4.9 https issue...unable to import certificate in browser


aw_wolfe
I have Squid 4.9 built with HTTPS support, for which I created a certificate
following a tutorial. Squid starts and appears to be running fine. The HTTP whitelist
with user groups is working... trying to add HTTPS support.

Copy/paste from the example of what I did to create the certificate:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem

certtool --generate-privkey --outfile ca-key.pem

certtool --generate-self-signed --load-privkey ca-key.pem --outfile myCA.pem

openssl x509 -in myCA.pem -outform DER -out myCA.der

1) problem when trying to import myCA.der certificate into firefox: "This is
not a certificate authority certificate, so it can’t be imported into the
certificate authority list"

2) My goal is simply to whitelist sites; I do not have a need to view the
traffic. Is following the ssl-bump examples the right/only approach, or is there an
easier way to let the client connect directly but prevent any connection unless
it is on the whitelist?

Thanks,
Tony




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: 4.9 https issue...unable to import certificate in browser

Matus UHLAR - fantomas
On 10.12.19 05:19, aw_wolfe wrote:
>I have Squid 4.9 built with HTTPS support, for which I created a certificate
>following a tutorial. Squid starts and appears to be running fine. The HTTP whitelist
>with user groups is working... trying to add HTTPS support.
>
>Copy/paste from the example of what I did to create the certificate:
>
>openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem

Here you create the authority, with both the key and the certificate in myCA.pem,
using OpenSSL.

>certtool --generate-privkey --outfile ca-key.pem
>
>certtool --generate-self-signed --load-privkey ca-key.pem --outfile myCA.pem

Here you overwrite it with the GnuTLS commands...
You misunderstood: these commands are an alternative to the openssl commands.

>openssl x509 -in myCA.pem -outform DER -out myCA.der

>1) problem when trying to import myCA.der certificate into firefox: "This is
>not a certificate authority certificate, so it can’t be imported into the
>certificate authority list"

Try without the certtool commands. In my experience, that openssl
command should produce a correct CA certificate; I don't know about the certtool
commands.

Note that:
1. You can import myCA.pem, at least into Firefox (IIRC).
2. You should not copy myCA.pem, which contains the CA private key, anywhere.

>2) My goal is simply to whitelist sites, I do not have a need to view the
>traffic. Is following ssl-bump examples the right/only approach or is easier
>way to let the client connect directly, but preventing any connection except
>if on the whitelist?

You don't need to generate your own certificate for this.
Configuring Squid to stare at SSL connections should be enough.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: 4.9 https issue...unable to import certificate in browser

aw_wolfe
OK, thank you. As you can tell, I'm kinda fumbling my way through setting
this up.

Re-creating the certificate with the openssl command only fixed the issue.
Firefox accepted the certificate.

I think that I would rather not have to install the certificate on all
the browsers. So if I can configure the stare option, that would be my
preferred solution.

A bit of searching around, however, didn't turn up much, and I'm a little
confused by the different "steps" commands.

If you don't mind, I'd appreciate a simple 1- or 2-line example, or point me in
the right direction.

Right now my squid.conf (not including the groups and whitelist part):

http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ssl_cert/ca-key.pem

sslcrtd_program /usr/sbin/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all





Re: 4.9 https issue...unable to import certificate in browser

Matus UHLAR - fantomas
On 10.12.19 06:14, aw_wolfe wrote:

>OK, thank you. As you can tell, I'm kinda fumbling my way through setting
>this up.
>
>Re-creating the certificate with the openssl command only fixed the issue.
>Firefox accepted the certificate.
>
>I think that I would rather not have to install the certificate on all
>the browsers. So if I can configure the stare option, that would be my
>preferred solution.
>
>A bit of searching around, however, didn't turn up much, and I'm a little
>confused by the different "steps" commands.

so am I...

>If you don't mind, I'd appreciate a simple 1- or 2-line example, or point me in
>the right direction.

And I also plan to log based on the SSL client hello (SNI option).

>Right now my squid.conf (not including the groups and whitelist part):
>
>http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ssl_cert/ca-key.pem
>
>sslcrtd_program /usr/sbin/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>sslcrtd_children 5
>ssl_bump server-first all
>sslproxy_cert_error allow all

If you only want to get the requested server name, forget about making
certificates at all.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
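The certificate-free approach Matus describes, carried through as an added example (mine, not any poster's configuration and not Squid's own tooling): Squid peeks at the ClientHello for the SNI at step 1, splices connections whose server name is on the whitelist and terminates everything else, so nothing is ever bumped and no client needs the CA imported. The script turns a plain one-domain-per-line whitelist, the same shape as a dstdomain list (leading dot = that domain and its subdomains, `#` comments allowed), into `ssl::server_name` ACL lines and emits the ssl_bump policy in place of the posted `ssl_bump server-first all` and `sslproxy_cert_error allow all`. The `cert=`/`key=` options stay on the http_port because, as Alex Rousskov notes later in the thread, SslBump will not run without a certificate even when nothing is bumped. File paths, ACL names and the whitelist format are my assumptions.

```shell
#!/bin/sh
# Added example (mine, not from the thread or the Squid project): generate the
# SslBump part of squid.conf for an HTTPS whitelist that never bumps.
# Squid peeks at the ClientHello for the SNI (step 1), splices connections to
# whitelisted names and terminates everything else. Assumed: whitelist file has
# one domain per line (leading dot = domain and subdomains, as for dstdomain),
# '#' comments allowed; paths and ACL names are placeholders.
set -euf   # -f: no pathname expansion when iterating over list words

# valid_sni_entry ENTRY : exit 0 for a plain lowercase domain, optionally with a
# leading dot. Wildcards, ports, schemes and paths are rejected outright rather
# than silently widening (or silently dropping) the whitelist.
valid_sni_entry() {
    printf '%s\n' "$1" |
        grep -Eq '^\.?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# write_sslbump_whitelist_conf LIST OUT : write the policy to OUT, or return 1
# and write nothing if LIST is empty or any entry is invalid, so a bad edit to
# the list cannot leave the proxy running a partial policy.
write_sslbump_whitelist_conf() {
    list=$1; out=$2
    # normalise: lowercase, strip comments and surrounding whitespace, drop blanks
    entries=$(tr 'A-Z' 'a-z' < "$list" |
              sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' |
              grep -v '^$' || true)
    [ -n "$entries" ] || { echo "$list: empty whitelist, refusing to emit a policy" >&2; return 1; }
    for e in $entries; do
        valid_sni_entry "$e" || { echo "$list: rejected entry '$e'" >&2; return 1; }
    done
    {
        printf '%s\n' \
            '# HTTPS whitelist: generated, do not edit by hand' \
            '# cert/key are needed for any ssl-bump port, but nothing below bumps,' \
            '# so clients never see a certificate from this CA and need not import it.' \
            '# generate-host-certificates and sslcrtd_program are only exercised when bumping.' \
            'http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/ca-key.pem' \
            'acl step1 at_step SslBump1'
        for e in $entries; do
            printf 'acl allowed_sni ssl::server_name %s\n' "$e"
        done
        # replaces "ssl_bump server-first all" and "sslproxy_cert_error allow all":
        # the latter would make Squid accept any upstream certificate if it ever bumped.
        printf '%s\n' 'ssl_bump peek step1' 'ssl_bump splice allowed_sni' 'ssl_bump terminate all'
    } > "$out"
}
```

Include the generated file from squid.conf and run `squid -k parse` before reloading. Two caveats: `ssl::server_name` is computed from the CONNECT target as well as the SNI, so a client that sends no SNI is still matched on the host it asked to CONNECT to; and a client whose name is not on the list gets a closed connection, not an error page. Showing an error page would require bumping that connection with a browser-trusted CA, which is the trade-off Alex Rousskov explains below.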

Re: 4.9 https issue...unable to import certificate in browser

Alex Rousskov
On 12/10/19 6:19 AM, aw_wolfe wrote:

> I have Squid 4.9 built with HTTPS support, for which I created a certificate
> following a tutorial. Squid starts and appears to be running fine. The HTTP whitelist
> with user groups is working... trying to add HTTPS support.
>
> Copy/paste from the example of what I did to create the certificate:
>
> openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem
>
> certtool --generate-privkey --outfile ca-key.pem
>
> certtool --generate-self-signed --load-privkey ca-key.pem --outfile myCA.pem

You seem to be combining/overlapping two alternative ways to generate a
CA certificate: OpenSSL and GnuTLS. To avoid surprises, I recommend
using either one or another. I cannot speak for GnuTLS, but I know that
the OpenSSL commands did work at some point in the past.


> 1) problem when trying to import myCA.der certificate into firefox: "This is
> not a certificate authority certificate, so it can’t be imported into the
> certificate authority list"

CA certificates have a "true" CA basic constraint. Double-check that
your certificate has a true CA extension:

    $ openssl x509 -in myCA.pem -noout -text | \
      grep -A1 'Basic Constraints'
                X509v3 Basic Constraints:
                   CA:TRUE

By default, your modern browser or OS might not trust _you_ with
deciding which CAs it should trust. If that is the case, you will need
to find a way to bypass that built-in browser/OS "safety net". Modern
browsers/OSes usually have a way to do that because their
corporate/government clients require such workarounds.


> 2) My goal is simply to whitelist sites, I do not have a need to view the
> traffic. Is following ssl-bump examples the right/only approach or is easier
> way to let the client connect directly, but preventing any connection except
> if on the whitelist?

FWIW, I do not understand what you mean by "let the client connect
directly" and/or how that differs from some of the SslBump examples.
Please detail that part.

Today, the fake CA certificate is needed to enable SslBump. It will be
used to report errors (including blocked access) to users.

If you do not want to report any errors to users, then you do not need
to import your CA certificate into browsers (but you still need to give
that certificate to Squid -- it is a limitation of the current
implementation). In this case, you should configure your Squid to
terminate the from-client TLS connection on any error. Doing so may be
difficult -- there is no single directive that can do that for you.


HTH,

Alex.
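The CA generation and the CA:TRUE check from this thread, carried through as an added example (my script, not the posters' commands and not part of Squid): it builds the signing CA with OpenSSL only, as Matus recommended, writes the private key to its own file so the certificate can be handed to browsers without the key Matus warned about, and verifies the Basic Constraints the way Alex's grep does. It can also mint a deliberately non-CA certificate (CA:FALSE), which is the shape of certificate that trips the Firefox message quoted above. The directory, subject names and function names are assumptions; it only needs an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (mine, not from the thread): create the SslBump signing CA with
# OpenSSL only, keep the private key in its own file, and check the one thing
# Firefox tests before accepting an import: the CA:TRUE basic constraint.
# Directory, subject names and function names are my assumptions.
set -eu

# make_selfsigned DIR NAME CA_FLAG : writes DIR/NAME-key.pem, DIR/NAME.pem, DIR/NAME.der.
# CA_FLAG is TRUE for a signing CA or FALSE for an ordinary leaf, so the
# difference Firefox complains about can be reproduced on purpose.
make_selfsigned() {
    dir=$1; name=$2; ca_flag=$3
    mkdir -p "$dir"
    if [ "$ca_flag" = TRUE ]; then
        ku='keyCertSign, cRLSign'
    else
        ku='digitalSignature, keyEncipherment'
    fi
    # A private config so the result does not depend on the system openssl.cnf
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
CN = Squid SslBump $name
O = example.test
[v3_ext]
basicConstraints = critical, CA:$ca_flag
keyUsage = critical, $ku
subjectKeyIdentifier = hash
EOF
    # -keyout and -out go to DIFFERENT files: the thread's one-liner wrote both
    # into myCA.pem, which is then unsafe to hand to anyone.
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$dir/$name.cnf" -extensions v3_ext \
        -keyout "$dir/$name-key.pem" -out "$dir/$name.pem" 2>/dev/null
    chmod 600 "$dir/$name-key.pem"
    # DER copy of the certificate alone, for browser import
    openssl x509 -in "$dir/$name.pem" -outform DER -out "$dir/$name.der"
}

# cert_is_ca FILE : exit 0 if FILE (PEM) carries Basic Constraints CA:TRUE,
# i.e. the same check as "openssl x509 -noout -text | grep -A1 'Basic Constraints'"
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# has_private_key FILE : exit 0 if a PEM private-key block is inside FILE
has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Typical run ("./ca.sh run"): build the CA, refuse to go on if the checks fail.
if [ "${1:-}" = run ]; then
    make_selfsigned ./ssl_cert myCA TRUE
    cert_is_ca ./ssl_cert/myCA.pem || { echo 'myCA.pem is not a CA certificate' >&2; exit 1; }
    has_private_key ./ssl_cert/myCA.pem && { echo 'myCA.pem leaks the private key' >&2; exit 1; }
    echo 'ssl_cert/myCA.der is safe to import into browsers'
fi
```

After `./ca.sh run`, point `cert=` at ssl_cert/myCA.pem and `key=` at ssl_cert/myCA-key.pem (mode 0600, owned by the Squid user) and import only myCA.der into browsers. Anything that needs the key to be copied elsewhere is a sign the wrong file is being distributed.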