Certificate Authority with SSLBump

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Certificate Authority with SSLBump

FredB
Hi All,

In practise how you maintain the CA files? I'm testing SSLBump with Debian Jessie the package ca-certificates provides many certificates but less than the latest Firefox Browser.
How do you manage to keep all that in check? When a CA is missing you add the pem in you system config or exclude the website from SSLBump?  

EG: From my test https://wiki.squid-cache.org seems unknown (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Thanks

Regards
Fred
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Certificate Authority with SSLBump

Yuri Voinov
1. Using mozilla CA bundle instead of system (if exists) for squid.

2. Update mozilla CA bundle by script by cron on regular basis.

3. Have own manually maintained custom add_certs.pem list which combines
with step 2 during updates.

Thats all, folks.


08.02.2018 23:33, FredB пишет:

> Hi All,
>
> In practise how you maintain the CA files? I'm testing SSLBump with Debian Jessie the package ca-certificates provides many certificates but less than the latest Firefox Browser.
> How do you manage to keep all that in check? When a CA is missing you add the pem in you system config or exclude the website from SSLBump?  
>
> EG: From my test https://wiki.squid-cache.org seems unknown (71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
> SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> Thanks
>
> Regards
> Fred
> _______________________________________________
> squid-users mailing list
> [hidden email]
> http://lists.squid-cache.org/listinfo/squid-users
--
*****************************
* C++20 : Bug to the future *
*****************************



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

signature.asc (673 bytes) Download Attachment