Hello,
According to this chapter
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
I bought a signed certificate,
but no one accepts rsa:1024,
so I generated the key with rsa:2048.
After I got my crt from them
https_port 443 cert=/usr/newrprgate/CertAuth/signed.crt
yes you are right
What do you mean by specify -CAPath with trusted root CA's?
AFAIK,
you can't use a SERVER certificate (almost signed trusted CA) for SSL
bumping. You need a root CA exactly. A self-signed root CA.
12.01.2015 17:28, HackXBack wrote:
If it is a self-signed CA certificate + import to browser,
then it will work.
How does it not work when I found articles on Google saying that it works for
them,
like this one:
http://www.linuxquestions.org/questions/linux-server-73/ssl-intermediate-chain-warning-917476/
May I take a look at your squid.conf?
Looks like you incorrectly configured your proxy.
12.01.2015 17:07, HackXBack wrote:
I don't know where you are taking me, but my problem is not in any command!
I used a trusted cert that I got from a trusted CA
but
In this case the clear question is: what must the https_port line contain?
I don't know where you are taking me, but my problem is not in any command!
I used a trusted cert that I got from a trusted CA,
but when I use it in https_port the browser gives an error like I mentioned in
my first post.
Can you try to use openssl s_client?
An example:
openssl s_client -connect facebook.com:443
Eliezer
On 12/01/2015 11:41, HackXBack wrote:
Hello,
According to this chapter
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
I bought a signed certificate,
but no one
openssl s_client -connect facebook.com:443
CONNECTED(0003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High
Assurance CA-3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=CA/L=Menlo Park/O=Facebook,
openssl s_client -connect facebook.com:443 -CApath /var/squid/ssl_db/certs
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High
Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High
Assurance CA-3
If it is a self-signed CA certificate + import to browser,
then it will work.
But if it is a trusted CA cert, it gives me an error like I said in the first post.
Yep, openssl is ok and works.
12.01.2015 17:02, HackXBack wrote:
openssl s_client -connect facebook.com:443 -CApath /var/squid/ssl_db/certs
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
High
Are you using the command with facebook.com???
You should use your own server...
Eliezer
On 12/01/2015 13:02, HackXBack wrote:
openssl s_client -connect facebook.com:443 -CApath /var/squid/ssl_db/certs
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU =www.digicert.com, CN = DigiCert
Just to make sure I understand it right.
The certificate is for a reverse proxy?
Eliezer
On 12/01/2015 11:41, HackXBack wrote:
Hello,
According to this chapter
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
I bought a signed certificate,
but no one accepts rsa:1024
You need to specify -CAPath with trusted root CA's from openssl
installation to avoid error 20. :)
But looks like openssl connect works.
12.01.2015 16:50, HackXBack wrote:
openssl s_client -connect facebook.com:443
CONNECTED(0003)
depth=1 C
Yep :)
12.01.2015 17:53, Eliezer Croitoru wrote:
Hey,
This is not a reverse proxy...
It's an ssl-bump server, for which you cannot use any bought
certificate.
Eliezer
On 12/01/2015 13:20, HackXBack wrote:
https_port 3127 intercept
Hey,
This is not a reverse proxy...
It's an ssl-bump server, for which you cannot use any bought
certificate.
Eliezer
On 12/01/2015 13:20, HackXBack wrote:
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/CA.pem
Hey hack,
From the comments in the past I am unsure what you are after...
If you are using ssl-bump you should first learn about how ssl works and
about the differences between encrypted traffic and verification of a
public key.
I must admit that these topics are not marked as easy ones.
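
The distinction this thread arrives at (an ssl-bump port needs a CA certificate that can sign generated host certificates, which a purchased server certificate cannot do) can be checked with openssl before a file is placed in cert=. This is an added example, not part of the original messages; the function names, temporary files and demo certificates are constructed for illustration.

```shell
# Added example: function names and all certificates below are constructed.
# check_bump_cert CERT KEY prints "ok" when CERT is a CA certificate
# (basicConstraints CA:TRUE) and KEY is its private key, else the reason.
check_bump_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
    case $text in
        *CA:TRUE*) ;;                    # may sign other certificates
        *) echo not-a-ca; return 0 ;;    # ordinary server (leaf) certificate
    esac
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo key-mismatch; return 0
    fi
    echo ok
}

# make_demo_certs DIR: throwaway self-signed CA plus a server certificate
# signed by it (the latter stands in for a purchased certificate).
make_demo_certs() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Bump CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -config "$d/demo.cnf" -subj "/CN=proxy.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_demo_certs "$tmp"
echo "CA cert, CA key:         $(check_bump_cert "$tmp/ca.pem" "$tmp/ca.key")"
echo "server cert, server key: $(check_bump_cert "$tmp/leaf.pem" "$tmp/leaf.key")"
echo "CA cert, server key:     $(check_bump_cert "$tmp/ca.pem" "$tmp/leaf.key")"
rm -rf "$tmp"
```

For a combined PEM such as the /etc/squid/ssl_cert/CA.pem named in the thread, pass the same file as both arguments.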