Re: [squid-users] SSL Bump and dynamic SSL generation

On 13/05/2014 5:11 a.m., Tom Holder wrote:
> I haven't investigated exactly, however, I'm guessing it's simply not
> trying to mimic the original SSL and is just generating one that is
> 'good-enough'. For my purposes, good enough is erm, good enough.

Exactly so.

Amos
Re: [squid-users] SSL Bump and dynamic SSL generation

Hi Amos,

Thanks for that. Yes I understand the legalities, this isn't to 'forge'
anything. The users are well aware they're not looking at the real sites.
The CA will be installed on their systems and they will have to agree to
it.

The issue is that the browser is complaining that the CN does not match
because my local web server that represents ANY site has a catch-all CN.
Therefore I'm trying to determine a way to generate the correct CN before
Squid tries to bump the SSL so that the CN is nearly correct. The
certificates I generate don't need to look like the original because I'm
not trying to trick anyone, they just need not to error in the browser.

Thanks,
Tom

On Mon, May 12, 2014 at 5:39 AM, Amos Jeffries squ...@treenet.co.nz wrote:
> One of the built-in problems with forgery is that one must have an
> original to work from in order to get even a vague resemblance of
> correctness.
>
> Don't fool yourself into thinking SSL-bump is anything other than
> high-tech forgery of the website owner's security credentials.
>
> OR ... with a blind individual doing the checking it does not matter.
>
> (Un)luckily the system design for SSL and TLS as widely used today
> places a huge blindfold (the trusted CA set) on the client software. So
> all one has to do is install the signing CA for the forged certificates
> as one of those CA and most anything becomes possible.
>
> ... check carefully the legalities of doing this before doing anything.
> In some places even experimenting is a criminal offence.
>
> Amos

--
Tom Holder
Systems Architect
Follow me on: [Twitter] [Linked In]
www.Simpleweb.co.uk
Tel: 0117 922 0448
Simpleweb Ltd. Unit G, Albion Dockside Building, Hanover Place, Bristol, BS1 6UT
Simpleweb Ltd. is registered in England. Registration no: 5929003 : V.A.T. registration no: 891600913
Re: [squid-users] SSL Bump and dynamic SSL generation

Tom,

If your proxy users and computers are members of an Active Directory
Domain, you might want to use your existing internal AD public key
infrastructure. The reason for this is that domain computers already
trust the CA of your AD. I can explain the setup a little bit if this is
the kind of IT environment you have. The main advantage of this setup is
you don't need to install a self-signed CA by squid in each computer.

Jay

On Mon, May 12, 2014 at 2:41 PM, Tom Holder t...@simpleweb.co.uk wrote:
> Hi Amos,
>
> Thanks for that. Yes I understand the legalities, this isn't to 'forge'
> anything. The users are well aware they're not looking at the real
> sites. The CA will be installed on their systems and they will have to
> agree to it.
>
> The issue is that the browser is complaining that the CN does not match
> because my local web server that represents ANY site has a catch-all
> CN. Therefore I'm trying to determine a way to generate the correct CN
> before Squid tries to bump the SSL so that the CN is nearly correct.
> The certificates I generate don't need to look like the original
> because I'm not trying to trick anyone, they just need not to error in
> the browser.
>
> Thanks,
> Tom
Re: [squid-users] SSL Bump and dynamic SSL generation

I for one would welcome you explaining this set up a little bit.
Definitely relevant to my interests.

Thanks!

Dan

On 12 May 2014, at 4:56 pm, Jay Jimenez j...@integralvox.com wrote:
> Tom,
>
> If your proxy users and computers are members of an Active Directory
> Domain, you might want to use your existing internal AD public key
> infrastructure. The reason for this is that domain computers already
> trust the CA of your AD. I can explain the setup a little bit if this
> is the kind of IT environment you have. The main advantage of this
> setup is you don't need to install a self-signed CA by squid in each
> computer.
>
> Jay
Re: [squid-users] SSL Bump and dynamic SSL generation

Hi,

change from server-first to client-first; and your issue is gone;

Walter

On Mon, May 12, 2014 08:41, Tom Holder wrote:
> Hi Amos,
>
> Thanks for that. Yes I understand the legalities, this isn't to 'forge'
> anything. The users are well aware they're not looking at the real
> sites. The CA will be installed on their systems and they will have to
> agree to it.
>
> The issue is that the browser is complaining that the CN does not match
> because my local web server that represents ANY site has a catch-all
> CN. Therefore I'm trying to determine a way to generate the correct CN
> before Squid tries to bump the SSL so that the CN is nearly correct.
> The certificates I generate don't need to look like the original
> because I'm not trying to trick anyone, they just need not to error in
> the browser.
>
> Thanks,
> Tom
Re: [squid-users] SSL Bump and dynamic SSL generation

Thanks Jay, it's not the CA I have an issue with, I can easily get that
installed.

