Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread Amos Jeffries
On 3/02/2017 1:43 a.m., angelv wrote:
> On Thu, Feb 2, 2017 at 4:37 AM, Amos Jeffries wrote:
> 
>> On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
>>> So we can't even use the free certs from letsencrypt with Squid??
>>>
>>
>> Not for MITM / SSL-Bump no.
>>
>> The very first clause of the purchase contract for the LetsEncrypt CA is:
>>
>> "
>> By requesting, accepting, or using a Let’s Encrypt Certificate:
>>
>> * You warrant to ISRG and the public-at-large that You are the
>> legitimate registrant of the Internet domain name that is, or is going
>> to be, the subject of Your Certificate, or that You are the duly
>> authorized agent of such registrant.
>> "
>>
>> Meaning they can be used for explicit TLS-proxy or CDN reverse-proxy only.
>>
>> If you have just used LetsEncrypt certs because of the hype about being
>> cheap, easy and everyone else is saying it's good, I think it well worth
>> your time going to their site and reading that contract to which you
>> have bound your network.
>>
>> For networks outside North America there are some legal implications
>> about signing judicial authority and your users' method of legal redress
>> over to the USA government.
>>
> 
> I have certificates for my sub-domain
> 
> for example:
> 
> Proxy.subdomain.domain.com
> 
> I have the following files issued by Letsencrypt:
> 
> ca.cer
> fullchain.cer
> proxy.subdomain.domain.com.cer
> proxy.subdomain.domain.com.conf
> proxy.subdomain.domain.com.csr
> proxy.subdomain.domain.com.key
> proxy.subdomain.domain.com.ssl.conf
> 
> Can you use it?
> How do I make them usable for the proxy?
> 

https_port 3128 \
  cert=/path/to/proxy.subdomain.domain.com.cer \
  key=/path/to/proxy.subdomain.domain.com.key \
  cafile=/path/to/fullchain.cer

That is all. No SSL-Bump or other config.

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread Amos Jeffries
On 2/02/2017 9:49 p.m., Odhiambo Washington wrote:
> So we can't even use the free certs from letsencrypt with Squid??
> 

Not for MITM / SSL-Bump no.

The very first clause of the purchase contract for the LetsEncrypt CA is:

"
By requesting, accepting, or using a Let’s Encrypt Certificate:

* You warrant to ISRG and the public-at-large that You are the
legitimate registrant of the Internet domain name that is, or is going
to be, the subject of Your Certificate, or that You are the duly
authorized agent of such registrant.
"

Meaning they can be used for explicit TLS-proxy or CDN reverse-proxy only.

If you have just used LetsEncrypt certs because of the hype about being
cheap, easy and everyone else is saying it's good, I think it well worth
your time going to their site and reading that contract to which you
have bound your network.

For networks outside North America there are some legal implications
about signing judicial authority and your users' method of legal redress
over to the USA government.

Amos



Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread Odhiambo Washington
So we can't even use the free certs from letsencrypt with Squid??

On 2 February 2017 at 11:35, FredB wrote:

>
> From: http://wiki.squid-cache.org/Features/DynamicSslCert
>
> "In theory, you must either import your root certificate into browsers or
> instruct users on how to do that. Unfortunately, it is apparently a common
> practice among well-known Root CAs to issue subordinate root certificates.
> If you have obtained such a subordinate root certificate from a Root CA
> already trusted by your users, you do not need to import your certificate
> into browsers. However, going down this path may result in removal of the
> well-known Root CA certificate from browsers around the world. Such a
> removal will make your local SslBump-based infrastructure inoperable until
> you import your certificate, but that may only be the beginning of your
> troubles. Will the affected Root CA go after you to recoup their world-wide
> damages? What will your users do when they learn that you have been
> decrypting their traffic without their consent?"
>
> The last sentence is ambiguous: the users can know, you can inform them
> that you have been decrypting their traffic.
> There is no difference (from the user's point of view I mean) between a
> well-known Root CA or a self-signed certificate with a CA injected by a
> local GPO.
>
> But in practice I don't know how you can do that, just "hello, I want a
> subordinate root certificate"?
>
> FredB
>



-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."


Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-02 Thread FredB

From: http://wiki.squid-cache.org/Features/DynamicSslCert

"In theory, you must either import your root certificate into browsers or 
instruct users on how to do that. Unfortunately, it is apparently a common 
practice among well-known Root CAs to issue subordinate root certificates. If 
you have obtained such a subordinate root certificate from a Root CA already 
trusted by your users, you do not need to import your certificate into 
browsers. However, going down this path may result in removal of the well-known 
Root CA certificate from browsers around the world. Such a removal will make 
your local SslBump-based infrastructure inoperable until you import your 
certificate, but that may only be the beginning of your troubles. Will the 
affected Root CA go after you to recoup their world-wide damages? What will 
your users do when they learn that you have been decrypting their traffic 
without their consent?" 

The last sentence is ambiguous: the users can know, you can inform them that
you have been decrypting their traffic.
There is no difference (from the user's point of view I mean) between a
well-known Root CA or a self-signed certificate with a CA injected by a local
GPO.

But in practice I don't know how you can do that, just "hello, I want a
subordinate root certificate"?

FredB  


Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-01 Thread Yuri Voinov
In three words:

Forget about it.

No one in the world permits you to do a Man-In-The-Middle attack hidden
from users.

CAs, in the event of such certificates, immediately include them in the list
of untrusted. And you can get problems, up to prison for a long time, for
violation of the privacy of users. In other words, users should be aware
that there is a proxy hacking HTTPS in front of them. All other tricks are
illegal, or at least contrary to ethics.

Forget about it.

I'm serious.

02.02.2017 3:10, Yuri Voinov wrote:
>
>
>
> 02.02.2017 2:58, angelv wrote:
>> Hi,
>>
>> I need your advice.
>>
>> I have a transparent proxy running with the self-generated
>> certificate 'myCA.pem'; as it is not signed by a valid entity, I
>> have to import the 'myCA.der' certificate into all web browsers ...
>>
>> I want to know where I can buy a valid certificate that work in Squid.
> Nowhere. Due to CA's CPS.
>>
>> PD:
>> The proxy is working great
>>
>>
>> --
>> Important information for clarity (FreeBSD, squid-3.5.23 and PF):
>>
>> Create self-signed certificate for Squid server
>>
>> # openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509
>> -extensions v3_ca -keyout myCA.pem  -out
>> /usr/local/etc/squid/ssl_cert/myCA.pem -config
>> /usr/local/etc/squid/ssl_cert/openssl.cnf
>>
>> # openssl dhparam -outform PEM -out
>> /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
>>
>> Create a DER-encoded certificate to import into users' browsers
>>
>> # openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform
>> DER -out /usr/local/etc/squid/ssl_cert/myCA.der
>>
>>
>> # edit /usr/local/etc/squid/squid.conf
>> ...
>> # Squid normally listens to port 3128
>> http_port  3128
>>
>> # Intercept HTTPS CONNECT messages with SSL-Bump
>> #
>> http_port  3129 ssl-bump intercept \
>> cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>> dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
>> #
>> https_port 3130 ssl-bump intercept \
>> cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>> dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
>> #
>> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
>> /usr/local/etc/squid/ssl_db -M 4MB
>> #
>> acl step1 at_step SslBump1
>> #
>> ssl_bump peek step1
>> ssl_bump stare all
>> ssl_bump bump all
>> always_direct allow all
>> #
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> ...
>>
>> PF redirect the traffic to the Squid
>>
>> # edit /etc/pf.conf
>> ...
>> # Intercept HTTPS CONNECT messages with SSL-Bump
>> rdr pass on $int_if inet  proto tcp from any to port https \
>> -> 127.0.0.1 port 3130
>> rdr pass on $int_if inet6 proto tcp from any to port https \
>> -> ::1 port 3130
>> ...
>> --
>> -- 
>> Ángel Villa G.
>> US +1 (786) 233-9240 | CO +57 (300) 283-6546
>> ange...@gmail.com 
>> https://google.com/+AngelVillaG
>> https://angelcontents.blogspot.com
>>
>> "We are all atheists about most of the gods that societies have ever
>> believed in. Some of us just go one god further" - Richard Dawkins
>>
>>
>
> -- 
> Bugs to the Future

-- 
Bugs to the Future


0x613DEC46.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
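A worked check, added here by the editor and not part of any message in the thread, that makes the replies above concrete and also ties back to Amos's explicit-proxy answer at the top of the page. A self-signed root created with `-extensions v3_ca` (the poster's myCA.pem recipe) carries basicConstraints CA:TRUE and keyCertSign, so it can sign the per-site certificates ssl_crtd generates; a server certificate issued by a public CA (Let's Encrypt or a purchased one) carries CA:FALSE and no keyCertSign, so anything it signs is rejected by every client, including clients that trust the public CA. The script generates every certificate itself in a temporary directory: "Example Squid Root CA", "Example Public CA" and www.example.com are placeholder names, and `openssl` on PATH is assumed.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): can this certificate act as
# an SSL-Bump signing CA? All material is generated locally and discarded.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export SAN_NAME=unused   # placeholder; the config below expands ${ENV::SAN_NAME}

# Shared OpenSSL config: a CA profile (as the poster's `-extensions v3_ca`)
# and a server-leaf profile (what a public CA issues to a hostname).
cat > "$WORK/ssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::SAN_NAME}
EOF

# make_ca NAME OUTPREFIX: self-signed root, same recipe as the thread's myCA.pem
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$1" -config "$WORK/ssl.cnf" -extensions v3_ca \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# sign_leaf ISSUERPREFIX HOSTNAME OUTPREFIX: issue a server cert for HOSTNAME
# with ISSUER's key, which is what ssl_crtd does for every bumped site.
sign_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -config "$WORK/ssl.cnf" -keyout "$3.key" -out "$3.csr" 2>/dev/null
  SAN_NAME="$2"
  openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/ssl.cnf" -extensions v3_leaf \
    -out "$3.pem" 2>/dev/null
}

# is_ca CERT: true when the certificate's basicConstraints says CA:TRUE
is_ca() {
  openssl x509 -in "$1" -noout -text | sed -n '/Basic Constraints/{n;p;}' \
    | grep -q 'CA:TRUE'
}

# chain_ok ROOT ISSUER LEAF: would a client that trusts ROOT accept LEAF?
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Case 1: the poster's private root signs a bumped cert for a third-party site.
make_ca "Example Squid Root CA" "$WORK/myCA"
sign_leaf "$WORK/myCA" "www.example.com" "$WORK/bumped"

# Case 2: a public CA issues the proxy its own server certificate (the
# Let's Encrypt situation); the proxy then tries to sign a bumped cert with it.
make_ca "Example Public CA" "$WORK/publicCA"
sign_leaf "$WORK/publicCA" "proxy.subdomain.domain.com" "$WORK/proxy"
sign_leaf "$WORK/proxy" "www.example.com" "$WORK/forged"

if is_ca "$WORK/myCA.pem" && chain_ok "$WORK/myCA.pem" "$WORK/myCA.pem" "$WORK/bumped.pem"; then
  echo "myCA.pem: CA:TRUE, bumped cert verifies for clients that imported it"
fi
if chain_ok "$WORK/publicCA.pem" "$WORK/publicCA.pem" "$WORK/proxy.pem"; then
  echo "proxy.pem: valid for its own hostname, fine for an explicit https_port"
fi
if ! is_ca "$WORK/proxy.pem" && ! chain_ok "$WORK/publicCA.pem" "$WORK/proxy.pem" "$WORK/forged.pem"; then
  echo "proxy.pem: CA:FALSE, the cert it signed is rejected (invalid CA)"
fi
```

The second case is the whole answer in one run: the publicly issued certificate verifies cleanly for proxy.subdomain.domain.com, which is the explicit `https_port` use Amos describes, but the moment it is used as an issuer the chain fails, and nothing in squid.conf can change that because the refusal happens in the client's verifier. A browser would show the same failure for every bumped site, which is why the only working options are a private root imported into clients or a subordinate CA, and the latter is what the CA contracts quoted above rule out.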


Re: [squid-users] Buy Certificates for Squid 'man in the middle'

2017-02-01 Thread Yuri Voinov


02.02.2017 2:58, angelv wrote:
> Hi,
>
> I need your advice.
>
> I have a transparent proxy running with the self-generated
> certificate 'myCA.pem'; as it is not signed by a valid entity, I
> have to import the 'myCA.der' certificate into all web browsers ...
>
> I want to know where I can buy a valid certificate that work in Squid.
Nowhere. Due to CA's CPS.
>
> PD:
> The proxy is working great
>
>
> --
> Important information for clarity (FreeBSD, squid-3.5.23 and PF):
>
> Create self-signed certificate for Squid server
>
> # openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509
> -extensions v3_ca -keyout myCA.pem  -out
> /usr/local/etc/squid/ssl_cert/myCA.pem -config
> /usr/local/etc/squid/ssl_cert/openssl.cnf
>
> # openssl dhparam -outform PEM -out
> /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
>
> Create a DER-encoded certificate to import into users' browsers
>
> # openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER
> -out /usr/local/etc/squid/ssl_cert/myCA.der
>
>
> # edit /usr/local/etc/squid/squid.conf
> ...
> # Squid normally listens to port 3128
> http_port  3128
>
> # Intercept HTTPS CONNECT messages with SSL-Bump
> #
> http_port  3129 ssl-bump intercept \
> cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
> dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
> #
> https_port 3130 ssl-bump intercept \
> cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
> dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
> #
> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
> /usr/local/etc/squid/ssl_db -M 4MB
> #
> acl step1 at_step SslBump1
> #
> ssl_bump peek step1
> ssl_bump stare all
> ssl_bump bump all
> always_direct allow all
> #
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> ...
>
> PF redirect the traffic to the Squid
>
> # edit /etc/pf.conf
> ...
> # Intercept HTTPS CONNECT messages with SSL-Bump
> rdr pass on $int_if inet  proto tcp from any to port https \
> -> 127.0.0.1 port 3130
> rdr pass on $int_if inet6 proto tcp from any to port https \
> -> ::1 port 3130
> ...
> --
> -- 
> Ángel Villa G.
> US +1 (786) 233-9240 | CO +57 (300) 283-6546
> ange...@gmail.com 
> https://google.com/+AngelVillaG
> https://angelcontents.blogspot.com
>
> "We are all atheists about most of the gods that societies have ever
> believed in. Some of us just go one god further" - Richard Dawkins
>
>

-- 
Bugs to the Future

