>From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Stuart Henderson
>Sent: Tuesday, June 14, 2016 12:31 PM
>
>On 2016-06-14, Ted Wynnychenko <ted....@comcast.net> wrote:
>> This really isn't a big deal; but as more sites have started using https, and as
>> tools such as relayd and squid (and others?) have developed ways to "inject"
>> https certificates on the fly, I am wondering if there is a way to create https
>> certificates based solely on the requested URL in a connection attempt using an
>> internal CA to avoid the certificate errors with blocked HTTPS connections?
>
>How are you identifying connections to block?
I block connections based on a list from malwaredomains.com. A script runs nightly that downloads the list/changes, creates zone files, and reloads unbound/nsd. The "blocked" zone files point those domains at an internal (10.0.x.x) IP address.

-----

>From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Christopher Ahrens
>Sent: Tuesday, June 14, 2016 1:11 PM
>
>If all your internal clients trust a CA you control, just have it issue
>a certificate with a common name of * and install that cert onto your
>webserver. It's how we do MitM virus scanning at my day job.

I had tried this, but it did not seem to work. I tried again and created a certificate with a CN of * without success. Then I added a number of combinations of alternative names: DNS:*, DNS:*.*, DNS:*.*.*, etc.

None of these certificates are acceptable to Firefox, IE, or Safari. Firefox complains with the error:

SSL_ERROR_BAD_CERT_DOMAIN
"The certificate is only valid for the following names: *, *.*, *.*.*, *.*.*.*, *.*.*.*.*"

(This is just the most recent example; the same error appears with no SANs and with other SANs.)

From my looking, it appears that a certificate is only accepted by browsers with "one level" of domain wildcard present; so I am not sure how to get a certificate with a common name of * to be accepted for any/every domain.

Am I missing something?

Thanks
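As an added illustration (not code from this thread or from any of its posters), the Python below models the name-matching rule browsers apply to a certificate's DNS names, which is why a CN or SAN of `*`, `*.*`, `*.*.*` and so on is rejected: a wildcard is accepted only as the entire leftmost label, it matches exactly one label, and it must be followed by at least two literal labels. That rule set is my assumption, modelled on RFC 6125 section 6.4.3 and common browser practice; browsers also match against the SAN list rather than the CN, so `cert_valid_for` takes the SAN entries. The last function shows what an on-the-fly sinkhole certificate (the relayd/squid approach from the original question) should carry instead of a catch-all: the exact requested hostname, plus a one-level wildcard for its siblings when the name is deep enough for that to be accepted. Hostnames and SAN lists in the block are constructed sample values.

```python
"""Browser-style DNS name matching for certificate SANs (added example).

Rules implemented (an assumption modelled on RFC 6125 s.6.4.3 and browser
behaviour): a wildcard must be the whole leftmost label, matches exactly one
label, and must be followed by at least two literal labels. Hence '*', '*.*'
and '*.net' never match anything, while '*.example.net' matches exactly one
label under example.net.
"""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing dot (absolute form).
    return name.rstrip(".").lower()


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if "*" not in pattern:
        return plabels == hlabels            # literal name: label-by-label equality
    # Wildcard handling (assumed rules, see module docstring).
    if plabels[0] != "*":                    # 'w*' or 'w*w' as a label is rejected
        return False
    if any("*" in lbl for lbl in plabels[1:]):   # no wildcard below the top label
        return False
    if len(plabels) < 3:                     # '*' and '*.net' rejected outright
        return False
    if len(hlabels) != len(plabels):         # '*' spans exactly one label
        return False
    return hlabels[1:] == plabels[1:]


def cert_valid_for(san_entries, hostname: str) -> bool:
    """True if any DNS SAN entry on the certificate covers `hostname`."""
    return any(match_dns_name(p, hostname) for p in san_entries)


def names_for_sinkhole_cert(hostname: str):
    """SAN entries to mint for a per-host certificate on the sinkhole.

    Always the exact requested name; additionally a one-level wildcard for
    its parent when the parent still has at least two labels, so the same
    certificate can be reused for sibling hosts of the blocked domain.
    """
    host = _normalize(hostname)
    labels = host.split(".")
    names = [host]
    if len(labels) >= 3:
        names.append("*." + ".".join(labels[1:]))
    return names


# Constructed sample: the SAN list of the failing certificate from the thread.
CATCH_ALL_SANS = ["*", "*.*", "*.*.*", "*.*.*.*", "*.*.*.*.*"]

if __name__ == "__main__":
    for host in ["malware.example.net", "www.evil.example.org"]:
        print(host, "covered by catch-all SANs:", cert_valid_for(CATCH_ALL_SANS, host))
        minted = names_for_sinkhole_cert(host)
        print(host, "covered by minted", minted, ":", cert_valid_for(minted, host))
```

Running the block prints `False` for every host against the catch-all SAN list and `True` against the per-host names, which is the behaviour Firefox's SSL_ERROR_BAD_CERT_DOMAIN message reflects: the certificate presented must name the host being visited, one label at a time.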