-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I was shaking in my boots :))
While HTTPS bullshit - you can have nothing to fear. ;)
It's not me - Bruce's opinion. :)
05.02.2015 1:19, Daniel Greenwald wrote:
> squid beware, the pins and staples are coming
>
> ---
> Daniel I Gree
squid beware, the pins and staples are coming
---
Daniel I Greenwald
On Wed, Feb 4, 2015 at 1:03 PM, Yuri Voinov wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> 04.02.2015 21:39, Amos Jeffries wrote:
> > On 4/02/2015 7:32 p.m., Jason Haar wrote:
> >> On 04/02/15 1
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
04.02.2015 21:39, Amos Jeffries wrote:
> On 4/02/2015 7:32 p.m., Jason Haar wrote:
>> On 04/02/15 18:47, Daniel Greenwald wrote:
>>> And happens to be one that squid desperately needs to remain in order
>>> to continue ssl bumping..
>> ...and is one
On 4/02/2015 7:32 p.m., Jason Haar wrote:
> On 04/02/15 18:47, Daniel Greenwald wrote:
>> And happens to be one that squid desperately needs to remain in order
>> to continue ssl bumping..
> ...and is one that diminishes in value as cert pinning becomes more
> popular...
>
> It's a tough life: on
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
04.02.2015 9:16, Amos Jeffries wrote:
> On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
>
> > Now I have:
>
> > root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l 210
>
> > root and intermediate CA's. Most known I can found.
>
> > Note: all of th
On 04/02/15 18:47, Daniel Greenwald wrote:
> And happens to be one that squid desperately needs to remain in order
> to continue ssl bumping..
...and is one that diminishes in value as cert pinning becomes more
popular...
It's a tough life: on the one hand we want to do TLS intercept in order
to d
Amos Wrote:
The major well-known security flaw in the whole TLS/SSL system
is that any one of the Trusted CAs is capable of forging signatures on
other CAs' clients.
And happens to be one that squid desperately needs to remain in order to
continue ssl bumping..
---
Daniel I Greenwald
O
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 4/02/2015 7:50 a.m., Yuri Voinov wrote:
>
> Now I have:
>
> root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l 210
>
> root and intermediate CA's. Most known I can found.
>
> Note: all of them was wound in different places - in addition
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
04.02.2015 2:39, Eliezer Croitoru wrote:
> Hey Yuri,
>
> From what I remember before squid passes data into ssl_crtd can debug
the certificates of the requested sites.
> If you will record\log them you can run a script through them and find
the culpri
Hey Yuri,
From what I remember before squid passes data into ssl_crtd can debug
the certificates of the requested sites.
If you will record\log them you can run a script through them and find the
culprit pretty fast (relatively).
What debug sections have you tried using to debug it?
Since squid
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Now I have:
root @ cthulhu /etc/opt/csw/ssl/certs # ls -al *.pem|wc -l
210
root and intermediate CA's. Most known I can found.
Note: all of them was wound in different places - in addition with
Mozilla's bundle, shipped with OpenSSL.
How I can fo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
What about linking OpenSSL libraries into Squid? Like eCAP?
Or how to trace openssl calls anywhere else?
AFAIK, URL is passed to SSL_CRTD. Then return with result, right?
Why we can't add catch errors and log it with URL?
This unrecoverable error
On 4/02/2015 3:26 a.m., Yuri Voinov wrote: Hi gents,
>
> I think it will be good to add advanced debug options to ssl_crtd to avoid
> this:
>
> 2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
> connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknow
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi gents,
I think it will be good to add advanced debug options to ssl_crtd to avoid
this:
2015/02/03 20:21:37 kid1| clientNegotiateSSL: Error negotiating SSL
connection on FD 28: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca (1/
14 matches