Re: [squid-users] The method for SSL Mitm Proxying without browser warnings

From: Oguz Yilmaz <oguzyilmazlist_at_gmail.com>
Date: Wed, 15 Dec 2010 08:52:54 +0200

On Tue, Dec 14, 2010 at 9:13 PM, Michael Leong
<Michael.Leong_at_digitalglobe.com> wrote:
> One of the features of SSL is to detect the MITM you're doing.  You need to
> manually add the squid cert on each browser as a trusted CA to prevent those
> warnings.

Actually I have added the cert to IE's Intermediate Certification
Authorities and Trusted Root Certificates. The error continues. Could it
be that the name of the site does not match the certificate's
issued-for field? How can I create the right certificate?

>
> On 12/14/2010 12:31 AM, Oguz Yilmaz wrote:
>
> Dear all,
>
> I have enabled my proxy for transparent SSL MITM proxying. Traffic for
> destination tcp 443 is DNAT'ed to localhost:8443 through iptables.
> This part is working. I am able to browse internet sites. For each
> SSL site, once, the browser gives a MITM warning. It should, of
> course.
> However, I want to learn how to remove the warning by manually adding
> a certificate to the Trusted Key Store of Internet Explorer or
> Firefox.
>
> Squid conf param:
> https_port 8443 cert=/etc/squid/certs/sslfilter.crt
> key=/etc/squid/certs/sslfilter.key protocol=https accel vhost
> defaultsite=google.com
>
> The way I have created the certificate and key:
>
> openssl genrsa -rand \
> /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime \
> 1024 > /etc/squid/certs/sslfilter.key
>
> cat << EOF | openssl req -new -key /etc/squid/certs/sslfilter.key
> -x509 -days 1825 -out /etc/squid/certs/sslfilter.crt
> TR
> ANK
> Ankara
> Info
> Customer IT
> SSL Filtering Proxy
> support_at_domain
> EOF
>
>
> Regards,
>
> --
> Oguz YILMAZ
>
Received on Wed Dec 15 2010 - 06:53:22 MST
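The symptom in the thread (the warning stays even after the proxy certificate is imported as a trusted root) is what a browser shows when the chain is trusted but the certificate's name does not match the host: the quoted `https_port ... cert=/etc/squid/certs/sslfilter.crt` serves one certificate with `CN=SSL Filtering Proxy` to every site. The script below is an added example, not code from the original post or from Squid. It reproduces both browser checks with the openssl CLI (chain trust, then hostname) and builds the certificate layout that passes both: a self-signed private CA, which is the thing to import into the browser trust store, and a per-host leaf certificate signed by that CA with the host in the CN and subjectAltName. The hosts `www.example.com` and `mail.example.com`, the file names, the `ca`/`sslfilter` base names and the 2048-bit key size are assumptions; the original self-signed proxy certificate is modelled with `CA:TRUE`, which is what `openssl req -x509` produces with the stock config. It needs openssl 1.0.2 or later for `-verify_hostname`.

```shell
#!/bin/sh
# Added example (not from the original post or from Squid): private CA plus
# per-site leaf certificate, checked the way a browser checks them.
# Assumed: openssl CLI 1.0.2+, hosts www.example.com / mail.example.com.
set -eu

# Write an openssl config for a self-signed, CA-capable certificate with the
# given CN. Subject fields mirror the ones typed in the original post.
write_selfsigned_cnf() {
    cnf="$1"; cn="$2"
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = TR
ST = ANK
L = Ankara
O = Info
OU = Customer IT
CN = $cn
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed key + certificate: $1 = dir, $2 = base name, $3 = CN.
# Base name "sslfilter" with CN "SSL Filtering Proxy" models the original
# one-cert-for-every-site setup; base name "ca" is the root to import.
make_selfsigned() {
    dir="$1"; name="$2"; cn="$3"
    write_selfsigned_cnf "$dir/$name.cnf" "$cn"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/$name.key" -days 1825 \
        -config "$dir/$name.cnf" -out "$dir/$name.crt" 2>/dev/null
}

# Per-site leaf certificate for host $2, signed by $1/ca.crt. The host is put
# in both CN and subjectAltName; browsers match against the SAN.
make_leaf() {
    dir="$1"; host="$2"
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
        -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$host.cnf" -extensions leaf_ext \
        -out "$dir/$host.crt" 2>/dev/null
}

# Trust check only: does certificate $2 chain to trust anchor $1?
chain_is_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Both browser checks: chain to anchor $1 AND certificate $2 names host $3.
# Returns 0 only when no warning would be shown.
browser_would_accept() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Print the outcome of both checks for one (anchor, cert, host) triple.
report() {
    if chain_is_trusted "$2" "$3"; then t=trusted; else t=untrusted; fi
    if browser_would_accept "$2" "$3" "$4"; then w="no warning"; else w=warning; fi
    echo "$1 for $4: $t, $w"
}

# Demo on constructed hosts: the static proxy cert is trusted once imported
# but never matches a site name; the CA-issued leaf matches exactly its host.
demo() {
    d=$(mktemp -d)
    make_selfsigned "$d" sslfilter "SSL Filtering Proxy"
    make_selfsigned "$d" ca "SSL Filtering Proxy CA"
    make_leaf "$d" www.example.com
    report "static sslfilter.crt" "$d/sslfilter.crt" "$d/sslfilter.crt" www.example.com
    report "CA-signed leaf" "$d/ca.crt" "$d/www.example.com.crt" www.example.com
    report "CA-signed leaf" "$d/ca.crt" "$d/www.example.com.crt" mail.example.com
    rm -rf "$d"
}
demo
```

Run stand-alone it prints one line per case: the static certificate is trusted but warns for `www.example.com`, the leaf passes for `www.example.com` and warns for `mail.example.com`. Importing the CA into Trusted Root Certification Authorities fixes only the trust half; every intercepted host still needs its own leaf certificate, which a single static `cert=` file on `https_port` cannot supply, so a deployment has to issue (and cache) one per host at connect time, signed by the CA the browsers trust.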

This archive was generated by hypermail 2.2.0 : Wed Dec 15 2010 - 12:00:03 MST