy.

[*] https://tools.ietf.org/html/rfc6066

--
LF




Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Valeri Galtsev



On 03/05/18 10:21, Nicolas Kovacs wrote:

On 05/03/2018 at 16:30, Valeri Galtsev wrote:

Sorry, I missed the beginning of this thread. This sounds to me like
running one's own Certification Authority. I did that a while ago for
over a decade. However, these days one may consider

https://letsencrypt.org/

- you will have to run web server to have certificate signed by them,
but pointing other services to use that same certificate/secret key pair
will work.


I do use LetsEncrypt for all my public certificates. But I can't use it
on a local machine with a hostname like server.company.lan. This is
simply not possible.


Yes, it is not. They do verify on a publicly accessible server that that 
host is the one you have access to, and certainly no CA authority will 
sign a certificate for private address space. I missed the beginning of 
the thread which was edited away from what I was replying to...


Valeri



Niki



--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Nicolas Kovacs
On 05/03/2018 at 16:30, Valeri Galtsev wrote:
> Sorry, I missed the beginning of this thread. This sounds to me like
> running one's own Certification Authority. I did that a while ago for
> over a decade. However, these days one may consider
> 
> https://letsencrypt.org/
> 
> - you will have to run web server to have certificate signed by them,
> but pointing other services to use that same certificate/secret key pair
> will work.

I do use LetsEncrypt for all my public certificates. But I can't use it
on a local machine with a hostname like server.company.lan. This is
simply not possible.

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Valeri Galtsev



On 03/05/18 08:34, Bill Gee wrote:


On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:

On 05.03.2018 at 13:04, Nicolas Kovacs wrote:

On 28/02/2018 at 22:23, Nicolas Kovacs wrote:

So far, I've only been able to filter HTTP.

Do any of you do transparent HTTPS filtering ? Any suggestions,
advice, caveats, do's and don'ts ?


After a week of trial and error, transparent HTTPS filtering works
perfectly. I wrote a detailed blog article about it.

https://blog.microlinux.fr/squid-https-centos/


I wonder if this works with all https enabled sites? Chrome has
capabilities hardcoded to check google certificates. Certificate
Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
the end node to identify MITM. I hope that such setup will be impractical
in the near future.

About your legal requirements; Weighing is what courts daily do. So,
such requirements are not asking you to destroy the integrity and
confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
Ports are the way to go.

--
LF


Although not really related to CentOS, I do have some thoughts on this.  I
used to work in the IT department of a public library.  One of the big
considerations at a library is patron privacy.  We went to great lengths to
NOT record what web sites were visited by our patrons.  We also deny requests
from anyone to find out what books a patron has checked out.


I bet, your servers never embedded links to anything external. If it is 
external link, it is requested to open in new browser window. No part of 
the page should need external (not living on our server) content. That 
was the way we did it since forever.


It sounds like I will have to fight soon against "google-analytics" 
glued into each page of our websites. It is amazing that people who have 
no knowledge rule technical aspects of IT in many places...


Valeri



The library is required by law to provide web filtering, mainly because we
have public-use computers which are used by children.  For http this is easy.
Https is, as this discussion reveals, a different animal.

We started to set up a filter which would run directly on our router (Juniper
SRX-series) using EWF software.  It quickly became apparent that any kind of
https filtering requires a MITM attack.  We were basically decrypting the
patron's web traffic on our router, then encrypting it again with a different
cert.

When we realized what it would take, we had a HUGE internal discussion about
how to proceed.  Yeah, the lawyers were all over it!  In the end we decided to
not attempt to filter https traffic except by whatever was not encrypted.
Basically that means web site names.

Our test case was the Playboy web site.  They are available on https, but they
do not automatically redirect http to https.  If you open playboy [dot] com
with no protocol specified, it goes over http.  Our existing filter blocked
that.  However, if you open https[colon]// playboy [dot] com, it goes straight
in.  The traffic never goes over http, so the filter on the router never
processes it.

Security by obscurity ...  It was the best we could do without violating our
own policies on patron privacy.



--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Valeri Galtsev



On 03/05/18 07:23, Leon Fauster wrote:

On 05.03.2018 at 13:04, Nicolas Kovacs wrote:


On 28/02/2018 at 22:23, Nicolas Kovacs wrote:

So far, I've only been able to filter HTTP.

Do any of you do transparent HTTPS filtering ? Any suggestions,
advice, caveats, do's and don'ts ?


After a week of trial and error, transparent HTTPS filtering works
perfectly. I wrote a detailed blog article about it.

https://blog.microlinux.fr/squid-https-centos/



I wonder if this works with all https enabled sites? Chrome has
capabilities hardcoded to check google certificates.


Google, huh ;-( see below...


Certificate
Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
the end node to identify MITM. I hope that such setup will be impractical
in the near future.

About your legal requirements; Weighing is what courts daily do. So,
such requirements are not asking you to destroy the integrity and
confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
Ports are the way to go.


I would add avoiding google and all google products by all means to the 
above list ;-)


valeri



--
LF





--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Vitalino Victor
The certificate should have *CA:true* set to act as a CA for dynamic signing
of certificates by Squid.

Most probably, Let's Encrypt will ignore this constraint in the CSR.

2018-03-05 12:33 GMT-03:00 Chris Adams :

> Once upon a time, Valeri Galtsev  said:
> > https://letsencrypt.org/
> >
> > - you will have to run web server to have certificate signed by
> > them
>
> Not necessarily - we do most of our Let's Encrypt validation with DNS
> rather than HTTP.
> --
> Chris Adams 


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Chris Adams
Once upon a time, Valeri Galtsev  said:
> https://letsencrypt.org/
> 
> - you will have to run web server to have certificate signed by
> them

Not necessarily - we do most of our Let's Encrypt validation with DNS
rather than HTTP.
-- 
Chris Adams 


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Valeri Galtsev



On 03/05/18 06:34, Nicolas Kovacs wrote:

On 05/03/2018 at 13:30, Nux! wrote:

You could probably just drop your CA cert in the filesystem and run a
couple of commands to get it imported, rather than having to import
the CA in the browsers individually. You could probably deliver it
via yum/rpm or better yet, ansible or even some shell script.


I will have to use this in environments with mainly Windows, OS X and
iOS clients. I'm still thinking about how to do this, but I guess I'll
just setup a local web page on the server, with a link to download the
certificate file and short instructions on how to install it on the most
common browsers (Internet Explorer, Edge, Firefox, Chrome, Safari, ...).


Sorry, I missed the beginning of this thread. This sounds to me like 
running one's own Certification Authority. I did that a while ago for 
over a decade. However, these days one may consider


https://letsencrypt.org/

- you will have to run web server to have certificate signed by them, 
but pointing other services to use that same certificate/secret key pair 
will work.


Just my $0.02

Valeri



Niki



--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Vitalino Victor
Starting with version 3.5 of Squid, a new feature named "*SslBump Peek and
Splice*" was introduced.

With this functionality, Squid is able to intercept HTTPS traffic
transparently (with exceptions, of course).

In this manner, Squid, with peek, is able to log HTTPS traffic and apply
directives like dstdomain to HTTPS traffic without the need for a self-signed CA.

This feature of Squid is the same functionality available on appliances
like Sonicwall, Fortigate, Checkpoint, etc.

An example of config:

http_port 80 intercept
https_port 443 intercept ssl-bump cert=/etc/squid3/ssl/ca/intermediate/certs/wilcard.pem key=/etc/squid3/ssl/ca/intermediate/private/wildcard.key generate-host-certificates=off version=4 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
cache_log /var/log/squid3/cache.log
access_log daemon:/var/log/squid3/access.log squid
netdb_filename stdio:/var/log/squid3/netdb.state
sslcrtd_program /usr/libexec/ssl_crtd -s /var/log/squid3/ssl_db -M 4MB
sslcrtd_children 1 startup=1 idle=1
cache_effective_user proxy
cache_effective_group proxy
pinger_enable off
dns_v4_first on
acl HTTPS dstdomain "/etc/squid3/https"
acl BLOCK url_regex "(torrent)|sex(y|o)"
cache deny all
ssl_bump bump HTTPS
ssl_bump splice all
http_access deny BLOCK
http_access allow all


PS: the use of "ssl-bump" is only to satisfy the Squid parser.

Further clarification: https://wiki.squid-cache.org/Features/SslPeekAndSplice

Att,

2018-03-05 11:34 GMT-03:00 Bill Gee :

>
> On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
> > On 05.03.2018 at 13:04, Nicolas Kovacs wrote:
> > > On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
> > >> So far, I've only been able to filter HTTP.
> > >>
> > >> Do any of you do transparent HTTPS filtering ? Any suggestions,
> > >> advice, caveats, do's and don'ts ?
> > >
> > > After a week of trial and error, transparent HTTPS filtering works
> > > perfectly. I wrote a detailed blog article about it.
> > >
> > > https://blog.microlinux.fr/squid-https-centos/
> >
> > I wonder if this works with all https enabled sites? Chrome has
> > capabilities hardcoded to check google certificates. Certificate
> > Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
> > the end node to identify MITM. I hope that such setup will be impractical
> > in the near future.
> >
> > About your legal requirements; Weighing is what courts daily do. So,
> > such requirements are not asking you to destroy the integrity and
> > confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
> > Ports are the way to go.
> >
> > --
> > LF
>
> Although not really related to CentOS, I do have some thoughts on this.  I
> used to work in the IT department of a public library.  One of the big
> considerations at a library is patron privacy.  We went to great lengths to
> NOT record what web sites were visited by our patrons.  We also deny
> requests
> from anyone to find out what books a patron has checked out.
>
> The library is required by law to provide web filtering, mainly because we
> have public-use computers which are used by children.  For http this is
> easy.
> Https is, as this discussion reveals, a different animal.
>
> We started to set up a filter which would run directly on our router
> (Juniper
> SRX-series) using EWF software.  It quickly became apparent that any kind
> of
> https filtering requires a MITM attack.  We were basically decrypting the
> patron's web traffic on our router, then encrypting it again with a
> different
> cert.
>
> When we realized what it would take, we had a HUGE internal discussion
> about
> how to proceed.  Yeah, the lawyers were all over it!  In the end we
> decided to
> not attempt to filter https traffic except by whatever was not encrypted.
> Basically that means web site names.
>
> Our test case was the Playboy web site.  They are available on https, but
> they
> do not automatically redirect http to https.  If you open playboy [dot] com
> with no protocol specified, it goes over http.  Our existing filter blocked
> that.  However, if you open https[colon]// playboy [dot] com, it goes
> straight
> in.  The traffic never goes over http, so the filter on the router never
> processes it.
>
> Security by obscurity ...  It was the best we could do without violating
> our
> own policies on patron privacy.
>
> --
> Bill Gee
>
>
>
>
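Leon Fauster's point earlier in the thread (the "server_name" extension of RFC 6066 names the requested site in clear text) and Vitalino Victor's post above (Squid's peek-and-splice mode applies dstdomain rules to HTTPS without a private CA) rest on the same mechanism: reading the SNI out of the TLS ClientHello before any encryption happens. The following is an added example, not code from the list posts or from Squid. It constructs a sample ClientHello, extracts the host name from the SNI extension without touching any encrypted payload, and applies a block decision using the leading-dot matching that Squid's dstdomain ACL documents (approximated here, not Squid's own code). The ClientHello bytes, the domain list and every function name are constructed for this example.

```python
"""Extract the TLS SNI (server_name, RFC 6066) from a ClientHello without
decrypting anything, then apply a Squid-dstdomain-style filtering decision.
Added example; the ClientHello and domain list below are constructed."""
import struct

SNI_EXTENSION_TYPE = 0  # server_name extension, RFC 6066 section 3
HOST_NAME = 0           # NameType.host_name


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry.
    Constructed sample input for this example, not captured traffic."""
    name = hostname.encode("ascii")
    server_name = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + b"\x11" * 32                   # random (constructed filler)
        + b"\x00"                        # session_id: empty
        + b"\x00\x04\xc0\x2f\x00\x9c"    # cipher_suites: two suites (4 bytes)
        + b"\x01\x00"                    # compression_methods: null only
        + extensions
    )
    # Handshake header: msg_type client_hello(1) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type handshake(22), version, 16-bit length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None when the record
    is not a ClientHello, carries no SNI, or is truncated/malformed."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                               # skip version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                            # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == HOST_NAME and len(name) == name_len:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def dstdomain_match(host: str, patterns) -> bool:
    """Approximation of Squid dstdomain semantics: '.example.com' matches the
    domain itself and any subdomain, a bare 'example.com' only that host."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def decide(record: bytes, blocked) -> str:
    """Map a ClientHello to a Squid-style action: 'terminate' for a blocked
    name, 'splice' (pass through untouched) otherwise. A missing SNI is a
    policy choice; this example leaves such connections spliced."""
    sni = extract_sni(record)
    if sni is None:
        return "splice"
    return "terminate" if dstdomain_match(sni, blocked) else "splice"


if __name__ == "__main__":
    blocklist = [".example.net"]                   # constructed sample list
    for host in ("www.example.com", "tracker.example.net"):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), decide(hello, blocklist))
```

Two caveats worth keeping in mind when building a filter on this. The SNI is supplied by the client and is not authenticated by anything in the handshake, so a name that is absent or does not match the certificate later presented is something the policy has to decide about, which is why `decide` treats "no SNI" explicitly rather than by accident. And because nothing here decrypts, the filter sees only the host name, never the path, which is exactly the trade-off the library discussion above describes.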


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Bill Gee

On Monday, March 5, 2018 7:23:53 AM CST Leon Fauster wrote:
> On 05.03.2018 at 13:04, Nicolas Kovacs wrote:
> > On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
> >> So far, I've only been able to filter HTTP.
> >> 
> >> Do any of you do transparent HTTPS filtering ? Any suggestions,
> >> advice, caveats, do's and don'ts ?
> > 
> > After a week of trial and error, transparent HTTPS filtering works
> > perfectly. I wrote a detailed blog article about it.
> > 
> > https://blog.microlinux.fr/squid-https-centos/
> 
> I wonder if this works with all https enabled sites? Chrome has
> capabilities hardcoded to check google certificates. Certificate
> Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
> the end node to identify MITM. I hope that such setup will be impractical
> in the near future.
> 
> About your legal requirements; Weighing is what courts daily do. So,
> such requirements are not asking you to destroy the integrity and
> confidentiality >95% of users activity. Blocking Routing, DNS, IPs,
> Ports are the way to go.
> 
> --
> LF

Although not really related to CentOS, I do have some thoughts on this.  I 
used to work in the IT department of a public library.  One of the big 
considerations at a library is patron privacy.  We went to great lengths to 
NOT record what web sites were visited by our patrons.  We also deny requests 
from anyone to find out what books a patron has checked out.  

The library is required by law to provide web filtering, mainly because we 
have public-use computers which are used by children.  For http this is easy.  
Https is, as this discussion reveals, a different animal.

We started to set up a filter which would run directly on our router (Juniper 
SRX-series) using EWF software.  It quickly became apparent that any kind of 
https filtering requires a MITM attack.  We were basically decrypting the 
patron's web traffic on our router, then encrypting it again with a different 
cert.  

When we realized what it would take, we had a HUGE internal discussion about 
how to proceed.  Yeah, the lawyers were all over it!  In the end we decided to 
not attempt to filter https traffic except by whatever was not encrypted.  
Basically that means web site names.

Our test case was the Playboy web site.  They are available on https, but they 
do not automatically redirect http to https.  If you open playboy [dot] com 
with no protocol specified, it goes over http.  Our existing filter blocked 
that.  However, if you open https[colon]// playboy [dot] com, it goes straight 
in.  The traffic never goes over http, so the filter on the router never 
processes it.

Security by obscurity ...  It was the best we could do without violating our 
own policies on patron privacy.

-- 
Bill Gee






Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Leon Fauster
On 05.03.2018 at 13:04, Nicolas Kovacs wrote:
> 
> On 28/02/2018 at 22:23, Nicolas Kovacs wrote:
>> So far, I've only been able to filter HTTP.
>> 
>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>> advice, caveats, do's and don'ts ?
> 
> After a week of trial and error, transparent HTTPS filtering works
> perfectly. I wrote a detailed blog article about it.
> 
> https://blog.microlinux.fr/squid-https-centos/


I wonder if this works with all https enabled sites? Chrome has 
capabilities hardcoded to check google certificates. Certificate 
Transparency, HTTP Public Key Pinning, CAA DNS are also supporting
the end node to identify MITM. I hope that such setup will be impractical
in the near future. 

About your legal requirements; Weighing is what courts daily do. So, 
such requirements are not asking you to destroy the integrity and 
confidentiality >95% of users activity. Blocking Routing, DNS, IPs, 
Ports are the way to go. 

--
LF


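Leon's point that pinning lets the endpoint spot a MITM has an important qualifier for this thread. The block below is an added example, not code from the list or from any browser or Squid: it models HTTP Public Key Pinning (RFC 7469) with stand-in byte strings in place of real SubjectPublicKeyInfo DER (every `*_SPKI` constant and `sample_pkp_header()` are constructed), parses a `Public-Key-Pins` header, and checks a chain against the remembered pins. It also models the rule in RFC 7469 section 2.6 that a user agent may skip pin validation when the chain ends at a user-installed trust anchor, which browsers do and which is exactly why importing the Squid CA into every client makes the interception work; the `root_is_builtin` flag is this example's own way of expressing that.

```python
"""Pin validation in the style of HTTP Public Key Pinning (RFC 7469).

Added example: shows why a pinned client rejects a chain minted by an
interception proxy, and why the check is skipped when that proxy's CA was
installed locally. SPKI blobs below are constructed stand-ins, not real keys.
"""
import base64
import hashlib
import re

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')
_MAX_AGE_RE = re.compile(r"max-age=(\d+)")


def spki_pin(spki_der):
    """RFC 7469 pin: base64 of SHA-256 over the SubjectPublicKeyInfo DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value):
    """Parse a Public-Key-Pins header value into (pins, max_age)."""
    pins = set(_PIN_RE.findall(value))
    m = _MAX_AGE_RE.search(value)
    return pins, (int(m.group(1)) if m else 0)


def chain_matches_pins(chain_spkis, pins):
    """Pass if any SPKI in the validated chain matches a remembered pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)


# Constructed sample "keys": byte strings standing in for SPKI DER.
SITE_LEAF_SPKI = b"constructed-spki:site-leaf"
SITE_CA_SPKI = b"constructed-spki:public-ca"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
PROXY_LEAF_SPKI = b"constructed-spki:proxy-minted-leaf"
PROXY_CA_SPKI = b"constructed-spki:interception-ca"


def sample_pkp_header():
    """Header the genuine site would send: one live pin plus the required backup."""
    return 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
        spki_pin(SITE_CA_SPKI), spki_pin(BACKUP_SPKI))


def check_connection(chain_spkis, remembered_header, root_is_builtin):
    """Verdict for a new connection to a host whose pins were remembered earlier.

    root_is_builtin is False when the chain validated to a user-installed
    anchor; RFC 7469 section 2.6 lets the UA skip pin validation in that case,
    and browsers do, which is what makes a locally trusted proxy CA work.
    """
    pins, max_age = parse_pkp_header(remembered_header)
    if len(pins) < 2 or max_age <= 0:
        return "no-pins"                 # RFC 7469 needs a backup pin to be valid
    if not root_is_builtin:
        return "skipped-private-anchor"
    return "ok" if chain_matches_pins(chain_spkis, pins) else "pin-failure"


if __name__ == "__main__":
    hdr = sample_pkp_header()
    print("genuine chain:", check_connection([SITE_LEAF_SPKI, SITE_CA_SPKI], hdr, True))
    print("proxy chain, public root:", check_connection([PROXY_LEAF_SPKI, PROXY_CA_SPKI], hdr, True))
    print("proxy chain, local root:", check_connection([PROXY_LEAF_SPKI, PROXY_CA_SPKI], hdr, False))
```

The same private-anchor exemption applies to Chrome's built-in pins for Google domains, so a proxy CA the user installed does not trip them either; what the pins and Certificate Transparency do defeat is an interceptor whose certificates chain to a publicly trusted root. Chrome later dropped HPKP support altogether (removed in Chrome 72, early 2019), so of the mechanisms Leon lists, CT and CAA are the ones still in play.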


Re: [CentOS] Addind kmail to EPEL

2018-03-05 Thread Nicolas Kovacs
Le 04/03/2018 à 02:45, Yves Bellefeuille a écrit :
> I finally decided to move from CentOS 6 to CentOS 7, but was surprised
> to see that kmail is no longer included: Red Hat deliberately decided
> to omit it.

Probably because it's too buggy. I've been using Kmail for a few years
under KDE 3.x, but after that, the KDE developers simply couldn't get
their act together, and every new Kmail version got worse than the
previous one.

Cheers from a KDE + Thunderbird user.

:o)

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Nicolas Kovacs
Le 05/03/2018 à 13:30, Nux! a écrit :
> You could probably just drop your CA cert in the filesystem and run a
> couple of commands to get it imported, rather than having to import
> the CA in the browsers individually. You could probably deliver it
> via yum/rpm or better yet, ansible or even some shell script.

I will have to use this in environments with mainly Windows, OS X and
iOS clients. I'm still thinking about how to do this, but I guess I'll
just set up a local web page on the server, with a link to download the
certificate file and short instructions on how to install it on the most
common browsers (Internet Explorer, Edge, Firefox, Chrome, Safari, ...).

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Nux!
Nice, thanks for sharing.

You could probably just drop your CA cert in the filesystem and run a couple of 
commands to get it imported, rather than having to import the CA in the 
browsers individually. 
You could probably deliver it via yum/rpm or better yet, ansible or even some 
shell script.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Nicolas Kovacs" 
> To: "CentOS mailing list" 
> Sent: Monday, 5 March, 2018 12:04:59
> Subject: Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

> Le 28/02/2018 à 22:23, Nicolas Kovacs a écrit :
>> So far, I've only been able to filter HTTP.
>> 
>> Do any of you do transparent HTTPS filtering ? Any suggestions,
>> advice, caveats, do's and don'ts ?
> 
> After a week of trial and error, transparent HTTPS filtering works
> perfectly. I wrote a detailed blog article about it.
> 
> https://blog.microlinux.fr/squid-https-centos/
> 
> Cheers,
> 
> Niki
> 
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : i...@microlinux.fr
> Tél. : 04 66 63 10 32


Re: [CentOS] Squid and HTTPS interception on CentOS 7 ?

2018-03-05 Thread Nicolas Kovacs
Le 28/02/2018 à 22:23, Nicolas Kovacs a écrit :
> So far, I've only been able to filter HTTP.
> 
> Do any of you do transparent HTTPS filtering ? Any suggestions,
> advice, caveats, do's and don'ts ?

After a week of trial and error, transparent HTTPS filtering works
perfectly. I wrote a detailed blog article about it.

https://blog.microlinux.fr/squid-https-centos/

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32