Hey hack,
From the comments in the past I am unsure what you are after...
If you are using ssl-bump you should first learn about how ssl works and
about the differences between encrypted traffic and verification of a
public key.
I must admit that this topic is not marked as an easy one.
Since
how it didn't work while I found articles on Google saying that it works for
them
like this one:
http://www.linuxquestions.org/questions/linux-server-73/ssl-intermediate-chain-warning-917476/
--
View this message in context:
http://squid-web-proxy-cache.1019090.n4.nabble.com/ssl-cert-wiki-tp46690
On 13/01/2015 12:00 a.m., HackXBack wrote:
> in this case the clear question is what https_port line must
> contain ?
>
The basic config for a reverse proxy is supposed to be just this:
https_port 443 accel no-vhost \
defaultdomain=example.com
Yep :)
12.01.2015 17:53, Eliezer Croitoru wrote:
> Hey,
>
> This is not a reverse proxy...
> It's an ssl-bump server, and you cannot use any bought certificate
> for it.
>
> Eliezer
>
> On 12/01/2015 13:20, HackXBack wrote:
>> https_port 3127 inte
Hey,
This is not a reverse proxy...
It's an ssl-bump server, and you cannot use any bought certificate
for it.
Eliezer
On 12/01/2015 13:20, HackXBack wrote:
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/CA.pem
ke
AFAIK,
you can't use a SERVER certificate (almost signed trusted CA) for SSL
bumping. You need root CA exactly. Self-signed root CA.
12.01.2015 17:28, HackXBack wrote:
> if it is self-signed CA certificate + import to browser
> then it will worke
if it is self-signed CA certificate + import to browser
then it will work
but if it is a Trusted CA cert it is giving me an error like I said in the first post
Similar to my config. It is an HTTP/HTTPS interception proxy, right?
Try to create your own self-signed CA certificate (without CN field,
leave it empty), and try to connect via browser. Don't forget to install
public key from your certificate t
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/CA.pem
key=/etc/squid/ssl_cert/testkey.pem
http_port 3129
http_port 3128 intercept
where CA.pem is from trusted CA authorities
May I take a look at your squid.conf?
Looks like you configured your proxy incorrectly.
12.01.2015 17:07, HackXBack wrote:
> I don't know where you take me but my problem is not in any command!
> I used a trusted cert that I got from a trusted CA
> but w
I don't know where you take me but my problem is not in any command!
I used a trusted cert that I got from a trusted CA
but when I use it in https_port the browser gives an error like I mentioned in
my first post
Okay great, so what is my issue?
Are you using the command with facebook.com???
You should use your own server...
Eliezer
On 12/01/2015 13:02, HackXBack wrote:
openssl s_client -connect facebook.com:443 -CApath /var/squid/ssl_db/certs
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU =www.digicert.com, CN = DigiCert Hig
Yep, openssl is ok and works.
12.01.2015 17:02, HackXBack wrote:
> openssl s_client -connect facebook.com:443 -CApath /var/squid/ssl_db/certs
> CONNECTED(0003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High
> Assur
openssl s_client -connect facebook.com:443 -CApath /var/squid/ssl_db/certs
CONNECTED(0003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
in this case the clear question is what https_port line must contain?
http://i.imgur.com/uFKQz5b.png
You got an error 20 because your openssl client does not see any CA
certs.
To avoid that you need to specify CAs.
openssl s_client -connect facebook.com:443 -CApath
12.01.2015 16:55, HackXBack wrote:
> what you mea
what do you mean by specify -CAPath with trusted root CA's
You need to specify -CAPath with trusted root CA's from openssl
installation to avoid error 20. :)
But looks like openssl connect works.
12.01.2015 16:50, HackXBack wrote:
> openssl s_client -connect facebook.com:443
> CONNECTED(0003)
> depth=1
openssl s_client -connect facebook.com:443
CONNECTED(0003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=CA/L=Menlo Park/O=Facebook, Inc./C
Can you try to use openssl s_client?
an example:
"openssl s_client -connect facebook.com:443"
Eliezer
On 12/01/2015 11:41, HackXBack wrote:
Hello,
according to this chapter
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
I bought a signed certificate
but no one acc
yes you are right
Just to make sure I understand it right.
The certificate is for a reverse proxy?
Eliezer
On 12/01/2015 11:41, HackXBack wrote:
Hello,
according to this chapter
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
I bought a signed certificate
but no one accepts rsa:1024
s
Hello,
according to this chapter
http://wiki.squid-cache.org/ConfigExamples/Reverse/SslWithWildcardCertifiate
I bought a signed certificate
but no one accepts rsa:1024
so I generated the key with rsa:2048
after I got my crt from them
https_port 443 cert=/usr/newrprgate/CertAuth/signed.crt
key=/usr/