SSL bumping on a domain - a tip


austinfria...@googlemail.com

Jan 29, 2015, 4:50:17 AM
to quintolabs-content-se...@googlegroups.com
Just a tip for people running SSL bumping on a domain.  Don't forget that you can add squid as a subordinate CA to your enterprise CA; that way you won't get certificate errors or need to install a squid root CA certificate on clients - your domain CA root will suffice.

Generate a request on your squid box (you will need the key later):

openssl genrsa -out subordinateCA.key 1024
openssl req -new -key subordinateCA.key -out subordinateCA.csr

Use the CSR on your domain CA registration page (you may need to add the template to the available options on the CA).


Make sure you use Base64, not DER, encoding.  Transfer the .cer to your squid box and edit squid accordingly; the location MUST be accessible to squid.  Make sure the .key and .cer are readable by the PROXY user (it might not be the same user as qlproxy!).  Edit squid.conf as appropriate:

http_port 10.254.254.250:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/opt/qlproxy/etc/subordinateCA.key cert=/opt/qlproxy/etc/subordinateCA.cer

Same with the storage manager - make sure you generate the required directory and chown it to the same user as the PROXY:

/usr/lib/squid3/ssl_crtd -c -s /var/spool/squid3_ssldb
chown -R proxy:proxy /var/spool/squid3_ssldb


Edit squid.conf accordingly to update the cert cache location:

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB


Not forgetting to update the rules for Diladele in squid.conf:

include "/opt/qlproxy/etc/squid/squid.acl"


Now you can SSL bump and not worry about certificate errors on your domain as squid is a subordinate of your enterprise CA.
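Added example, not code from the thread or from Diladele: the same key-and-CSR step as above, but requesting CA extensions explicitly, followed by the checks worth running on the .cer before pointing squid's http_port key=/cert= at it: that it chains to the root, that it is actually a CA certificate (a CSR issued from an end-entity template will not let ssl_crtd sign host certificates), that the key matches, and that the key has no passphrase (the point raised later in the thread). It assumes only openssl on the box; every path lives under a temp dir, the CN is a placeholder, and the "enterprise root" is a throwaway self-signed stand-in created so the checks can run offline. On a real domain, step 2 is replaced by submitting the CSR to the AD CS enrollment page.

```shell
#!/bin/sh
# Added example, not from the thread: build the subordinate-CA request with CA
# extensions, then sanity-check the certificate the enterprise CA hands back
# before pointing Squid's http_port key=/cert= at it.
# Everything under $WORK is constructed; the "root" below is a throwaway
# stand-in for the real enterprise (AD CS) root, used only so the checks can run.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key and CSR (2048-bit rather than the 1024 in the thread).
# No -aes/-des option on genrsa, so the key stays unencrypted: Squid cannot
# open a passphrase-protected key on its own.
make_subordinate_csr() {
  openssl genrsa -out "$WORK/subordinateCA.key" 2048 2>/dev/null
  cat > "$WORK/sub.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = ca_ext
prompt = no
[ dn ]
CN = Squid SSL Bump Subordinate CA (placeholder name)
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -new -key "$WORK/subordinateCA.key" -config "$WORK/sub.cnf" \
    -out "$WORK/subordinateCA.csr"
}

# Step 2: stand-in for "submit the CSR on the domain CA page with the
# Subordinate Certification Authority template". Emits DER on purpose so the
# Base64/PEM conversion below is exercised.
issue_with_stand_in_root() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Enterprise Root (stand-in)" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/subordinateCA.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -extfile "$WORK/sub.cnf" -extensions ca_ext \
    -outform DER -out "$WORK/subordinateCA.der" 2>/dev/null
}

# Step 3: convert to PEM (Squid reads Base64/PEM, not DER) and verify. Returns:
#   1 = chain does not verify to the root (wrong CA or truncated file)
#   2 = not a CA certificate (issued from an end-entity template)
#   3 = private key does not match the certificate
#   4 = key is passphrase-protected
check_issued_cert() {
  key="$WORK/subordinateCA.key" cer="$WORK/subordinateCA.cer"
  openssl x509 -inform DER -in "$WORK/subordinateCA.der" -out "$cer"
  openssl verify -CAfile "$WORK/root.pem" "$cer" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cer" -noout -text | grep -q 'CA:TRUE' || return 2
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  cpub=$(openssl x509 -in "$cer" -pubkey -noout | openssl sha256)
  [ "$kpub" = "$cpub" ] || return 3
  ! grep -q 'ENCRYPTED' "$key" || return 4
  return 0
}

# Run all three steps when executed directly.
make_subordinate_csr && issue_with_stand_in_root && check_issued_cert \
  && echo "subordinate CA certificate usable: $WORK/subordinateCA.cer"
```

After copying the .key and .cer into /opt/qlproxy/etc, the remaining check from the post is readability by the proxy user rather than qlproxy, e.g. `sudo -u proxy test -r /opt/qlproxy/etc/subordinateCA.key`, and the same ownership check on the ssl_crtd database directory.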

Rafael

Jan 30, 2015, 3:21:58 AM
to quintolabs-content-se...@googlegroups.com
Hello Austin,

Thanks a lot!
May I add this as a separate step on http://docs.diladele.com/administrator_guide_4_0/system_configuration/active_directory/index.html after testing?

Best regards,
Raf

austinfria...@googlemail.com

Jan 30, 2015, 3:52:17 AM
to quintolabs-content-se...@googlegroups.com
Sure.  I thought it might help people on domains as you don't need to worry about installing root certificates for squid on clients - plus it is easier to revoke on a domain as you simply revoke the subordinate CA on the enterprise CA rather than GPO a certificate removal.  Of course "guest" computers to the domain will still need to add a root certificate (I cheat at the moment and have guests connecting on a different squid port that doesn't have SSL bumping...)

Matt Medeiros

Jan 31, 2015, 5:10:51 AM
to quintolabs-content-se...@googlegroups.com
Austin, is there a way in a home environment to do this sort of thing? Even on my PC I still run into sites with cert errors. Transparent Squid setup.

Is it possible to have clients use their own certs as a backup? I don't have a CA setup nor all the domain stuff. The confusing part for me would be like iOS devices and such.

austinfria...@googlemail.com

Apr 20, 2016, 4:22:08 AM
to QuintoLabs Content Security for Squid Proxy / Diladele Web Safety
Just to say, this method still works in 4.4 but you still need to do it manually (as above) - you cannot use the GUI (as you need the KEY as well as the CER - this needs to be specified in the squid config).

Another note: when generating the subordinateCA *do not* use a password, as squid can't handle that CER.

An old reply to Matthew - you wouldn't want to do this in a home environment (you would be happy to let the squid/diladele box be your RootCA).  This method is only useful for domain computers, as domain computers already "trust" the domain certificate authority.  By adding the squid box as a subordinate authority to the already trusted one, there will be no need to add anything to the PCs.  In a home environment you will need to "trust" the squid box certificate as normal.

Incidentally, if you have non-domain PCs in the environment, they will need to trust the domain certificate authority certificate of course, although they will not get an up to date revoke list.