Re: [squid-users] squid/sslbump + IE9

From: Sean Boran <sean_at_boran.com>
Date: Mon, 5 Dec 2011 07:04:53 +0100

Yes it is classical forgery as you say, but that is how SSL interception works.
And yes, I created a self signed CA cert for the proxy and manually
installed it into FF and IE browsers.

Firefox: Open 'Options' > 'Advanced' > 'Encryption' > 'View
Certificates' > 'Authorities' > 'Import' button, select the .der file
attached, press 'OK'
IE: Tools > Options > Content > Certificates > Trusted Root
Certification Authorities

Sean

On 3 December 2011 04:11, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> On 3/12/2011 6:22 a.m., Sean Boran wrote:
>>
>> Well yes, we are trying to incept...
>> I don't see where the "forgery" is, if my proxy CA is trusted and a
>> cert is generated for that target, signed by that CA, why should the
>> browser complain?
>
>
> The "forgery" is that you are creating a certificate claiming to be fetched from that website and authorizing you to act as their intermediary with complete security clearance. When it is not. Exactly like me presenting someone with a cheque against your bank account signed by myself. Forgery, by the plain and simple definition of the word. This is why the browser complains unless it has explicitly been made to trust the CA you use to sign.
>
> I missed the part where you had your signing CA already in the browser and read that as the browser not complaining when only presented with the plain cert.
>
>
>> And why would FF not complain but IE9 does?
>
>
> The one complaining does not trust the certificate or some part of its CA chain. As others have said, each of the three browser engines uses their own CA collections.
>
> Amos
Received on Mon Dec 05 2011 - 06:05:02 MST
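The point Amos makes, that the bumped certificate is accepted only by a browser whose trust store holds the proxy's signing CA, can be reproduced with openssl. This is an added walk-through, not code from the thread or from Squid; the CA names and the hostname example.test are constructed.

```shell
#!/bin/sh
# Added demonstration, not from the squid-users thread: a bumped site
# certificate validates only against the proxy CA that signed it. All
# names (Constructed Proxy CA, Other CA, example.test) are constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA; writes $WORK/<name>.key and $WORK/<name>.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf cert for host $1, signed by the proxy CA, as sslbump would generate.
make_bumped_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/proxy.crt" -CAkey "$WORK/proxy.key" -CAcreateserial \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# Validate the leaf against the CA file in $1; prints "trusted" or
# "untrusted", standing in for a browser that has or lacks the import.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca proxy "Constructed Proxy CA"
make_ca other "Other CA"
make_bumped_cert example.test
echo "store with proxy CA imported: $(verify_leaf "$WORK/proxy.crt")"
echo "store without proxy CA:       $(verify_leaf "$WORK/other.crt")"
```

The second store mirrors the IE9 case in the thread: the leaf chains to an issuer the store does not contain, so validation fails exactly as the browser warning does.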

This archive was generated by hypermail 2.2.0 : Mon Dec 05 2011 - 12:00:03 MST