Using CA signed certificate for SSL bump

Using CA signed certificate for SSL bump

Arshad Ansari

Hi All,

I have set up squid 4.2 for forward proxy and caching. It is working fine when I am using a self-signed certificate for SSL bump.

However, our security requirement is to use only a CA-signed certificate and not a self-signed certificate.

I have tried various options like using HTTPS and intercept but nothing seems to be working.

My question is: does SSL work with a CA-signed certificate?

Regards,
Arshad



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Using CA signed certificate for SSL bump

Antony Stone
On Wednesday 05 September 2018 at 09:02:45, Arshad Ansari wrote:

> Hi All,
>
> I have setup squid 4.2 for forward proxy and caching. It is working fine
> when I am using self-signed certificate for SSL bump.

Good.  Well done.

> However, our security requirement is to use only CA signed certificate and
> not self-signed certificate.

That won't work.

> I have tried various options like using Https and intercept but nothing
> seems to be working.

Indeed.

> My question is does SSL work with CA signed certificate?

SSL?  Yes.

SSL Bump / interception, no - because if it did, you'd have a globally-trusted
certificate which you could use to fake any website on the Internet.

Security?  The CA who gave you that certificate would disappear.


Antony.

--
Tinned food was developed for the British Navy in 1813.

The tin opener was not invented until 1858.

                                                   Please reply to the list;
                                                         please *don't* CC me.
Re: Using CA signed certificate for SSL bump

Enrico Heine
In reply to this post by Arshad Ansari
Hey,

How should that work? That would require a CA to sign your self-signed CA so that it could issue valid public certificates for all websites. If that were possible, then the whole concept of SSL security would be worth nothing. You can't create valid certificates for such websites. You can only issue certificates that are valid within your organisation. Therefore the self-signed CA needs to be trusted by your clients by adding it to their trusted root authorities.

There is no other way. Wait, there is: do not try to intercept SSL-secured connections, so you can't look into the traffic, as it is supposed to be. Or break it and live with what that requires. If you have no valid reason to intercept such traffic, then just don't do it.

Re: Using CA signed certificate for SSL bump

Alex Crow
In reply to this post by Arshad Ansari

You can set up your own internal CA. You then have the CA key (so you can generate certificates for any domain) and install the CA public certificate on all client machines.


That CA can be anything from a local CA on the squid box, using a central VM with something like XCA installed, all the way to an enterprise HSM.


But you must have the CA key. There is no way a commercial CA would give you a universal signing key.


Alex




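Enrico's and Alex's answers above, put into running code as an added example (it is not from this thread and not Squid project code): build the private CA whose key Squid signs with, mint a per-host leaf the way Squid's certificate helper does at runtime, and show that the leaf verifies only against that private CA and never against the public trust store, which is why the CA certificate has to be pushed to every client. It assumes the openssl CLI is installed; the CA name, the file names and the Squid paths in the configuration fragment are illustrative choices, not Squid defaults.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project). Assumptions:
# openssl CLI present; CA name, file names and Squid paths are illustrative.
set -eu

# 1. Self-signed CA. Squid needs the private key of a CA:TRUE certificate,
#    and no public CA issues such a certificate to a customer.
make_internal_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Internal Proxy CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/squid-ca.key" -out "$dir/squid-ca.crt" 2>/dev/null
    # Squid reads key and certificate from one PEM file.
    cat "$dir/squid-ca.key" "$dir/squid-ca.crt" > "$dir/squid-ca.pem"
    chmod 600 "$dir/squid-ca.key" "$dir/squid-ca.pem"
}

# True when issuer == subject (self-signed) and the cert carries CA:TRUE.
is_self_signed_ca() {
    crt="$1/squid-ca.crt"
    subj=$(openssl x509 -in "$crt" -noout -subject)
    iss=$(openssl x509 -in "$crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] &&
        openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE'
}

# 2. Mint a leaf for one host, mimicking what security_file_certgen does
#    on the fly for every bumped site.
mint_leaf() {
    dir="$1"; host="$2"
    cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/leaf.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -days 365 -sha256 \
        -CA "$dir/squid-ca.crt" -CAkey "$dir/squid-ca.key" -CAcreateserial \
        -extfile "$dir/leaf.cnf" -extensions leaf_ext \
        -out "$dir/$host.crt" 2>/dev/null
}

# 3. The leaf chains to the private CA ...
verify_with_private_ca() {
    openssl verify -CAfile "$1/squid-ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
# ... but not to the system trust store: every client behind the proxy
# must therefore have squid-ca.crt installed as a trusted root.
verify_with_system_roots() {
    openssl verify "$1/$2.crt" >/dev/null 2>&1
}

# 4. Squid 4.x fragment using that CA. Helper and db paths are assumptions;
#    create the db once with: security_file_certgen -c -s <db> -M 4MB
write_squid_conf() {
    cat > "$1/squid-bump.conf" <<EOF
http_port 3128 ssl-bump tls-cert=$1/squid-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
EOF
}

# End-to-end run: sh squid-ca-demo.sh /tmp/squid-ca-demo
if [ -n "${1:-}" ]; then
    make_internal_ca "$1"
    mint_leaf "$1" www.example.com
    is_self_signed_ca "$1" && echo "CA is self-signed with CA:TRUE"
    verify_with_private_ca "$1" www.example.com && echo "leaf verifies against squid-ca.crt"
    verify_with_system_roots "$1" www.example.com || echo "leaf fails against system roots (expected)"
    write_squid_conf "$1" && echo "wrote $1/squid-bump.conf"
fi
```

The failing system-root check is the whole point of the thread: a leaf minted for www.example.com is only valid where squid-ca.crt is a trust anchor, so a publicly trusted CA certificate would not help even if one could be obtained, and the CA private key must be protected (local file with tight permissions at minimum, an HSM at the high end, as Alex notes).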