On Mon, May 12, 2014 at 7:56 AM, Jay Jimenez j...@integralvox.com wrote:
> Tom,
>
> If your proxy users and computers are members of an Active Directory
> Domain, you might want to use your existing internal AD public key
> infrastructure. The reason for this is that domain computers already
> trust the CA of your AD. I can explain the setup a little bit if this
> is the kind of IT environment you have. The main advantage of this
> setup is you don't need to install a self-signed CA by squid in each
> computer.
>
> Jay
Re: [squid-users] SSL Bump and dynamic SSL generation

Dan,

Our browsers have very few and selected trusted CAs which are also stored
in our Trusted Root Certification Authorities.

Install an internal root CA by Microsoft Certificate Services and generate
the CA. After generating the CA certificate make sure that you roll out
the certificate via GPO:

  Computer Configuration > Windows Settings > Security Settings >
  Public Key Policies > Trusted Publishers

and add your cert to the Trusted Root Certification Authorities.

Once you have the root CA certificate installed in each computer, all
subordinate CAs will be trusted automatically. In this case, we plan to
have your squid box have a SUBORDINATE CA signed by your ROOT CA. (I hope
you see the chain of authority here.)

Go to your squid box and generate your .key file and certificate request
.csr:

  openssl genrsa -out yourkey.key 1024
  openssl req -new -key yourkey.key -out yourkey.csr

Copy the content of your .csr file to your root CA web enrollment service
(make sure the web enrollment is installed), choose advanced certificate
request. Paste the content of your .csr file and choose SUBORDINATE
Certification Authority.

Click submit and download the Base64 encoded certificate file (NOT the
DER encoded).

Use the downloaded .cer file and your .key file for your squid SSL bump.

Your SQUID now has the subordinate CA and any certificate generated by
Squid will be trusted automatically because the issuer of Squid's Sub CA
is your domain root CA.

*Our organization has an existing internal PKI that we're currently using
for our Microsoft NPS/802.1x. That keeps us out of the headache of
installing a new self-signed CA to each computer for Squid SSL bumping.

Regards,
Jay

On Mon, May 12, 2014 at 3:06 PM, Dan Charlesworth d...@getbusi.com wrote:
> I for one would welcome you explaining this set up a little bit.
> Definitely relevant to my interests.
>
> Thanks!
>
> Dan
Re: [squid-users] SSL Bump and dynamic SSL generation

Tom,

No problem. Make sure you have the latest version of Squid or at least
version 3.3 to use server-first.

Jay

On Mon, May 12, 2014 at 3:54 PM, Tom Holder t...@simpleweb.co.uk wrote:
> Thanks Jay, it's not the CA I have an issue with, I can easily get that
> installed.
Re: [squid-users] SSL Bump and dynamic SSL generation

Thanks Jay! Very informative.

Dan

On 12 May 2014, at 6:02 pm, Jay Jimenez j...@integralvox.com wrote:
> Dan,
>
> Our browsers have very few and selected trusted CAs which are also
> stored in our Trusted Root Certification Authorities.
>
> Install an internal root CA by Microsoft Certificate Services and
> generate the CA. After generating the CA certificate make sure that you
> roll out the certificate via GPO:
>
>   Computer Configuration > Windows Settings > Security Settings >
>   Public Key Policies > Trusted Publishers
>
> and add your cert to the Trusted Root Certification Authorities.
>
> Once you have the root CA certificate installed in each computer, all
> subordinate CAs will be trusted automatically. In this case, we plan to
> have your squid box have a SUBORDINATE CA signed by your ROOT CA. (I
> hope you see the chain of authority here.)
>
> Go to your squid box and generate your .key file and certificate
> request .csr:
>
>   openssl genrsa -out yourkey.key 1024
>   openssl req -new -key yourkey.key -out yourkey.csr
>
> Copy the content of your .csr file to your root CA web enrollment
> service (make sure the web enrollment is installed), choose advanced
> certificate request. Paste the content of your .csr file and choose
> SUBORDINATE Certification Authority.
>
> Click submit and download the Base64 encoded certificate file (NOT the
> DER encoded).
>
> Use the downloaded .cer file and your .key file for your squid SSL bump.
>
> Your SQUID now has the subordinate CA and any certificate generated by
> Squid will be trusted automatically because the issuer of Squid's Sub
> CA is your domain root CA.
>
> *Our organization has an existing internal PKI that we're currently
> using for our Microsoft NPS/802.1x. That keeps us out of the headache
> of installing a new self-signed CA to each computer for Squid SSL
> bumping.
>
> Regards,
> Jay
Re: [squid-users] SSL Bump and dynamic SSL generation

