In three words: Forget about it.
No one in the world permits you to do a Man-In-The-Middle attack hidden from users. CAs, in the event of such certificates, immediately include them in the list of untrusted ones. And you can get into problems, up to prison for a long time, for violation of the privacy of users. In other words, users should be aware that there is a proxy hacking HTTPS in front of them. All other tricks are illegal, or at least contrary to ethics. Forget about it. I'm serious.

02.02.2017 3:10, Yuri Voinov wrote:
>
>
> 02.02.2017 2:58, angelv wrote:
>> Hi,
>>
>> I need your advice.
>>
>> I have a transparent proxy running with the self-generated
>> certificate 'myCA.pem'; as it is not signed by a valid entity, I
>> have to import the 'myCA.der' certificate in all web browsers ...
>>
>> I want to know where I can buy a valid certificate that works in Squid.
> Nowhere. Due to CA's CPS.
>>
>> PS:
>> The proxy is working great
>>
>>
>> ----------------------------------------------------------------------
>> Important information for clarity (FreeBSD, squid-3.5.23 and PF):
>>
>> Create self-signed certificate for Squid server
>>
>> # openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 \
>>   -extensions v3_ca \
>>   -keyout /usr/local/etc/squid/ssl_cert/myCA.pem \
>>   -out /usr/local/etc/squid/ssl_cert/myCA.pem \
>>   -config /usr/local/etc/squid/ssl_cert/openssl.cnf
>>
>> # openssl dhparam -outform PEM \
>>   -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
>>
>> Create a DER-encoded certificate to import into users' browsers
>>
>> # openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER \
>>   -out /usr/local/etc/squid/ssl_cert/myCA.der
>>
>>
>> # edit /usr/local/etc/squid/squid.conf
>> ...
>> # Squid normally listens to port 3128
>> http_port 3128
>>
>> # Intercept HTTPS CONNECT messages with SSL-Bump
>> #
>> http_port 3129 ssl-bump intercept \
>>   cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>>   dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
>> #
>> https_port 3130 ssl-bump intercept \
>>   cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>>   generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>>   dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
>> #
>> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB
>> #
>> acl step1 at_step SslBump1
>> #
>> ssl_bump peek step1
>> ssl_bump stare all
>> ssl_bump bump all
>> always_direct allow all
>> #
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> ...
>>
>> PF redirects the traffic to the Squid
>>
>> # edit /etc/pf.conf
>> ...
>> # Intercept HTTPS CONNECT messages with SSL-Bump
>> rdr pass on $int_if inet proto tcp from any to port https \
>>   -> 127.0.0.1 port 3130
>> rdr pass on $int_if inet6 proto tcp from any to port https \
>>   -> ::1 port 3130
>> ...
>> ----------------------------------------------------------------------
>> --
>> Ángel Villa G.
>> US +1 (786) 233-9240 | CO +57 (300) 283-6546
>> ange...@gmail.com
>> https://google.com/+AngelVillaG
>> https://angelcontents.blogspot.com
>>
>> "We are all atheists about most of the gods that societies have ever
>> believed in. Some of us just go one god further" - Richard Dawkins
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
> --
> Bugs to the Future

--
Bugs to the Future
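The ssl-bump fragment quoted in the thread carries two directives that matter more than the missing "valid" certificate: `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` make Squid accept any upstream certificate and re-sign it with the CA the users trust, so a bad or forged upstream certificate never reaches the browser, and `ssl_bump bump all` with no `splice` rule decrypts every site. The script below is an added example, not code from the post or from the Squid project: it writes the posted fragment and a hardened variant as constructed sample files and audits both. The exemption list name `nobump` and the server name `.example-bank.test` are placeholders; `ssl::server_name` and `ssl_bump splice` are real Squid 3.5 directives.

```shell
#!/bin/sh
# Added example (not from the post or the Squid project): audit a
# squid.conf ssl-bump fragment for settings that hide upstream
# certificate problems from users or decrypt every site unconditionally.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample 1: the directives as posted in the thread.
WEAK_CONF="$WORKDIR/weak.conf"
cat > "$WEAK_CONF" <<'EOF'
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
EOF

# Constructed sample 2: the same fragment hardened. The server-name
# exemption list (.example-bank.test) is a placeholder value.
HARDENED_CONF="$WORKDIR/hardened.conf"
cat > "$HARDENED_CONF" <<'EOF'
acl step1 at_step SslBump1
acl nobump ssl::server_name .example-bank.test
ssl_bump peek step1
ssl_bump splice nobump
ssl_bump stare all
ssl_bump bump all
always_direct allow all
# sslproxy_cert_error is left at its default (errors rejected) and no
# DONT_VERIFY_PEER is set: a bad upstream certificate ends the
# connection instead of being re-signed by the trusted CA.
EOF

# True if a directive matching the extended regex in $2 starts a line
# of file $1 (comment lines therefore never match).
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# Print each weak setting found in $1; return 1 if any, 0 if none.
audit_squid_conf() {
    conf="$1"
    found=0
    if has_directive "$conf" 'sslproxy_cert_error[[:space:]]+allow[[:space:]]+all'; then
        echo "WEAK: sslproxy_cert_error allow all - upstream cert errors are re-signed, browsers never see them"
        found=1
    fi
    if has_directive "$conf" 'sslproxy_flags[[:space:]]+.*DONT_VERIFY_PEER'; then
        echo "WEAK: sslproxy_flags DONT_VERIFY_PEER - upstream chains are not validated at all"
        found=1
    fi
    if has_directive "$conf" 'ssl_bump[[:space:]]+bump[[:space:]]+all' \
       && ! has_directive "$conf" 'ssl_bump[[:space:]]+splice'; then
        echo "WEAK: ssl_bump bump all with no splice rule - every site is decrypted, nothing exempted"
        found=1
    fi
    return $found
}

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    if audit_squid_conf "$f"; then
        echo "no weak ssl-bump settings found"
    fi
done
```

Run it as-is to see three findings for the posted fragment and none for the hardened one; to audit a live configuration, call `audit_squid_conf /usr/local/etc/squid/squid.conf` after sourcing the function definitions. The matching is deliberately anchored at the start of the line so that mentions inside comments do not count.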
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users