How exactly client-first helps in that?

Eliezer

On 05/12/2014 10:26 AM, Walter H. wrote:
> Hi,
>
> change from server-first to client-first; and your issue is gone;
>
> Walter
Re: [squid-users] SSL Bump and dynamic SSL generation

I haven't investigated exactly, however, I'm guessing it's simply not
trying to mimic the original SSL and is just generating one that is
'good-enough'. For my purposes, good enough is erm, good enough.

Tom

On Mon, May 12, 2014 at 6:01 PM, Eliezer Croitoru elie...@ngtech.co.il wrote:
> How exactly client-first helps in that?
>
> Eliezer
[squid-users] SSL Bump and dynamic SSL generation

Hi,

I've configured Squid 3 with SSL bump and dynamic SSL generation and it
works really well when I use it for just browsing the Internet. My problem
is I'm trying to 'mimic' a live web site and the server Squid is on does
not have access to the live Internet. E.g. site1.com doesn't actually go
to site1.com on the live Internet; I'm redirecting it to a local version
of site1.com.

The problem is dynamic SSL generation and SSL Bump requires connecting to
the real site1.com to grab the certificate. When it tries to connect to my
local site1.com there is just a generic SSL I've generated with the wrong
common name and this causes the browser to throw an SSL error.

Note, I'm not trying to do this for anything dodgy here, the custom CA is
installed into the end user's computer and this is not a transparent
proxy, it's only because the common name isn't matching that I'm getting
issues.

The only way around this I can think of without hacking squid (a
possibility but my C++ is poor), is to build something that hooks into the
rewrite connect method to generate a certificate myself, load it into the
web server and then my own local site1.com will have a correct cert.

Has anyone had a similar issue or managed to solve this? I might have
missed something in the docs but I don't think so and I realise this is a
bit of a strange request.

Thanks
Tom
Re: [squid-users] SSL Bump and dynamic SSL generation

On 11.05.2014 18:24, Tom Holder wrote:
> Hi,
>
> I've configured Squid 3 with SSL bump and dynamic SSL generation and it
> works really well when I use it for just browsing the Internet. My
> problem is I'm trying to 'mimic' a live web site and the server Squid
> is on does not have access to the live Internet. E.g. site1.com doesn't
> actually go to site1.com on the live Internet; I'm redirecting it to a
> local version of site1.com.
>
> The problem is dynamic SSL generation and SSL Bump requires connecting
> to the real site1.com to grab the certificate. When it tries to connect
> to my local site1.com there is just a generic SSL I've generated with
> the wrong common name and this causes the browser to throw an SSL
> error.

you'd have the same problem, without Squid, because then the browser
would try to connect with your fake site1.com; install on this site1.com
website a cert with correct CN, and everything works fine;
Re: [squid-users] SSL Bump and dynamic SSL generation

On 12/05/2014 9:42 a.m., Tom Holder wrote:
> Thanks for your help Walter, problem is, which I wasn't too clear about,
> site1.com was just an example. It could be any site that I don't
> previously know the address for. Therefore, the only thing I can think
> of is to dynamically generate a self-signed cert.

One of the built-in problems with forgery is that one must have an
original to work from in order to get even a vague resemblance of
correctness.

Don't fool yourself into thinking SSL-bump is anything other than
high-tech forgery of the website owner's security credentials.

OR ... with a blind individual doing the checking it does not matter.

(Un)luckily the system design for SSL and TLS as widely used today places
a huge blindfold (the trusted CA set) on the client software. So all one
has to do is install the signing CA for the forged certificates as one of
those CA and most anything becomes possible.

... check carefully the legalities of doing this before doing anything.
In some places even experimenting is a criminal offence.

Amos